diff --git a/nixos/machines/chungus/configuration.nix b/nixos/machines/chungus/configuration.nix
index 7549a39..b12adbb 100644
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@@ -5,8 +5,8 @@
     ../../system/server
     ../../components
-    ./hardware-configuration.nix
-    ./disko-config.nix
+    ./hardware-configuration
+    ./disko-syncoid.nix
     ./packages.nix
@@ -70,14 +70,6 @@
   services.printing.enable = false;
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
-
-  boot.supportedFilesystems = [ "zfs" ];
-  # head -c4 /dev/urandom | od -A none -t x4
-  networking.hostId = "e439b116";
-  services.zfs.autoSnapshot.enable = true;
   #virtualisation.containers.storage.settings = {
   #  # fixes: Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver
@@ -91,13 +83,6 @@
   users.users.root.shell = pkgs.zsh;
-  # todo : rename to component.init.ssh
-  # todo : make tor optional
-  configuration.init-ssh = {
-    enable = "enabled";
-    kernelModules = [ "e1000e" ];
-  };
-
   hardware.opengl = {
     enable = true;
     extraPackages = with pkgs; [
diff --git a/nixos/machines/chungus/hardware-configuration/default.nix b/nixos/machines/chungus/hardware-configuration/default.nix
new file mode 100644
index 0000000..506b031
--- /dev/null
+++ b/nixos/machines/chungus/hardware-configuration/default.nix
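Review bot: `./disko-syncoid.nix` is imported on the new side of the first hunk, but nothing in this commit creates or renames such a file; the only disko file that moves is `disko-config.nix`, into `hardware-configuration/`, where the new `default.nix` imports it. If `disko-syncoid.nix` is not already present in `nixos/machines/chungus/`, evaluating the chungus configuration fails on the missing path. If it is, a one-line comment next to the import saying what it holds would help, since the name suggests a second disko layout that, unlike `disko-config.nix`, deliberately stays outside `./hardware-configuration`. The imports list continues outside the hunk.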
@@ -0,0 +1,24 @@
+{ ... }:
+{
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  # todo : rename to component.init.ssh
+  # todo : make tor optional
+  configuration.init-ssh = {
+    enable = "enabled";
+    kernelModules = [ "e1000e" ];
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
+
+  boot.supportedFilesystems = [ "zfs" ];
+  # head -c4 /dev/urandom | od -A none -t x4
+  networking.hostId = "e439b116";
+  services.zfs.autoSnapshot.enable = true;
+
+}
diff --git a/nixos/machines/chungus/disko-config.nix b/nixos/machines/chungus/hardware-configuration/disko-config.nix
similarity index 100%
rename from nixos/machines/chungus/disko-config.nix
rename to nixos/machines/chungus/hardware-configuration/disko-config.nix
diff --git a/nixos/machines/chungus/hardware-configuration.nix b/nixos/machines/chungus/hardware-configuration/hardware-configuration.nix
similarity index 100%
rename from nixos/machines/chungus/hardware-configuration.nix
rename to nixos/machines/chungus/hardware-configuration/hardware-configuration.nix
diff --git a/nixos/machines/orbi/configuration.nix b/nixos/machines/orbi/configuration.nix
index 5e5d300..5fcf92d 100644
--- a/nixos/machines/orbi/configuration.nix
+++ b/nixos/machines/orbi/configuration.nix
@@ -70,11 +70,6 @@
   services.smartd.enable = true;
-  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
-
-  boot.supportedFilesystems = [ "zfs" ];
-  # head -c4 /dev/urandom | od -A none -t x4
-  networking.hostId = "5bb982a6";
 }
diff --git a/nixos/machines/orbi/hardware-configuration/default.nix b/nixos/machines/orbi/hardware-configuration/default.nix
index 7c2653b..8f2141c 100644
--- a/nixos/machines/orbi/hardware-configuration/default.nix
+++ b/nixos/machines/orbi/hardware-configuration/default.nix
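Review bot: The comment `# head -c4 /dev/urandom | od -A none -t x4` above `networking.hostId` in the new chungus `default.nix` reads like an instruction to regenerate the value, but a ZFS pool records the hostid it was last imported under and refuses a normal import from a different one, so regenerating it on an existing install leaves the root pool unimportable at boot without a forced import. Suggest making the intent explicit: `# must stay the hostid the zpool was created/imported under; generate a fresh one only for a new install: head -c4 /dev/urandom | od -A none -t x4`. The same comment is carried unchanged into the orbi `hardware-configuration/default.nix` hunk on the next line, where it deserves the same wording.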
@@ -34,10 +34,6 @@ in
     ./hardware-configuration.nix
   ];
-  environment.systemPackages = [
-    pkgs.mosh
-  ];
-
   # Use GRUB2 as the boot loader.
   # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
   boot.loader.grub = {
@@ -50,6 +46,7 @@ in
   services.openssh.settings.PermitRootLogin = "prohibit-password";
   services.openssh.settings.PasswordAuthentication = false;
+  # todo : move this to the flake, this is always true
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-rsa 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"
   ];
@@ -57,28 +54,14 @@ in
   services.openssh.enable = true;
   services.sshguard.enable = true;
+  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
-  # enable ssh on init
-  # ------------------
+  boot.supportedFilesystems = [ "zfs" ];
+  # head -c4 /dev/urandom | od -A none -t x4
+  networking.hostId = "5bb982a6";
-  #boot.kernelParams = [
-  #  # See for docs on this
-  #  # ip=:::::::::
-  #  # The server ip refers to the NFS server -- we don't need it.
-  #  "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
-  #];
+  systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
-  # luks unlock zeug
-  #boot.initrd.systemd.services.openssh = {
-  #  enable = true;
-  #};
-  #unlock_root(){
-  #  pw=$(rbw get 'zfs encryption')
-  #  ssh root@eve.i -p 2222 "echo ${pw} | systemd-tty-ask-password-agent"
-  #}
-  #boot.initrd.systemd.users.root.shell = "/bin/cryptsetup-askpass";
-
-  #boot.kernelParams = [ "ip=dhcp" ];
   boot.initrd.kernelModules = [ networkInterfaceModule ];
   boot.initrd.network = {
     enable = true;
@@ -95,14 +78,27 @@ in
     };
   };
-  systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
-  boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
+  # enable ssh on init
+  # ==================
+
+
+  # No SystemD at boot
+  # ------------------
+  #boot.kernelParams = [
+  #  # See for docs on this
+  #  # ip=:::::::::
+  #  # The server ip refers to the NFS server -- we don't need it.
+  #  "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+  #];
+  #boot.initrd.systemd.enable = false;
+  #boot.kernelParams = [ "ip=dhcp" ];
+  #boot.initrd.network.ssh.shell = "/bin/cryptsetup-askpass";
+  #boot.initrd.luks.reusePassphrases = true;
+
+  # SystemD at boot
+  # ---------------
   boot.initrd.systemd.enable = true;
-
-  # root shell if not booting (usefull for debugging)
-  boot.initrd.systemd.emergencyAccess = false;
-
-  # playing around with stuff
-  # boot.initrd.luks.reusePassphrases = true;
+  #boot.initrd.systemd.services.openssh.enable = true;
+  boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
 }
diff --git a/nixos/machines/orbi/hardware-configuration/disko-config.nix b/nixos/machines/orbi/hardware-configuration/disko-config.nix
index 4382a0e..60a12d5 100644
--- a/nixos/machines/orbi/hardware-configuration/disko-config.nix
+++ b/nixos/machines/orbi/hardware-configuration/disko-config.nix
@@ -1,7 +1,4 @@
-# nix run github:nix-community/disko -- --mode zap_create_mount ./disko-config.nix
-# nixos-generate-config --no-filesystems --root /mnt
-# vim /mnt/configuration.nix
-# nixos-install
+# nix run github:nix-community/nixos-anywhere -- --copy-host-keys --disk-encryption-keys /run/secret.key /home/palo/orbi/run/secret.key --flake .#orbi root@95.216.66.212
 { config, lib, ... }:
 let
   disks = [ "sda" "sdb" ];
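Review bot: `boot.initrd.systemd.emergencyAccess = false;` is dropped together with its comment, which leaves the initrd emergency-shell policy implicit right where the new side keeps the systemd initrd and the network unlock path enabled. With the option absent the behaviour is whatever the NixOS default is (false on current releases, as far as I know), so nothing breaks today, but a default change or a copy of this block to another host would silently pick up an unauthenticated root shell at the console. Suggest keeping the line explicit next to `boot.initrd.systemd.enable = true;`: `boot.initrd.systemd.emergencyAccess = false; # no unauthenticated root shell in the initrd`. The `# enable ssh on init` heading now sits above two commented-out variants; a short line saying which one is live (the SystemD block, with `services.openssh.enable` still commented) would spare the next reader the guess.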
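Review bot: The replacement header comment in `disko-config.nix` records the operator's workstation path to the LUKS passphrase (`/home/palo/orbi/run/secret.key`) and the install target address; the command itself is useful documentation, but those two values are deployment details rather than part of the disk layout, and the key path in particular tells a reader where the passphrase file lives on the admin machine. Suggest keeping the command with placeholders, `# nix run github:nix-community/nixos-anywhere -- --copy-host-keys --disk-encryption-keys /run/secret.key <local-secret-file> --flake .#orbi root@<host>`, and leaving the concrete values out of the repository.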
@@ -38,11 +35,12 @@ in
         content = {
           type = "luks";
           name = "root_${disk}";
+          # if you want to use the key for interactive login be sure there is no trailing newline
+          # for example use `echo -n "password" > /run/secret.key`
+          # for example use `pass show hetzner/orbi/master_password | head -c -1 > /run/secret.key`
+          # or use nixos-anywhere --disk-encryption-keys /run/secret.key
+          passwordFile = "/run/secret.key";
           settings = {
-            # if you want to use the key for interactive login be sure there is no trailing newline
-            # for example use `echo -n "password" > /run/secret.key`
-            # or use nixos-anywhere --disk-encryption-keys /run/secret.key
-            keyFile = "/run/secret.key";
             allowDiscards = true;
           };
           content = {
@@ -56,10 +54,12 @@ in
           size = "100%";
           content = {
             type = "luks";
+            # if you want to use the key for interactive login be sure there is no trailing newline
+            # for example use `echo -n "password" > /run/secret.key`
+            # for example use `pass show hetzner/orbi/master_password | head -c -1 > /run/secret.key`
+            # or use nixos-anywhere --disk-encryption-keys /run/secret.key
+            passwordFile = "/run/secret.key";
             settings = {
-              # if you want to use the key for interactive login be sure there is no trailing newline
-              # for example use `echo -n "password" > /run/secret.key`
-              keyFile = "/run/secret.key";
               allowDiscards = true;
             };
             name = "media_${disk}";
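Review bot: The new example `pass show hetzner/orbi/master_password | head -c -1 > /run/secret.key`, added above `passwordFile` in both LUKS blocks, is only correct when the pass entry is known to end in a newline: `head -c -1` drops the final byte unconditionally, so for an entry without one the passphrase that `luksFormat` stores loses its last character and the interactive unlock the comment is about then fails against the real password. A form that strips only newlines, `pass show hetzner/orbi/master_password | tr -d '\n' > /run/secret.key`, does not have that edge. Since the path and the four comment lines are now duplicated for `root_${disk}` and `media_${disk}`, a single `let` binding such as `secretKeyFile = "/run/secret.key";` with the comment written once would keep the two in step. Moving the path from `settings.keyFile` to `passwordFile` also means it is no longer forwarded into the generated `boot.initrd.luks.devices` entry, if I read disko's `settings` pass-through correctly, so the initrd prompts instead of looking for `/run/secret.key`; that appears to be the intent and is worth one line in the comment. Both enclosing attrsets continue outside the hunks.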