diff --git a/nix/deployments/nixops.nix b/nix/deployments/nixops.nix
index 16b1f6f..83cca44 100644
--- a/nix/deployments/nixops.nix
+++ b/nix/deployments/nixops.nix
@@ -64,7 +64,10 @@ in
     { nodes, ... }:
     {
       deployment.targetHost = serverIp;
-      imports = [ ../system/xps11/configuration.nix ];
+      imports = [
+        ../system/xps11/configuration.nix
+        ../home/programs/jellyfin
+      ];
 
       fileSystems."/storage" = {
         device = "${nasIp}:/storage";
diff --git a/nix/home/programs/jellyfin/default.nix b/nix/home/programs/jellyfin/default.nix
index 6c0fcba..2f315cf 100644
--- a/nix/home/programs/jellyfin/default.nix
+++ b/nix/home/programs/jellyfin/default.nix
@@ -19,6 +19,10 @@
 
   services.jellyfin.enable = true;
 
+  # 2. override default hardening measure from NixOS - this is default since 22.05
+  systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
+
+
   security.acme.acceptTerms = true;
   security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
   services.nginx = {
diff --git a/nix/system/xps11/configuration.nix b/nix/system/xps11/configuration.nix
index db2e2d4..9edc143 100644
--- a/nix/system/xps11/configuration.nix
+++ b/nix/system/xps11/configuration.nix
@@ -11,7 +11,6 @@
       ./hardware-configuration.nix
       ./glibc-locale-paths.nix
       ../common/users.nix
-      ../../home/programs/jellyfin
     ];
 
   # Use the systemd-boot EFI boot loader.
@@ -106,9 +105,6 @@
     ];
   };
 
-  # 2. override default hardening measure from NixOS - this is default since 22.05
-  systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
-
   # Enable touchpad support.
   # services.xserver.libinput.enable = true;