diff --git a/configuration.nix b/configuration.nix
index 2c038fa..9387400 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -44,7 +44,7 @@
       5349 # turn server
       3551 # apcups
       18080 # monero p2p
-      20000 # syncthing transfert
+      22000 # syncthing transfer
       64738 # mumble server
     ];
     firewall.allowedUDPPorts = [
@@ -113,6 +113,7 @@
     # SSH operation handier, example:
     # git clone git@maxwell:user/repo
     git = {
+      group = "git";
       description = "Git server user";
       home = "/var/lib/gitea";
       isSystemUser = true;
@@ -120,6 +121,8 @@
     };
   };
 
+  users.groups.git = { };
+
   # Generate Diffie-Hellman parameters
   # for TLS applications, like nginx.
   security.dhparams = {
@@ -217,16 +220,13 @@
     password = "$JOIN_PASSWORD";
     users = 10;
     environmentFile = config.secrets.environments.murmur;
-    extraConfig = with config.var; ''
-      sslCert=/var/lib/acme/${hostname}/fullchain.pem
-      sslKey=/var/lib/acme/${hostname}/key.pem
-    '';
+    sslCert = "/var/lib/acme/${config.var.hostname}/fullchain.pem";
+    sslKey = "/var/lib/acme/${config.var.hostname}/key.pem";
   };
 
   ### Syncthing node
   services.syncthing = {
     enable = true;
-    openDefaultPorts = true;
   };
 
   ### Monero node with local RPC
diff --git a/custom/modules/asjon.nix b/custom/modules/asjon.nix
index c93069c..2937d99 100644
--- a/custom/modules/asjon.nix
+++ b/custom/modules/asjon.nix
@@ -27,17 +27,28 @@ in {
       '';
     };
 
+    group = mkOption {
+      type = types.str;
+      default = "asjon";
+      description = ''
+        Asjon will be run under this group (user will be created if it doesn't exist.
+        This can be your user name).
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {
 
-    users.extraUsers.${cfg.user} = {
+    users.users.${cfg.user} = {
+      group = cfg.group;
       home = cfg.dataDir;
       isSystemUser = true;
       createHome = true;
       description = "asjon user";
       shell = "${pkgs.bash}/bin/bash";
     };
+    users.groups.${cfg.group} = { };
 
     systemd.services.asjon = {
       description = "asjon: our chat bot";
diff --git a/custom/modules/breve.nix b/custom/modules/breve.nix
index 9357e09..15e8c6f 100644
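Review bot: Replacing `openDefaultPorts = true` (dropped in the services.syncthing hunk of this same file) with the single `22000 # syncthing transfer` TCP entry narrows what the firewall opens, so the UDP side deserves a check: syncthing also uses 22000/UDP for QUIC transfers and 21027/UDP for local discovery, and `firewall.allowedUDPPorts = [` starts on the last line of this hunk but its contents are not shown. If those are meant to stay closed, a comment next to the TCP entry, e.g. `22000 # syncthing transfer (TCP only; QUIC/discovery deliberately not opened)`, would stop the next reader from re-adding openDefaultPorts. The port list this hunk edits begins outside the hunk.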
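Review bot: `sslKey = "/var/lib/acme/${config.var.hostname}/key.pem"` points the murmur service at the ACME private key, and nothing in this diff grants the service's user read access to it; ACME key directories are normally readable only by the certificate's owner and group, so unless that is handled elsewhere (the certificate's group setting, or the service user being a member of that group) murmur may fail to load the key at start or fall back to a self-signed certificate. Since the old `extraConfig` used the same two paths, confirm the previous setup already had working permissions rather than assuming it, and record it in a one-line comment above `sslCert`, e.g. `# key.pem is readable via the acme group; murmur user is a member`. The `services.murmur` attribute set begins outside the hunk.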
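Review bot: The new `group` option's description still reads `(user will be created if it doesn't exist. This can be your user name)`, which is the wording of the `user` option; for a group it should say `(group will be created if it doesn't exist. This can be your user's group)`. The group option added to custom/modules/breve.nix carries the same copied sentence. It is also worth a short comment on `users.groups.${cfg.group} = { };` noting that it is declared unconditionally whenever the service is enabled, so pointing the option at an already-declared group relies on the two declarations merging, which the description could state explicitly.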
--- a/custom/modules/breve.nix
+++ b/custom/modules/breve.nix
@@ -44,6 +44,15 @@ in {
       '';
     };
 
+    group = mkOption {
+      type = types.str;
+      default = "breve";
+      description = ''
+        Breve will run under this group (user will be created if it doesn't exist.
+        This can be your user name).
+      '';
+    };
+
     hostname = mkOption {
       type = types.str;
       default = config.networking.hostName;
@@ -98,11 +107,14 @@ in {
 
   config = mkIf cfg.enable {
 
-    users.extraUsers."${cfg.user}" = {
+    users.users.${cfg.user} = {
       isSystemUser = true;
+      group = cfg.group;
       description = "Breve daemon user";
     };
 
+    users.groups.${cfg.group} = {};
+
     networking.firewall = mkIf cfg.openPorts {
       allowedTCPPorts = [ cfg.port ] ++ optional (cfg.port == 443) 80;
@@ -116,6 +128,7 @@ in {
       environment.XDG_CONFIG_HOME = "${dataDir}/conf";
       serviceConfig = {
         User = cfg.user;
+        Group = cfg.group;
         ExecStart = "${pkgs.haskellPackages.breve}/bin/breve";
         Restart = "on-failure";
         StateDirectory = "breve";
diff --git a/email.nix b/email.nix
index 8ba3dfe..a6aad53 100644
--- a/email.nix
+++ b/email.nix
@@ -3,8 +3,8 @@
 {
   imports = [
     (builtins.fetchTarball {
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-21.05/nixos-mailserver-nixos-21.05.tar.gz";
-      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-21.11/nixos-mailserver-nixos-21.11.tar.gz";
+      sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
     })
   ];
diff --git a/testing.nix b/testing.nix
index 49a35f8..8842183 100644
--- a/testing.nix
+++ b/testing.nix
@@ -1,9 +1,5 @@
 { pkgs, lib, ... }:
 
-let
-  secrets = toString ./secrets;
-in
-
 {
 
   imports = [
@@ -11,22 +7,16 @@ in
   ];
 
   # VM hardware setup
-  virtualisation.memorySize = "4000"; # MB
+  virtualisation.memorySize = 4000; # MB
   virtualisation.graphics = false;
   virtualisation.cores = 4;
   virtualisation.msize = 1 * 1024 * 1024;
 
-  virtualisation.qemu.options =
-    [ # Ensure secrets are accessible by the
-      # activation scripts at runtime.
-      "-virtfs local,path=${secrets},security_model=none,mount_tag=secrets"
-    ];
-
-  virtualisation.fileSystems."${secrets}" =
-    { device = "secrets";
-      fsType = "9p";
-      options = [ "trans=virtio" "version=9p2000.L" ];
-      neededForBoot = true;
+  # Ensure secrets are accessible by the
+  # activation scripts at runtime.
+  virtualisation.sharedDirectories.secrets =
+    { source = toString ./secrets;
+      target = toString ./secrets;
     };
 
   # These don't work in a virtual machine
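Review bot: The comment `# Ensure secrets are accessible by the activation scripts at runtime` is kept, but the explicit `neededForBoot = true` that made the old 9p mount available before activation is dropped, and whether `virtualisation.sharedDirectories` mounts its targets that early is not visible from this hunk; it is worth confirming on a built VM and extending the comment to say so, e.g. `# (sharedDirectories mounts this before activation; verified on <nixos version placeholder>)`. Since `target = toString ./secrets` mirrors the host's absolute path, the guest is handed the host's real secrets directory, presumably read-write as the old `security_model=none` share was; if the VM only needs to read them, a sentence in the comment recording why read-write access is acceptable for this test VM would help the next reader.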