diff --git a/hosts/pulsebert/default.nix b/hosts/pulsebert/default.nix
index 60153e9d..3d628f96 100644
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@@ -66,12 +66,9 @@
     domain = "hq.c3d2.de";
     firewall = {
       allowedTCPPorts = [
-        80 # ledfx
-        4713 # pulseaudio/pipewire network sync
         5355 # llmnr
       ];
       allowedUDPPorts = [
-        5353 # mdns
         5355 # llmnr
       ];
     };
@@ -80,14 +77,6 @@
     interfaces.eth0.useDHCP = true;
   };
 
-  environment.systemPackages = with pkgs; [
-    mpd
-    mpv
-    ncmpcpp
-    ncpamixer
-    pulseaudio # required for pactl
-  ];
-
   # https://github.com/dump-dvb/nix-config/blob/310ceedca5ab2d5c22070bd73c603926b6100a74/hardware/configuration-rpi-3b.nix#L16
   sdImage = lib.mkForce {
     populateFirmwareCommands =
@@ -144,25 +133,17 @@
     '';
   };
 
-  security = {
-    rtkit.enable = true;
-    sudo = {
-      enable = true;
-      wheelNeedsPassword = false;
-    };
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
   };
 
   services = {
-    avahi.nssmdns = true;
     # Do not log to flash but also breaks journalctl --user
     # journald.extraConfig = ''
     #   Storage=volatile
     # '';
 
-    openssh = {
-      enable = true;
-    };
-
     nginx = {
       enable = true;
       virtualHosts = {
diff --git a/modules/audio-server.nix b/modules/audio-server.nix
index 11450afd..da4e4d64 100644
--- a/modules/audio-server.nix
+++ b/modules/audio-server.nix
@@ -6,41 +6,62 @@
   };
 
   config = lib.mkIf config.c3d2.audioServer.enable {
-    sound.enable = true;
-    hardware.bluetooth = {
-      enable = lib.mkDefault true;
-      settings = {
-        Policy.AutoEnable = true;
-        General.DiscoverableTimeout = 0;
+    environment.systemPackages = with pkgs; [
+      mpd
+      mpv
+      ncmpcpp
+      ncpamixer
+      pulseaudio # required for pactl
+    ];
+
+    hardware = {
+      bluetooth = {
+        enable = lib.mkDefault true;
+        settings = {
+          Policy.AutoEnable = true;
+          General.DiscoverableTimeout = 0;
+        };
+      };
+
+      pulseaudio = {
+        enable = !config.services.pipewire.pulse.enable;
+        systemWide = true;
+        tcp = {
+          enable = true;
+          anonymousClients.allowedIpRanges = [
+            "127.0.0.0/8"
+            "::1/128"
+            "fd23:42:c3d2:500::/56"
+            "172.22.99.0/24"
+            "172.20.72.0/21"
+            "2a00:8180:2c00:200::/56"
+            "2a0f:5382:acab:1400::/56"
+          ];
+        };
+        zeroconf.publish.enable = true;
+        package = (pkgs.pulseaudio.override {
+          bluetoothSupport = true;
+          advancedBluetoothCodecs = true;
+          zeroconfSupport = true;
+        }).overrideAttrs (_: {
+          # one test times out
+          doCheck = false;
+        });
       };
     };
 
-    hardware.pulseaudio = {
-      enable = !config.services.pipewire.pulse.enable;
-      systemWide = true;
-      tcp = {
-        enable = true;
-        anonymousClients.allowedIpRanges = [
-          "127.0.0.0/8"
-          "::1/128"
-          "fd23:42:c3d2:500::/56"
-          "172.22.99.0/24"
-          "172.20.72.0/21"
-          "2a00:8180:2c00:200::/56"
-          "2a0f:5382:acab:1400::/56"
-        ];
-      };
-      zeroconf.publish.enable = true;
-      package = (pkgs.pulseaudio.override {
-        bluetoothSupport = true;
-        advancedBluetoothCodecs = true;
-        zeroconfSupport = true;
-      }).overrideAttrs (_: {
-        # one test times out
-        doCheck = false;
-      });
+    networking.firewall = {
+      allowedTCPPorts = [
+        80 # ledfx
+        4713 # pulseaudio/pipewire network sync
+      ];
+      allowedUDPPorts = [
+        5353 # mdns
+      ];
     };
 
+    security.rtkit.enable = true;
+
     services.pipewire = {
       enable = true;
       alsa.enable = true; # required for ledfx
@@ -74,11 +95,10 @@
       pulse.enable = true;
     };
 
-    security.rtkit.enable = true;
-
     # tell Avahi to publish services like Pipewire/PulseAudio
     services.avahi = {
       enable = true;
+      nssmdns = true;
       publish = {
         enable = true;
         addresses = true;
@@ -86,6 +106,8 @@
       };
     };
 
+    sound.enable = true;
+
     system.activationScripts.enableLingering = lib.optionalString config.services.pipewire.pulse.enable (''
       rm -r /var/lib/systemd/linger
       mkdir /var/lib/systemd/linger
@@ -93,16 +115,25 @@
       touch /var/lib/systemd/linger/k-ot
     '');
 
-    systemd.services.bluetooth-agent = lib.mkIf config.hardware.bluetooth.enable {
-      description = "Allow anyone to pair via Bluetooth";
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "bluetooth.target" ];
-      after = [ "bluetooth.service" ];
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = "${pkgs.bluez-tools}/bin/bt-agent -c NoInputNoOutput";
-        Restart = "on-failure";
-        RestartSec = 60;
+    systemd = {
+      services.bluetooth-agent = lib.mkIf config.hardware.bluetooth.enable {
+        description = "Allow anyone to pair via Bluetooth";
+        wantedBy = [ "multi-user.target" ];
+        requires = [ "bluetooth.target" ];
+        after = [ "bluetooth.service" ];
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${pkgs.bluez-tools}/bin/bt-agent -c NoInputNoOutput";
+          Restart = "on-failure";
+          RestartSec = 60;
+        };
+      };
+      user.services.ledfx = {
+        after = [ "pipewire.target" ];
+        wantedBy = [ "default.target" ];
+        serviceConfig = {
+          ExecStart = "${pkgs.ledfx}/bin/ledfx";
+        };
       };
     };