diff --git a/hosts/nb/configuration.nix b/hosts/nb/configuration.nix index f23c92c..430764f 100644 --- a/hosts/nb/configuration.nix +++ b/hosts/nb/configuration.nix @@ -35,6 +35,8 @@ in { ./cachix.nix ./users + ./modules/epicenter.nix + # ./modules/steam.nix ./modules/fingerprint.nix ./modules/set-nix-channel.nix diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix index 923550a..32088d1 100644 --- a/hosts/nb/modules/desktop/default.nix +++ b/hosts/nb/modules/desktop/default.nix @@ -9,7 +9,6 @@ in { ./thunderbird.nix ./bitwarden.nix ./rustdesk.nix - ./rustdesk-epicenter.nix ./flatpak-packages.nix ]; diff --git a/hosts/nb/modules/desktop/rustdesk-epicenter.nix b/hosts/nb/modules/desktop/rustdesk-epicenter.nix deleted file mode 100644 index 6c0164a..0000000 --- a/hosts/nb/modules/desktop/rustdesk-epicenter.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- wrapperScript = pkgs.writeShellScriptBin "rustdesk-wrapper" ''
- CONFIG_FILE="$HOME/.config/rustdesk/RustDesk2.toml"
- CONFIG_DIR="$(dirname "$CONFIG_FILE")"
-
- if [ ! -f "$CONFIG_FILE" ]; then
- ${pkgs.rustdesk-flutter}/bin/rustdesk &
- RUSTDESK_PID=$!
- sleep 3
- kill $RUSTDESK_PID 2>/dev/null || true
- sleep 1
- fi
-
- if [ -f "$CONFIG_FILE" ]; then
- sed -i "s|^rendezvous_server = .*|rendezvous_server = 'tools.epicenter.works:21116'|" "$CONFIG_FILE"
- sed -i "s|^custom-rendezvous-server = .*|custom-rendezvous-server = 'tools.epicenter.works'|" "$CONFIG_FILE"
- sed -i "/^key\s*=.*/d" "$CONFIG_FILE"
- fi
-
- # Launch RustDesk
- exec ${pkgs.rustdesk-flutter}/bin/rustdesk "$@"
- '';
-
- rustdeskEpicenterDesktopItem = pkgs.makeDesktopItem {
- name = "rustdesk-epicenter";
- desktopName = "RustDesk Epicenter";
- exec = "${wrapperScript}/bin/rustdesk-wrapper";
- icon = "rustdesk"; # Using the standard rustdesk icon
- categories = [ "Network" "RemoteAccess" ];
- comment = "Remote desktop software configured for Epicenter";
- };
-in {
- environment.systemPackages = [
- rustdeskEpicenterDesktopItem
- ];
-}
diff --git a/hosts/nb/modules/epicenter.nix b/hosts/nb/modules/epicenter.nix
new file mode 100644
index 0000000..14cb508
--- /dev/null
+++ b/hosts/nb/modules/epicenter.nix
@@ -0,0 +1,78 @@
+{ lib, pkgs, ... }:
+let
+ wrapperScript = pkgs.writeShellScriptBin "rustdesk-epicenter-wrapper" ''
+ # Grant epicenter user access to the Wayland socket
+ ${pkgs.acl}/bin/setfacl -m u:epicenter:x "$XDG_RUNTIME_DIR"
+ ${pkgs.acl}/bin/setfacl -m u:epicenter:rwx "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
+
+ # Run rustdesk as epicenter user with absolute path to Wayland socket
+ exec /run/wrappers/bin/sudo -u epicenter \
+ WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
+ XDG_RUNTIME_DIR=/run/user/1001 \
+ ${pkgs.rustdesk-flutter}/bin/rustdesk "$@"
+ '';
+
+ rustdeskEpicenterDesktopItem = pkgs.makeDesktopItem {
+ name = "rustdesk-epicenter";
+ desktopName = "RustDesk Epicenter";
+ exec = "${wrapperScript}/bin/rustdesk-epicenter-wrapper";
+ icon = "rustdesk";
+ categories = [ "Network" "RemoteAccess" ];
+ comment = "Remote desktop software for office user (Epicenter)";
+ };
+in {
+ environment.systemPackages = [
+ rustdeskEpicenterDesktopItem
+ ];
+
+ users.users.epicenter = {
+ isNormalUser = true;
+ extraGroups = [ ]; # Minimal groups
+ };
+
+ users.groups.epicenter = {};
+
+ # Allow dominik to run rustdesk as epicenter user without password
+ security.sudo.extraRules = [
+ {
+ users = [ "dominik" ];
+ runAs = "epicenter";
+ commands = [
+ {
+ command = "${pkgs.rustdesk-flutter}/bin/rustdesk";
+ options = [ "NOPASSWD" "SETENV" ];
+ }
+ ];
+ }
+ ];
+
+ home-manager.users.epicenter = {
+ home.stateVersion = "24.05";
+ home.username = "epicenter";
+ home.homeDirectory = "/home/epicenter";
+
+ # Add rustdesk to the epicenter user's packages
+ home.packages = with pkgs; [
+ rustdesk-flutter
+ ];
+
+ # Declaratively configure RustDesk for Epicenter server
+ home.file.".config/rustdesk/RustDesk2.toml" = {
+ force = true;
+ text = ''
+rendezvous_server = 'rustdesk.helsinki.tools:21116'
+nat_type = 1
+serial = 0
+unlock_pin = '''
+trusted_devices = '''
+
+[options]
+av1-test = 'N'
+key = '8jkD3HoWK+flkWcAMIqRnyn0jr4r9VPb+JYIbBtb+7k='
+api-server = 
'https://rustdesk.helsinki.tools' +custom-rendezvous-server = 'rustdesk.helsinki.tools' + ''; + }; + }; + +} diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix index cee91e4..4a330f2 100644 --- a/hosts/nb/users/dominik.nix +++ b/hosts/nb/users/dominik.nix @@ -172,7 +172,7 @@ in home-manager.users.dominik = { lib, pkgs, ... }: { # imports = [ "${impermanence}/home-manager.nix" ]; /* The home.stateVersion option does not have a default and must be set */ - home.stateVersion = "24.05"; + home.stateVersion = "25.05"; home.enableNixpkgsReleaseCheck = false; home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1";
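Review bot: The wrapper in hosts/nb/modules/epicenter.nix hard-codes `XDG_RUNTIME_DIR=/run/user/1001`, but `users.users.epicenter` declares no uid, so the path is only right if NixOS happens to assign 1001; pin it with `uid = 1001;` in the user block (the directory presumably also exists only while epicenter has a login session or lingering enabled, which is worth confirming). The account is less isolated than the `# Minimal groups` comment suggests: `isNormalUser` defaults the primary group to `users`, and `users.groups.epicenter` is declared but never assigned, so add `group = "epicenter";`. The `setfacl -m u:epicenter:x "$XDG_RUNTIME_DIR"` line lets that account reach any socket in dominik's runtime directory whose own mode is permissive, not only the Wayland one, and neither ACL is removed when RustDesk exits; a comment stating that trade-off, or revoking the ACLs afterwards, would make the boundary explicit. `SETENV` in the sudo rule accepts any environment variable on the command line, which is wider than the two variables the wrapper actually passes.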