diff --git a/hardware/nuc.nix b/hardware/nuc.nix
new file mode 100644
index 0000000..e5d0a42
--- /dev/null
+++ b/hardware/nuc.nix
@@ -0,0 +1,21 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "e1000e" "virtio-pci"];
+ boot.initrd.kernelModules = [ ];
+# boot.kernelModules = [ "kvm-intel" "virtio" "tun" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+# boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+ hardware.cpu.intel.updateMicrocode = true;
+ powerManagement.cpuFreqGovernor = "ondemand";
+ nix.maxJobs = lib.mkDefault 8;
+}
diff --git a/host/montalin.nix b/host/montalin.nix
new file mode 100644
index 0000000..266e9c7
--- /dev/null
+++ b/host/montalin.nix
@@ -0,0 +1,90 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+
+ imports =
+ [
+ ../hardware/nuc.nix
+ ../role/base.nix
+ ../role/dropbear.nix
+ (import ../role/backup.nix {systemdMount = "var-backup.mount"; borgArchiveFolder = "/var/backup/montalin";})
+ ];
+
+ boot.tmpOnTmpfs = true;
+ boot.initrd.luks.devices = {
+ "root".device = "/dev/disk/by-uuid/3a0a5071-67ab-4e13-a0b7-d31b86f5e8b1";
+ "swap".device = "/dev/disk/by-uuid/6dee6e3c-e2f3-46c5-8751-5fce8c80ed49";
+ "backup".device = "/dev/disk/by-uuid/a965933d-516c-46cf-8384-006b1770e46b";
+ };
+
+ fileSystems = {
+ "/" = { device = "/dev/mapper/root"; fsType = "btrfs"; options = [ "defaults" "noatime" ]; };
+ "/var/backup" = { device = "/dev/mapper/backup"; fsType = "ext4"; options = [ "defaults" "noauto" "noatime" ]; };
+ "/boot" = { device = "/dev/disk/by-uuid/0065-E4EA"; fsType = "vfat"; options = [ "defaults" "noatime" ]; };
+ };
+
+ swapDevices = [{ device = "/dev/mapper/swap"; }];
+
+ # Get disk identifier with `udevadm info -n /dev/sdX | grep ID_SERIAL_SHORT`
+ services.udev.extraRules = ''
+ ACTION=="add", KERNEL=="sd[a-z]", ENV{ID_SERIAL_SHORT}=="WD-WXH1A89L54LA", RUN+="${pkgs.hdparm}/bin/hdparm -S 60 /dev/%k"
+ '';
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+
+
+ environment.systemPackages = [ pkgs.borgbackup ];
+
+
+ networking.hostName = "montalin"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.eno1.useDHCP = true;
+ networking.interfaces.wlp1s0.useDHCP = true;
+
+ #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ #networking.wireless.networks = {
+ # yummi = {
+ # psk = "cookies!";
+ # };
+ #};
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Set your time zone.
+ # time.timeZone = "Europe/Amsterdam";
+
+ # List services that you want to enable:
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.jane = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # };
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "19.09"; # Did you read the comment?
+
+}
diff --git a/role/backup.nix b/role/backup.nix
new file mode 100644
index 0000000..e019b7e
--- /dev/null
+++ b/role/backup.nix
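Review bot: `backup` is declared under `boot.initrd.luks.devices` next to `root` and `swap`, so it is unlocked in the initrd at every boot (an extra unlock on the dropbear session) and then stays open as `/dev/mapper/backup` for the whole uptime, although `/var/backup` is `noauto` and is only mounted around the backup job; its encryption at rest therefore protects the archives only while the machine is powered off, and any compromise of the running host can read or wipe them. If the unmount-between-runs separation is intended, unlock this volume outside the initrd — a keyfile entry in `/etc/crypttab` marked `noauto`, or an explicit `cryptsetup open`/`close` around the job — and keep only `root` and `swap` in the initrd list. Separately, the commented-out `psk = "cookies!"` under `networking.wireless.networks` is a literal credential in a tracked file: if it is real it is already in git history, and uncommenting it would also land it in the world-readable Nix store, so keep the actual PSK out of the repository.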
@@ -0,0 +1,66 @@
+{
+ systemdMount,
+ borgArchiveFolder,
+ keepWithin? "14d",
+ keepWeekly? "4",
+ keepMonthly? "6",
+ keepYearly? "-1",
+}:
+
+let pkgs = import{};
+in
+{
+
+ systemd = {
+ services.backup = {
+ description = "Backup of all user data and system configuration with BorgBackup";
+ serviceConfig.Type = "oneshot";
+ path = with pkgs; [ bash borgbackup ];
+ script = ''
+ #!/usr/bin/env bash
+ set -euo pipefail
+ IFS=$'\n\t'
+
+ systemctl start ${systemdMount}
+
+ export BORG_REPO=${borgArchiveFolder} \
+ BORG_BASE_DIR=${borgArchiveFolder}/borg-base-dir
+
+ echo "Backup started at `date`"
+ borg create --exclude /var/backup \
+ --exclude /var/tmp \
+ --exclude /var/cache \
+ $BORG_REPO::{hostname}-{now} \
+ /etc \
+ /home \
+ /root \
+ /var
+
+ sync
+ echo "Backup finished at `date`"
+
+ echo "Backup prune started at `date`"
+ borg prune --prefix '{hostname}-' \
+ --keep-within ${keepWithin} \
+ --keep-weekly ${keepWeekly} \
+ --keep-monthly ${keepMonthly} \
+ --keep-yearly ${keepYearly}
+ sync
+ echo "Backup prune finished at `date`"
+
+ systemctl stop ${systemdMount}
+ '';
+ };
+
+ timers.backup = {
+ description = "Backup Schedule";
+
+ timerConfig = {
+ OnCalendar = "13:37";
+ Persistent = "true";
+ };
+
+ wantedBy = [ "timers.target" ];
+ };
+ };
+}
diff --git a/role/base.nix b/role/base.nix
index c510210..7d4ca94 100644
--- a/role/base.nix
+++ b/role/base.nix
@@ -3,6 +3,9 @@ {
 system.autoUpgrade.enable = true;
+ system.autoUpgrade.allowReboot = true;
+
+ boot.loader.timeout = 2;
 i18n = {
 consoleFont = "Lat2-Terminus16";
@@ -12,8 +15,12 @@ environment.systemPackages = with pkgs; [
 wget curl vim tmux git ncat bind
+ fwupd
 pciutils dmidecode smartmontools parted
 ];
+ services.fwupd.enable = true;
+
+ # Networking
 networking.firewall = {
 allowPing = true;
diff --git a/role/dropbear.nix b/role/dropbear.nix
new file mode 100644
index 0000000..19ab61a
--- /dev/null
+++ b/role/dropbear.nix
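Review bot: A failing `borg create` or `borg prune` aborts the script through `set -euo pipefail` before it reaches `systemctl stop ${systemdMount}`, so on any failed run the backup volume stays mounted and exposed until the next successful run. Register the unmount as an exit trap right after the mount is started, `trap 'systemctl stop ${systemdMount}' EXIT`, and drop the explicit stop at the end so both the success and the failure path release it. Also, `let pkgs = import{};` — presumably `import <nixpkgs> {}` with the angle brackets lost in rendering — evaluates a second nixpkgs from `NIX_PATH` rather than the one the system is built from, so the `borgbackup` in the service `path` can differ from the `pkgs.borgbackup` installed by montalin.nix; returning a module function that takes `pkgs` from its arguments would keep the two in step.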
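Review bot: `system.autoUpgrade.allowReboot = true` lets the scheduled upgrade reboot the host on its own, but montalin.nix, which imports this role, has a LUKS root that is only unlocked through the initrd SSH prompt, so an unattended reboot parks the machine at the passphrase prompt until someone connects on port 2222 — an outage at an unpredictable time. Either leave `allowReboot` off for encrypted hosts and reboot them by hand after reviewing the upgrade, or state the expectation next to the option, e.g. `# NOTE: an upgrade reboot stops at the initrd LUKS prompt; unlock via dropbear on port 2222.` The `fwupd` entry in `systemPackages` is presumably redundant once `services.fwupd.enable = true` installs the package itself, though harmless either way.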
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+{
+ # Note: This implementation currently only allows eth0 (first interface) with dhcp.
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ # this includes the ssh keys of all users in the wheel group,
+ # but you can just specify some keys manually
+ #authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+ hostRSAKey = /boot/dropbear_rsa_host_key;
+ hostECDSAKey = /boot/dropbear_ecdsa_host_key;
+ # Key generation with dropbearkey -t -f
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass' >> /root/.profile
+ '';
+ };
+ boot.kernelParams = ["ip=::::montalin:eth0:dhcp"];
+
+ boot.initrd.postMountCommands = ''
+ ip link set eth0 down
+ '';
+}
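Review bot: `hostRSAKey` and `hostECDSAKey` point at files on `/boot`, the unencrypted vfat ESP from montalin.nix, and the same keys end up inside the initrd stored there too, so anyone who can read that partition — physical access, or every local user if `/boot` is mounted with vfat defaults rather than `fmask=0077`/`dmask=0077` — can take the key and impersonate the pre-boot SSH endpoint to harvest the LUKS passphrase; on some NixOS releases a path literal given here is additionally copied into the world-readable Nix store at build time. That exposure is inherent to initrd SSH, but the file should say so: these keys must be dedicated to the initrd and never the system sshd's host keys, and clients should pin this fingerprint as its own known_hosts entry (port 2222 already keeps it apart from the main sshd). A comment above `hostRSAKey` along the lines of `# Initrd-only keys: they live on the unencrypted ESP and inside the initrd, so assume anyone with access to /boot can read them; never reuse the system sshd host keys here.` would capture that. The `# Key generation with dropbearkey -t -f` line appears to have lost its arguments (presumably key type and output path) in rendering, and the commented `authorizedKeys` expression uses `lib`, which this file's `{ config, pkgs, ... }:` argument set does not bind, so it would not work if simply uncommented.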