diff --git a/common/nginx.nix b/common/nginx.nix index 10e498d..19b315b 100644 --- a/common/nginx.nix +++ b/common/nginx.nix @@ -7,17 +7,13 @@ recommendedProxySettings = true; recommendedTlsSettings = true; - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always; + add_header Content-Security-Policy "default-src https: data: 'unsafe-inline'; object-src 'none'; base-uri 'none';" always; + add_header Referrer-Policy strict-origin-when-cross-origin; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; + add_header X-Clacks-Overhead "GNU Terry Pratchett"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; }; diff --git a/common/steam.nix b/common/steam.nix index 5f538fa..b1e26de 100644 --- a/common/steam.nix +++ b/common/steam.nix @@ -1,10 +1,12 @@ { config, lib, pkgs, ... }: { - programs.steam = { - remotePlay.openFirewall = true; - dedicatedServer.openFirewall = true; - }; + config = lib.mkIf config.programs.steam.enable { + programs.steam = { + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; - services.joycond.enable = config.programs.steam.enable; + services.joycond.enable = true; + }; } diff --git a/flake.lock b/flake.lock index c0faff0..e65e4f4 100644 --- a/flake.lock +++ b/flake.lock 
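Review bot: The new `Content-Security-Policy` line sets `default-src https: data: 'unsafe-inline'`, which allows scripts and styles from any HTTPS origin plus inline scripts, so it does not constrain script injection the way the commented-out `script-src 'self'` policy it replaces would have; its main practical effect is to refuse non-HTTPS subresources, which browsers' mixed-content rules already do for active content. A baseline that keeps inline styles but not inline scripts would be `add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'none'; base-uri 'none';" always;`, with per-vhost overrides where a proxied app needs more. The `Referrer-Policy`, `X-Frame-Options` and `X-Content-Type-Options` lines lack `always`, so unlike HSTS and CSP they are omitted on error responses, and any server or location block that declares its own `add_header` silently drops every http-level header in this block, which deserves a comment above the first `add_header`. The enclosing attribute set (presumably `services.nginx`) begins before the hunk.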
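Review bot: Wrapping the module body in `lib.mkIf config.programs.steam.enable` has one behavioral effect beyond structure that the hunk does not call out: `services.joycond.enable` was previously pinned to `false` whenever Steam was disabled and is now left undefined in that case, so another module may enable joycond independently without a definition conflict. The two `openFirewall = true` lines still open inbound ports on every host that enables Steam; a comment such as `# Enabling Steam on a host also opens its remote-play and dedicated-server ports` above `programs.steam` would make that consequence visible to whoever flips `programs.steam.enable`. Whether the extra `mkIf` is needed at all depends on the upstream steam module's own gating, which is not visible here.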
@@ -121,11 +121,11 @@ ] }, "locked": { - "lastModified": 1726592409, - "narHash": "sha256-2Y6CDvD/BD43WLS77PHu6dUHbdUfFhuzkY8oJAecD/U=", + "lastModified": 1726989464, + "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", "owner": "nix-community", "repo": "home-manager", - "rev": "2ab00f89dd3ecf8012f5090e6d7ca1a7ea30f594", + "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", "type": "github" }, "original": { @@ -137,11 +137,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726447378, - "narHash": "sha256-2yV8nmYE1p9lfmLHhOCbYwQC/W8WYfGQABoGzJOb1JQ=", + "lastModified": 1726969270, + "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "086b448a5d54fd117f4dc2dee55c9f0ff461bdc1", + "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", "type": "github" }, "original": { @@ -153,11 +153,11 @@ }, "nixpkgsSmall": { "locked": { - "lastModified": 1726611721, - "narHash": "sha256-oSDOQ5c7CTVzkaG5A19UW3Yxsv9TLNFNcrvQT9F4Pz0=", + "lastModified": 1727076372, + "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a51a2cef87fc37c7e31d3a5345bc493e5f7a5f6e", + "rev": "7ca0f93c530406c1610defff0b9bf643333cf992", "type": "github" }, "original": { @@ -169,11 +169,11 @@ }, "nur": { "locked": { - "lastModified": 1726681508, - "narHash": "sha256-xz858EXcKZjWR6TPyU84BTeMHIPewGW68DutnxghaR4=", + "lastModified": 1727141325, + "narHash": "sha256-oqM2LaC0RLXgKZmFpj+aFM8qf5Iw9ilMJPWGZbGdTAk=", "owner": "nix-community", "repo": "NUR", - "rev": "59c5c2575c0cae6bc98b9de8161731cfb8cdc1f0", + "rev": "0d7209843407825066ccf9743c40d50b6d68674f", "type": "github" }, "original": { 
@@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1726509788, - "narHash": "sha256-PmCmO8NDKzwHrTp9Ox/rcLiCYivqIpZlnLk8wZRjv2I=", + "lastModified": 1727020652, + "narHash": "sha256-zwTXt1bcf+wycX389ZyJFzUO2gzCb16ButXxiX2iA7Y=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "5a0c70a007837e2db01e0bb68971792e8653d32c", + "rev": "6f1db348fcb89fd6b0b9c32e279d29ee6b4d1272", "type": "github" }, "original": { @@ -205,6 +205,22 @@ "type": "github" } }, + "randomcat": { + "flake": false, + "locked": { + "lastModified": 1727143958, + "narHash": "sha256-W2DK8AehT9Q5IaYWzUuUYyVRSvu3DdHwr8ioWJluUD8=", + "owner": "randomnetcat", + "repo": "nix-configs", + "rev": "2a6bd13e96db07e2e904fcc1b93faf5484725c91", + "type": "github" + }, + "original": { + "owner": "randomnetcat", + "repo": "nix-configs", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -214,7 +230,8 @@ "nixpkgs": "nixpkgs", "nixpkgsSmall": "nixpkgsSmall", "nur": "nur", - "plasma-manager": "plasma-manager" + "plasma-manager": "plasma-manager", + "randomcat": "randomcat" } }, "stable": { diff --git a/flake.nix b/flake.nix index 06f6387..61126be 100644 --- a/flake.nix +++ b/flake.nix @@ -28,10 +28,15 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + randomcat = { + url = "github:randomnetcat/nix-configs"; + flake = false; + }; + birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, randomcat, birdsong, ... }: { nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked @@ -79,6 +84,7 @@ birdsong.nixosModules.default ./common ./services + (builtins.toPath "${randomcat}/services/default.nix") ]; }; 
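Review bot: The added import `(builtins.toPath "${randomcat}/services/default.nix")` evaluates a NixOS module from a third-party repository (`randomnetcat/nix-configs`, declared as a non-flake input in the earlier hunk of this file) with the same authority as the local modules, so anything that repo's `services/` tree sets — packages, services, users, firewall — lands on every host built from this flake. The lock file pins it to a revision and narHash, but a routine `nix flake update` moves it along with the other inputs, so a comment at the input declaration stating that this input is reviewed before bumping, or pinning the revision in the URL (`github:randomnetcat/nix-configs/<rev>`), would record the trust decision. `builtins.toPath` is also marked deprecated in the Nix manual; a plain `"${randomcat}/services/default.nix"` string, or `(randomcat + "/services/default.nix")`, works in an `imports` list. The `imports` list and its enclosing module begin before the hunk.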
diff --git a/hosts/kilgharrah/datasets.nix b/hosts/kilgharrah/datasets.nix new file mode 100644 index 0000000..161a50f --- /dev/null +++ b/hosts/kilgharrah/datasets.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +{ + environment.etc.crypttab.text = '' + albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key + ''; + + randomcat.services.zfs.datasets = { + "rpool_albion/data" = { mountpoint = "none"; }; + "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + }; +} diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 01377be..75dd2ec 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -6,6 +6,8 @@ ./filesystems.nix ./hardware.nix ./networking.nix + + ./datasets.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index bfc5b10..e2baa43 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix @@ -5,12 +5,6 @@ "cryptroot".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; }; - boot.supportedFilesystems = [ "zfs" ]; - - environment.etc.crypttab.text = '' - cryptstorage UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key - ''; - fileSystems = { "/" = { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
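Review bot: The crypttab entry moves here with its mapped name changed from `cryptstorage` to `albion`, so anything that referenced `/dev/mapper/cryptstorage` (a pool vdev path, a unit, notes) now needs the new name; the `rpool_albion` datasets declared below presumably sit on that device, and their import now depends on the `randomcat.services.zfs` module from the third-party input, which is not visible here. The filesystems.nix hunk also drops `boot.supportedFilesystems = [ "zfs" ];` without anything in this commit re-adding it, so ZFS support now rests on that imported module setting it; if it does not, the pool will likely not import at boot. A comment above `randomcat.services.zfs.datasets`, e.g. `# ZFS support and pool import are provided by the randomcat zfs service module`, would make that dependency explicit. The key file `/root/luks-albion.key` lives on the root filesystem, which filesystems.nix shows is itself LUKS-backed (`cryptroot`), so the key is at rest only inside the encrypted root — worth stating in the same comment.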