diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..c3d8928 --- /dev/null +++ b/flake.lock @@ -0,0 +1,69 @@ +{ + "nodes": { + "naersk": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1650265945, + "narHash": "sha256-SO8+1db4jTOjnwP++29vVgImLIfETSXyoz0FuLkiikE=", + "owner": "nix-community", + "repo": "naersk", + "rev": "e8f9f8d037774becd82fce2781e1abdb7836d7df", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1650610227, + "narHash": "sha256-ofSO6FrMfC8+wmYy6ItxOfXpN0E6sumnQYQCauMjKvM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "692729210d05e0ae2f33edfc072318520dd12666", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1649756291, + "narHash": "sha256-KTll8bCINAzIUGaaMrbn9wb5nfhkXRLgmFrWGR/Dku0=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c2614c4fe61943b3d280ac1892fcebe6e8eaf8c8", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..0e14262 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,28 @@
+{
+ inputs = {
+ nixpkgs.url = github:NixOS/nixpkgs/nixos-21.11;
+
+ sops-nix.url = github:Mic92/sops-nix;
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+ naersk = {
+ url = github:nix-community/naersk;
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+ outputs = { self, nixpkgs, sops-nix, naersk, ... }@inputs:
+ let
+ in {
+ defaultPackage."x86_64-linux" = self.nixosConfigurations.traffic-stop-box.config.system.build.vm;
+
+ nixosConfigurations = {
+ traffic-stop-box = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ ./hosts/traffic-stop-box/configuration.nix
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/traffic-stop-box/configuration.nix b/hosts/traffic-stop-box/configuration.nix
new file mode 100644
index 0000000..c7642c1
--- /dev/null
+++ b/hosts/traffic-stop-box/configuration.nix
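Review bot: In flake.nix, `sops-nix` is declared as an input and locked, but the `modules` list of `traffic-stop-box` holds only `./hosts/traffic-stop-box/configuration.nix`, so the host has no sops options and no secret can be supplied that way. Since modules/base.nix in this same commit sets a literal root password, I would add `sops-nix.nixosModules.sops` to `modules` here, or import it from a module through `inputs`, which `specialArgs` already passes down. As a style point, the bare URL literals such as `github:NixOS/nixpkgs/nixos-21.11` are better written as strings, `nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";`, and the empty `let in` can be dropped.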
@@ -0,0 +1,56 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, inputs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ #./hardware-configuration.nix
+
+ # Enabled modules
+ ../../modules/base.nix
+ ];
+
+ # symlink flake to '/etc/nixos/flake.nix' to make nixos-rebuild pick it by default
+ environment.etc."nixos/flake.nix".source = "/var/src/ascii.coffee/flake.nix";
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "traffic-stop-box"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.eth0.useDHCP = true;
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+}
+
diff --git a/modules/base.nix b/modules/base.nix
new file mode 100644
index 0000000..915ff4b
--- /dev/null
+++ b/modules/base.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, ... }:
+
+{
+ _module.args.buildVM = false;
+
+ # use Nix 2.4 for flakes support
+ nix = {
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "uk";
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keyFiles = [
+ ];
+ };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ atop
+ fish
+ git
+ htop
+ tmux
+ vim_configurable
+ wget
+ git-crypt
+ ];
+
+ users.users.root.password = "wtfwtf";
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.passwordAuthentication = false;
+ programs.mosh.enable = true;
+}
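Review bot: In hosts/traffic-stop-box/configuration.nix, `environment.etc."nixos/flake.nix".source` points at `/var/src/ascii.coffee/flake.nix`, a mutable path outside the Nix store, and the comment above it says `nixos-rebuild` will pick it up by default. Whoever can write under that directory therefore decides what the next rebuild evaluates as root, so the checkout should be root-owned and not group- or world-writable; a comment such as `# /var/src/... must be writable by root only: nixos-rebuild evaluates this flake` would record that. The directory name `ascii.coffee` also looks carried over from another repository (inferred from the name alone) and is worth confirming. With `#./hardware-configuration.nix` commented out, this file declares no file systems, which suits the `system.build.vm` output in flake.nix but presumably not a real install.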
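Review bot: In modules/base.nix, `users.users.root.password = "wtfwtf";` commits a short plaintext root password, and a value set through this option ends up in the world-readable Nix store, so every local user and everyone with repository access can read it. `services.openssh.passwordAuthentication = false;` keeps it off SSH, but it still works on the console and for `su`, and `openssh.authorizedKeys.keyFiles` is empty, so as written the password is the only way to become root. I would replace the line with `users.users.root.passwordFile = config.sops.secrets."root-password".path;` (the secret name is a placeholder; it needs `neededForUsers = true` and the sops-nix module imported), or at minimum a `hashedPassword`, and list at least one key file. As far as I know `programs.mosh.enable = true;` also opens a UDP port range in the firewall, which deserves a comment if intended.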