diff --git a/flake.nix b/flake.nix index 82e2c37..88d6b7f 100644 --- a/flake.nix +++ b/flake.nix @@ -505,6 +505,22 @@ ]; }; + usbstick = clanSetup { + name = "usbstick"; + host = "usbstick.bear"; + modules = [ + homeManagerModules + stylixModules + { + home-manager.users.mainUser = import ./homes/palo; + home-manager.users.root = import ./homes/root; + } + { + clan.core.machineDescription = "USB-Stick for Backup"; + } + ]; + }; + }; }; diff --git a/machines/usbstick/configuration.nix b/machines/usbstick/configuration.nix new file mode 100644 index 0000000..ff6fd2a --- /dev/null +++ b/machines/usbstick/configuration.nix 
@@ -0,0 +1,77 @@
+{ config, pkgs, lib, ... }: {
+
+ imports = [
+
+ ./hardware-configuration.nix
+ #./tinc.nix
+ #./syncthing.nix
+
+ ];
+
+ #security.wrappers = {
+ # pmount = {
+ # source = "${pkgs.pmount}/bin/pmount";
+ # setuid = true;
+ # owner = "root";
+ # group = "root";
+ # };
+ # pumount = {
+ # source = "${pkgs.pmount}/bin/pumount";
+ # setuid = true;
+ # owner = "root";
+ # group = "root";
+ # };
+ #};
+
+ components.gui.enable = true;
+
+ configuration.desktop = {
+ width = 1366;
+ height = 768;
+ };
+
+ # grub configuraton
+ # -----------------
+ boot.loader.grub.enable = true;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.tmpOnTmpfs = true;
+
+ networking.networkmanager.enable = true;
+ networking.hostName = "usbstick";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ htop
+ silver-searcher
+ ];
+
+ environment.extraInit = ''
+ # use vi shortcuts
+ # ----------------
+ set -o vi
+ EDITOR=vim
+ '';
+
+ boot.supportedFilesystems = [ "zfs" ];
+ networking.hostId = "2ed43034";
+
+ services.openssh.enable = true;
+
+ #users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 contact@ingolf-wagner.de" ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.05"; # Did you read the comment?
+
+}
+
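Review bot: `services.openssh.enable = true;` is set without any authentication settings, and the only `authorizedKeys` line is commented out, so what sshd accepts on this machine is left to module defaults and to whatever `clanSetup` adds. The stick runs NetworkManager and will sit on whatever network the host machine joins, so I would pin the policy in this file, for example `services.openssh.settings.PasswordAuthentication = false;` (on older nixpkgs the option is `services.openssh.passwordAuthentication`) together with a real `users.users.root.openssh.authorizedKeys.keys` entry. A short comment next to the commented-out `security.wrappers` block saying why the setuid `pmount`/`pumount` wrappers are disabled would also help, since re-enabling them changes the privilege surface.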
diff --git a/machines/usbstick/hardware-configuration.nix b/machines/usbstick/hardware-configuration.nix
new file mode 100644
index 0000000..0efa0f3
--- /dev/null
+++ b/machines/usbstick/hardware-configuration.nix
@@ -0,0 +1,50 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ #device = "/dev/disk/by-uuid/b3dc4880-fb1b-415d-a5a8-a53b9f0a9ab6";
+ device = "/dev/mapper/root-enc";
+ fsType = "ext4";
+ };
+
+ #boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/c2a56e0f-f831-4d21-8cf4-7ddf3901ea8a";
+ boot.initrd.luks.devices."root-enc".device = "/dev/sda3";
+
+ fileSystems."/boot" =
+ {
+ #device = "/dev/disk/by-uuid/EBCE-D756";
+ device = "/dev/disk/by-uuid/sda2";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
+ # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
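Review bot: `device = "/dev/disk/by-uuid/sda2";` under `fileSystems."/boot"` mixes a by-uuid path with a kernel device name, so it only resolves if a filesystem really carries the UUID `sda2`; it looks as though `/dev/sda2` or the commented-out `/dev/disk/by-uuid/EBCE-D756` was intended. The LUKS line `boot.initrd.luks.devices."root-enc".device = "/dev/sda3";` has a related problem: on a USB stick `sda` is whichever disk the host enumerates first, so the initrd may ask for the passphrase against the host's internal disk or fail to find the volume. If the commented-out UUIDs belong to this stick, prefer them (or a `/dev/disk/by-partlabel/...` path) for both entries; the same concern applies to `boot.loader.grub.device = "/dev/sda";` in configuration.nix. The header says the file is generated, so a comment marking these lines as hand-edited would protect them from the next regeneration.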
diff --git a/machines/usbstick/syncthing.nix b/machines/usbstick/syncthing.nix
new file mode 100644
index 0000000..0778de2
--- /dev/null
+++ b/machines/usbstick/syncthing.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }: {
+
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = false;
+ user = "palo";
+ dataDir = "/home/palo/.syncthing";
+ configDir = "/home/palo/.syncthing";
+ overrideFolders = true;
+ folders = {
+
+ # on encrypted drive
+ # ------------------
+ private = {
+ enable = true;
+ path = "/home/palo/private";
+ };
+ desktop = {
+ enable = true;
+ path = "/home/palo/desktop";
+ };
+ finance = {
+ enable = true;
+ path = "/home/palo/finance";
+ };
+ password-store = {
+ enable = true;
+ path = "/home/palo/.password-store";
+ };
+ };
+ };
+
+ services.permown."/home/palo/music-library" = {
+ owner = "palo";
+ group = "users";
+ };
+}
diff --git a/machines/usbstick/tinc.nix b/machines/usbstick/tinc.nix
new file mode 100644
index 0000000..2693db2
--- /dev/null
+++ b/machines/usbstick/tinc.nix
@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+ tinc.private.enable = true;
+ tinc.private.ipv4 = "10.23.42.25";
+}
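Review bot: In syncthing.nix the service runs as `user = "palo"` with every path under `/home/palo`, while the flake.nix entry for this machine configures home-manager for `mainUser` and `root`. Nothing visible in this commit creates a `palo` account, so confirm it exists before this module is imported (it is currently commented out in configuration.nix). `services.permown."/home/palo/music-library"` refers to a directory that no folder in this file declares, and looks like a leftover from another machine. Because `private`, `finance` and `password-store` are declared here, the `# on encrypted drive` comment should state that these paths depend on `/home` living on the `root-enc` LUKS volume.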