diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index 56ca69c..26684a8 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -12,23 +12,11 @@
   boot.loader.efi.canTouchEfiVariables = true;
   boot.supportedFilesystems = [ "zfs" ];
   boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  boot.zfs = {
-    forceImportRoot = true;
-  };
-
-  # services.qemuGuest.enable = true;
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
   i18n.defaultLocale = "en_US.UTF-8";
 
-  # List packages installed in system profile. To search, run:
-  environment.systemPackages = with pkgs; [
-    vim
-    wget
-    git
-  ];
-
   # prevent fork bombs
   security.pam.loginLimits = [
     {
@@ -58,18 +46,6 @@
     };
   };
 
-
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 443 80 ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/modules/core/base.nix b/modules/core/base.nix
deleted file mode 100755
index 6fc1863..0000000
--- a/modules/core/base.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{ pkgs, config, ... }: {
-  nix = {
-    package = pkgs.nixUnstable; # or versioned attributes like nix_2_4
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-
-  system.activationScripts.report-nixos-changes = ''
-    if [ -e /run/current-system ] && [ -e $systemConfig ]; then
-      echo System package diff:
-      ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
-    fi
-
-    NO_FORMAT="\033[0m"
-    F_BOLD="\033[1m"
-    C_RED="\033[38;5;9m"
-    ${pkgs.diffutils}/bin/cmp --silent \
-      <(readlink /run/current-system/{initrd,kernel,kernel-modules}) \
-      <(readlink $systemConfig/{initrd,kernel,kernel-modules}) \
-      || echo -e "''${F_BOLD}''${C_RED}Kernel version changed, reboot is advised.''${NO_FORMAT}"
-  '';
-
-  # Select internationalisation properties.
-  console = {
-    #font = "Lat2-Terminus16";
-    font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
-    keyMap = pkgs.lib.mkForce "uk";
-  };
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-  programs.mosh.enable = true;
-
-  # vs code server
-  services.vscode-server.enable = true;
-
-  # set root ssh keys
-  users.users.root.openssh.authorizedKeys = {
-    keys = [
-      # RSA keys go into keyFiles because they're shamefully long
-      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS8xkNH7JvKblekx5oel4HVKCz3uBbQYEaR9Z9nzTAr manuel@ifsr.de"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINogGKyXieCXQvVTa1z3ArS1TlqcVl2sSqvMpOjQo/Um jakob@krbs.me"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjNYNRBsY/Dc+/XOaGDui9tRa4VGPsHwYo3irGnMRbR felix@tycho"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdOcXORg+akeN2t3yZlKWdoTURKxtV29eQ7UrIMkCHv felix@entropy"
-      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH73n+ZfJqNzIh9rPh6JYQaI4OAw9WKkPeqj2XRFmRfQ pascal@ifsr.de"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmb1kv+7HU1QKE53+gNxUhrggbwomC40Xjxd9hACkoo bennofs@d-cube"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0X6L7NwTHiOmFzo8mJBCy6H+DKUePAAXU4amm32DAQ fugi@arch"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHD1ZkrAmC9g5eJPDgv4zuEM+UIIEWromDzM1ltHt4TM fugi@macbook"
-      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBtP2ltExnQL5llOvfSKp6OCZKbPWsa2s6P0i00XyrH helene_emilia.hausmann@mailbox.tu-dresden.de"
-      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXMHwy4AZ9B4pMRBa/P/rb7N3SCas9e7Lp89plTHdFS halcyon@eisvogel.moe"
-      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"
-      "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
-    ];
-    keyFiles = [
-      ../../keys/ssh/marcus-sapphire
-      ../../keys/ssh/schrader
-      ../../keys/ssh/jannusch
-      ../../keys/ssh/jannusch-arch
-      ../../keys/ssh/tassilo
-      ../../keys/ssh/jonasga
-      ../../keys/ssh/rouven
-      ../../keys/ssh/joachim
-    ];
-  };
-
-  time.timeZone = "Europe/Berlin";
-
-  # basic shell & editor
-  programs.vim.defaultEditor = true;
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    atop
-    btop
-    bat
-    git
-    htop
-    fd
-    ripgrep
-    tldr
-    tmux
-    usbutils
-    wget
-    neovim
-    helix
-    nmap
-    tcpdump
-    bat
-    dig
-    ethtool
-    iftop
-    ipcalc
-    iperf3
-    ipv6calc
-    lsof
-    ltrace
-    strace
-    mtr
-    traceroute
-    smartmontools
-    sysstat
-    tree
-    whois
-    eza
-    zsh
-    unzip
-  ];
-}
-
diff --git a/modules/core/default.nix b/modules/core/default.nix
old mode 100644
new mode 100755
index 6615617..4feaf37
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -1,5 +1,5 @@
-{ ... }:
-{
+{ pkgs, config, ... }: {
+
   imports = [
     ./base.nix
     ./logging.nix
@@ -12,4 +12,114 @@
     ./sssd.nix
     ./zsh.nix
   ];
+
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+
+  system.activationScripts.report-nixos-changes = ''
+    if [ -e /run/current-system ] && [ -e $systemConfig ]; then
+      echo System package diff:
+      ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
+    fi
+
+    NO_FORMAT="\033[0m"
+    F_BOLD="\033[1m"
+    C_RED="\033[38;5;9m"
+    ${pkgs.diffutils}/bin/cmp --silent \
+      <(readlink /run/current-system/{initrd,kernel,kernel-modules}) \
+      <(readlink $systemConfig/{initrd,kernel,kernel-modules}) \
+      || echo -e "''${F_BOLD}''${C_RED}Kernel version changed, reboot is advised.''${NO_FORMAT}"
+  '';
+
+  # Select internationalisation properties.
+  console = {
+    #font = "Lat2-Terminus16";
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+    keyMap = pkgs.lib.mkForce "uk";
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  programs.mosh.enable = true;
+
+  # vs code server
+  services.vscode-server.enable = true;
+
+  # set root ssh keys
+  users.users.root.openssh.authorizedKeys = {
+    keys = [
+      # RSA keys go into keyFiles because they're shamefully long
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS8xkNH7JvKblekx5oel4HVKCz3uBbQYEaR9Z9nzTAr manuel@ifsr.de"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINogGKyXieCXQvVTa1z3ArS1TlqcVl2sSqvMpOjQo/Um jakob@krbs.me"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjNYNRBsY/Dc+/XOaGDui9tRa4VGPsHwYo3irGnMRbR felix@tycho"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdOcXORg+akeN2t3yZlKWdoTURKxtV29eQ7UrIMkCHv felix@entropy"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH73n+ZfJqNzIh9rPh6JYQaI4OAw9WKkPeqj2XRFmRfQ pascal@ifsr.de"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmb1kv+7HU1QKE53+gNxUhrggbwomC40Xjxd9hACkoo bennofs@d-cube"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0X6L7NwTHiOmFzo8mJBCy6H+DKUePAAXU4amm32DAQ fugi@arch"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHD1ZkrAmC9g5eJPDgv4zuEM+UIIEWromDzM1ltHt4TM fugi@macbook"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBtP2ltExnQL5llOvfSKp6OCZKbPWsa2s6P0i00XyrH helene_emilia.hausmann@mailbox.tu-dresden.de"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXMHwy4AZ9B4pMRBa/P/rb7N3SCas9e7Lp89plTHdFS halcyon@eisvogel.moe"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"
+      "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
+    ];
+    keyFiles = [
+      ../../keys/ssh/marcus-sapphire
+      ../../keys/ssh/schrader
+      ../../keys/ssh/jannusch
+      ../../keys/ssh/jannusch-arch
+      ../../keys/ssh/tassilo
+      ../../keys/ssh/jonasga
+      ../../keys/ssh/rouven
+      ../../keys/ssh/joachim
+    ];
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  # basic shell & editor
+  programs.vim.defaultEditor = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    atop
+    btop
+    bat
+    git
+    htop-vim
+    fd
+    ripgrep
+    tldr
+    tmux
+    usbutils
+    wget
+    neovim
+    helix
+    nmap
+    tcpdump
+    bat
+    dig
+    ethtool
+    iftop
+    ipcalc
+    iperf3
+    ipv6calc
+    lsof
+    ltrace
+    strace
+    mtr
+    traceroute
+    smartmontools
+    sysstat
+    tree
+    whois
+    eza
+    zsh
+    unzip
+  ];
 }
+
diff --git a/modules/core/nginx.nix b/modules/core/nginx.nix
index 9c5dca6..f71479a 100644
--- a/modules/core/nginx.nix
+++ b/modules/core/nginx.nix
@@ -18,6 +18,7 @@
   };
 
   config = {
+  networking.firewall.allowedTCPPorts = [ 443 80 ];
     services.nginx = {
       additionalModules = [ pkgs.nginxModules.pam ];
       enable = true;