diff --git a/config/default.nix b/config/default.nix index a3cba1ce..89827a0b 100644 --- a/config/default.nix +++ b/config/default.nix @@ -1,4 +1,4 @@ -{ config, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }: +{ config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }: # this file contains default configuration that may be turned on depending on other config settings. # options should go to modules. @@ -35,6 +35,12 @@ documentation.enable = false; environment = { + etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) { + text = lib.concatMapStrings (ns: '' + nameserver ${ns} + '') config.networking.nameservers; + }; + gnome.excludePackages = with pkgs; with gnome; [ baobab cheese @@ -51,11 +57,14 @@ totem yelp # less webkitgtk's ]; + interactiveShellInit = /* sh */ '' # raise some awareness torwards failed services systemctl --no-pager --failed || true ''; + noXlibs = !config.services.xserver.enable; + systemPackages = with pkgs; [ bmon curl @@ -89,11 +98,19 @@ ]; }; - networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ - # proxy protocol used by public-access-proxy - 8080 - 8443 - ]; + networking = { + firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ + # proxy protocol used by public-access-proxy + 8080 + 8443 + ]; + nameservers = with hostRegistry.dnscache; [ + ip4 + ip6 + "9.9.9.9" + ]; + useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true; + }; nix = { deleteChannels = true; @@ -287,5 +304,15 @@ time.timeZone = lib.mkDefault "Europe/Berlin"; - users.motdFile = ./motd; + users = { + motdFile = ./motd; + users = let + adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys); + in { + # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L23 + nixos = lib.mkIf (config.system.nixos.variant_id == "installer") { openssh.authorizedKeys.keys = adminKeys; }; + + root.openssh.authorizedKeys.keys = adminKeys; + }; + }; } 
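Review bot: The hand-written `environment.etc."resolv.conf"` in the environment hunk carries no comment saying why resolv.conf is produced directly instead of through NixOS's own resolver handling, and the reader has to find the matching `useHostResolvConf` line in a later hunk to understand that the two lines work as a pair. The same `!config.services.resolved.enable` guard is repeated in both places; a `let` binding near the top of the file (for example `manualResolvConf = !config.services.resolved.enable;`) used by both would keep them from drifting apart. A one-line comment on the etc entry would also help, e.g. `# written directly from networking.nameservers; networking.useHostResolvConf below stops it from being replaced`. Only `nameserver` lines are emitted, so any `networking.search` a host sets is presumably not reflected in the file — worth confirming for hosts that rely on a search domain. The enclosing `environment` attribute set starts and ends outside the hunk.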
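Review bot: The `nameservers` list in the networking hunk hard-codes `"9.9.9.9"` as a third entry without a comment, so it is not obvious that this is an intentional plaintext fallback to an external resolver used when the dnscache host (`ip4`/`ip6` from `hostRegistry.dnscache`) is unreachable, nor that it applies to every host that imports this file. A short note would make the choice reviewable later: `# external fallback (unencrypted DNS) for when dnscache is down`. Since this hunk moves the list out of modules/c3d2.nix into the default configuration, any host that previously did not get it presumably now does — confirm that is intended. The `firewall.allowedTCPPorts` part is a pure re-nesting and needs no change.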
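Review bot: The users hunk reads `cfg.sshKeys`, but `cfg` is not among the arguments the new first line of config/default.nix binds (`{ config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }`); unless a `let cfg = config.c3d2; in` exists earlier in the file outside the hunks, evaluation fails with an undefined variable. In modules/c3d2.nix the same expression was evaluated with `cfg = config.c3d2;`, so the intent is presumably `config.c3d2.sshKeys` here. Granting `adminKeys` to `root` on every host that imports this file is also worth a comment at the `root.openssh.authorizedKeys.keys` line, e.g. `# every key in c3d2.sshKeys gets root login on all hosts; relies on PermitRootLogin staying at prohibit-password`, the second half hedged since the sshd settings are not visible in this diff.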
diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 256002db..79683a18 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -1,4 +1,4 @@ -{ zentralwerk, hostRegistry, config, options, lib, pkgs, ... }: +{ zentralwerk, config, lib, pkgs, ... }: let cfg = config.c3d2; @@ -89,29 +89,18 @@ in adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys); in { - users = { - k-ot = lib.mkIf cfg.k-ot.enable { - createHome = true; - isNormalUser = true; - uid = 1000; - extraGroups = [ - "audio" - "video" - "wheel" - ]; - # get by running mkpasswd logged in as the user - hashedPassword = "$y$j9T$AoK/PRviZS4BDJ6jX/Qt6/$FDM/JfANEU7H0RAIuN0DL2hjYujVAVDdI0jgN5wGwB5"; - openssh.authorizedKeys.keys = adminKeys; - }; - - # TODO: change when on 23.05 - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L23 - # nixos = lib.mkIf (config.system.nixos.variant_id == "installer") { openssh.authorizedKeys.keys = adminKeys; }; - # using proxy option to detect iso - # https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/profiles/installation-device.nix#L48 - nixos = lib.mkIf (config.services.getty.autologinUser == "nixos") { openssh.authorizedKeys.keys = adminKeys; }; - - root.openssh.authorizedKeys.keys = adminKeys; + users.k-ot = lib.mkIf cfg.k-ot.enable { + createHome = true; + isNormalUser = true; + uid = 1000; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + # get by running mkpasswd logged in as the user + hashedPassword = "$y$j9T$AoK/PRviZS4BDJ6jX/Qt6/$FDM/JfANEU7H0RAIuN0DL2hjYujVAVDdI0jgN5wGwB5"; + openssh.authorizedKeys.keys = adminKeys; }; }; @@ -138,7 +127,7 @@ in }; secret.mqtt = let - catSecrets = pkgs.writeScript "cat-vector-secrets" '' + catSecrets = pkgs.writeScript "cat-vector-secrets" /* bash */ '' #!${pkgs.runtimeShell} -e echo '{' COMMA=n 
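Review bot: The yescrypt `hashedPassword` for `k-ot` remains a literal in the repository on the new side of the users hunk, and the account is in `wheel`; a committed hash can be guessed offline, so it is worth moving it out of the tree with `hashedPasswordFile` pointing at a deployed secret rather than keeping it inline (the file already has a secret mechanism in the `secret.mqtt` block of the following hunk). The existing `# get by running mkpasswd logged in as the user` comment would then describe how to produce the file's content instead. The first hunk also drops `hostRegistry` and `options` from the module arguments; dropping `options` looks fine from what is visible, but confirm nothing outside the shown hunks still references it. The enclosing `users` attribute set starts and ends outside the hunk.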
@@ -185,28 +174,11 @@ in }]; }; - networking = { - interfaces = lib.mkIf (cfg.hq.interface != null) { - "${cfg.hq.interface}".ipv6.addresses = [{ - address = toHqPrivateAddress config.networking.hostName; - prefixLength = 64; - }]; - }; - - nameservers = with hostRegistry.dnscache; [ - ip4 - ip6 - "9.9.9.9" - ]; - useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true; - }; - - environment.etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) { - text = lib.concatMapStrings - (ns: '' - nameserver ${ns} - '') - config.networking.nameservers; + networking.interfaces = lib.mkIf (cfg.hq.interface != null) { + "${cfg.hq.interface}".ipv6.addresses = [{ + address = toHqPrivateAddress config.networking.hostName; + prefixLength = 64; + }]; }; }; }