diff --git a/nixos/systems/blowhole/klipper.nix b/nixos/systems/blowhole/klipper.nix
index 2e900f0..823a6ba 100644
--- a/nixos/systems/blowhole/klipper.nix
+++ b/nixos/systems/blowhole/klipper.nix
@@ -41,6 +41,10 @@ in
     fsType = "zfs";
   };
 
+  systemd.services."container@klipper" = {
+    restartIfChanged = lib.mkForce false;
+  };
+
   containers.klipper = {
     ephemeral = true;
     autoStart = true;
@@ -58,12 +62,20 @@ in
         hostPath = "/var/lib/klipper";
         isReadOnly = false;
       };
+      "/var/lib/moonraker/gcodes" = {
+        hostPath = "/var/lib/klipper/gcodes";
+        isReadOnly = false;
+      };
+      "/dev/serial/by-id/" = {
+        hostPath = "/dev/serial/by-id/";
+        isReadOnly = false;
+      };
     };
 
     allowedDevices = [
       {
         node = "/dev/serial/by-id/usb-Klipper_lpc1768_13E0FF0C469027AEBAA84A52871E00F5-if00";
-        modifier = "rw";
+        modifier = "rwm";
       }
     ];
 
@@ -93,7 +105,7 @@ in
 
         address = "10.64.99.6:19000";
         adminBind = "127.0.0.1:19100";
-        hotRestart = true;
+        hotRestart = false;
       };
 
       users.users.klipper = {
@@ -217,7 +229,7 @@ in
           };
 
           virtual_sdcard = {
-            path = "/var/lib/klipper/sdcard";
+            path = "/var/lib/moonraker/gcodes";
           };
 
           ### Mainsail
@@ -451,6 +463,8 @@ in
       services.moonraker = {
         enable = true;
 
+        group = "klipper";
+
         settings = {
           authorization = {
             trusted_clients = with secret.network.ips; [