diff --git a/configs/docker.nix b/configs/docker.nix
index 83fe6f8..cefc838 100644
--- a/configs/docker.nix
+++ b/configs/docker.nix
@@ -12,5 +12,6 @@
 docker-compose
 lazydocker
 minikube
+ lazydocker
 ];
 }
diff --git a/configs/user.nix b/configs/user.nix
index 5310615..87bc9ff 100644
--- a/configs/user.nix
+++ b/configs/user.nix
@@ -137,7 +137,7 @@ in
 enable = true;
 enableAutosuggestions = true;
 enableCompletion = true;
- enableSyntaxHighlighting = true;
+ syntaxHighlighting.enable = true;
 oh-my-zsh = {
 enable = true;
 plugins =
diff --git a/machine/mini.nix b/machine/mini.nix
index 2587179..298097b 100644
--- a/machine/mini.nix
+++ b/machine/mini.nix
@@ -10,17 +10,28 @@ in {
 ../configs/user.nix
 ];
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
- boot.extraModulePackages = with pkgs.linuxPackages; [ rtl88x2bu ];
+ boot = {
+ loader = {
+ grub = {
+ enable = true;
+ device = "nodev";
+ efiSupport = true;
+ configurationLimit = 5;
+ };
+
+ efi.canTouchEfiVariables = true;
+ };
+
+ extraModulePackages = with pkgs.linuxPackages; [ rtl88x2bu ];
+ };
 time.timeZone = "Europe/Berlin";
 networking = {
 hostName = "mini";
 useDHCP = false;
 firewall = { enable = false; };
- networkmanager.enable = true;
+ interfaces.enp3s0.useDHCP = true;
+ interfaces.wlp0s20u1u1.useDHCP = true;
 wireguard.interfaces = {
 wg0 = {
 ips = [ "10.100.0.3/24" ];
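Review bot: The added `lazydocker` entry in configs/docker.nix duplicates the `lazydocker` that already sits two lines above it in the same list, so the new line can simply be dropped. Nix evaluates a list with repeated elements without complaint, which makes this easy to miss. The list's opening line is outside the hunk.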
@@ -30,35 +41,53 @@ in {
 publicKey = secrets.wireguard-vps-public;
 presharedKey = secrets.wireguard-preshared;
 allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "szczepan.ski:51820";
+ endpoint = "207.180.220.97:51820";
 persistentKeepalive = 25;
 }];
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp3s0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp3s0 -j MASQUERADE
+ '';
 };
 };
+
+ nat = {
+ enable = true;
+ externalInterface = "wlp0s20u1u1";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ wireless = {
+ enable = true;
+ networks.Skynet.psk = secrets.wifipassword;
+ interfaces = [ "wlp0s20u1u1" ];
+ };
 };
+ # nixpkgs.config.packageOverrides = pkgs: {
+ # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ # };
+ # hardware.opengl = {
+ # enable = true;
+ # extraPackages = with pkgs; [
+ # intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ # vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ # vaapiVdpau
+ # libvdpau-va-gl
+ # ];
+ # };
+
 services = {
 # k3s = {
 # enable = true;
 # role = "server";
 # };
- # nextdns = {
- # arguments = pkgs.lib.mkForce [
- # "-config"
- # secrets.nextdnshash
- # "-cache-size"
- # "10MB"
- # "-listen"
- # "0.0.0.0:53"
- # "-listen"
- # ":::53"
- # "-forwarder"
- # secrets.nextdnsforwarder
- # "-report-client-info"
- # ];
- # };
-
 ddclient = {
 enable = true;
 verbose = true;
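Review bot: The added `postSetup` MASQUERADE rule egresses on `enp3s0`, while the new `nat` block names `wlp0s20u1u1` as `externalInterface` for the same `wg0` traffic, so the host now NATs the whole 10.100.0.0/24 range out of both uplinks through two separately managed rule sets. Because `firewall = { enable = false; };` (context in the previous hunk) leaves nothing filtering forwarded packets, every WireGuard peer can route through this machine into whatever those interfaces reach. I would keep one mechanism, for example drop `postSetup`/`postShutdown` and let `networking.nat` own the rule, and add forward filtering for `wg0`. Separately, `networks.Skynet.psk = secrets.wifipassword;` is presumably evaluated into the generated wpa_supplicant configuration in the world-readable Nix store; `networking.wireless.environmentFile` with `psk = "@PSK_SKYNET@";` (variable name constructed here) keeps the passphrase out of it. The enclosing `networking` block starts outside this hunk.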
@@ -68,26 +97,54 @@ in {
 domains = [ "home.beinacht.org" ];
 };
- printing = {
- enable = true;
- drivers = [ pkgs.brlaser ];
- browsing = true;
- listenAddresses = [
- "*:631"
- ]; # Not 100% sure this is needed and you might want to restrict to the local network
- allowFrom = [
- "all"
- ]; # this gives access to anyone on the interface you might want to limit it see the official documentation
- defaultShared = true; # If you want
- };
+ # printing = {
+ # enable = true;
+ # drivers = [ pkgs.brlaser ];
+ # browsing = true;
+ # listenAddresses = [
+ # "*:631"
+ # ]; # Not 100% sure this is needed and you might want to restrict to the local network
+ # allowFrom = [
+ # "all"
+ # ]; # this gives access to anyone on the interface you might want to limit it see the official documentation
+ # defaultShared = true; # If you want
+ # };
- avahi = {
- enable = true;
- publish.enable = true;
- publish.userServices = true;
+ # avahi = {
+ # enable = true;
+ # publish.enable = true;
+ # publish.userServices = true;
+ # };
+
+ borgbackup.jobs.home = rec {
+ compression = "auto,zstd";
+ encryption = {
+ mode = "repokey-blake2";
+ passphrase = secrets.borg-key;
+ };
+ extraCreateArgs =
+ "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
+ environment.BORG_RSH =
+ "ssh -o StrictHostKeyChecking=no -i /home/alex/.ssh/id_ed25519";
+ paths = [ "/home/alex" "/var/lib" ];
+ repo = secrets.borg-repo;
+ startAt = "daily";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ monthly = 6;
+ };
+ extraPruneArgs = "--save-space --list --stats";
+ exclude = [ "/home/alex/.cache" ];
 };
 };
- system.stateVersion = "23.05";
+ powerManagement = {
+ enable = true;
+ powertop.enable = true;
+ cpuFreqGovernor = "powersave";
+ };
+
+ system.stateVersion = "23.11";
 }
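Review bot: `BORG_RSH` in the new `borgbackup.jobs.home` sets `StrictHostKeyChecking=no`, so the daily job will connect to whatever host answers for `secrets.borg-repo` without verifying its key. The repository encryption still protects the content, but a host in the path could accept, withhold or discard the backups unnoticed; pin the server key under `programs.ssh.knownHosts` and use `"ssh -o StrictHostKeyChecking=yes -i /home/alex/.ssh/id_ed25519"`. `passphrase = secrets.borg-key;` is presumably written into a store-generated unit or wrapper, which `encryption.passCommand` reading a root-only file would avoid. The `rec` on the job attrset is unused in the visible lines, and the `system.stateVersion` bump to "23.11" at the end of the hunk deserves a comment, since that value is meant to stay at the release the machine was installed with.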