diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix
index bc47e39..aa09040 100644
--- a/nix/pkgs/default.nix
+++ b/nix/pkgs/default.nix
@@ -77,68 +77,17 @@ let
       '') (builtins.attrValues rootfs-packages)}
     '';
 
+  openwrt = import ./openwrt { inherit self nixpkgs system openwrt-imagebuilder; };
+
   openwrt-images = builtins.foldl' (images: hostName:
     let
-      inherit (config.site.hosts.${hostName}) model;
-      matches = (openwrt-imagebuilder.lib.profiles {
-        inherit pkgs;
-      }).identifyProfiles model;
-      fallbackProfile =
-        if model == "dir-615-d"
-        then (openwrt-imagebuilder.lib.profiles {
-          inherit pkgs;
-          release = "19.07.10";
-        }).identifyProfile model
-        else if builtins.match "tl-wr.*" model != null
-        then {
-          release = "18.06.9";
-          packagesArch = "mips_24kc";
-          target = "ar71xx";
-          variant = "tiny";
-          profile = model;
-          sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
-          feedsSha256 = {
-            base = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
-            packages = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
-          };
-        }
-        else null;
-      build = args:
-        openwrt-imagebuilder.lib.build (args // {
-          extraImageName = "zw-${hostName}";
-          packages = [
-            # remove unused default .ipk
-            "-dnsmasq" "-ppp" "-ppp-mod-pppoe" "-odhcp6c" "-odhcpd-ipv6only"
-            # debugging
-            "tcpdump"
-            # monitoring
-            "collectd" "collectd-mod-interface" "collectd-mod-load"
-            "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
-          ];
-          disabledServices = [ "dnsmasq" "uhttpd" ];
-          # TODO: files
-        });
+      image = openwrt.buildImage hostName;
     in
-      if matches == [] && fallbackProfile != null
+      if image != null
       then images // {
-        "${hostName}-image" = build fallbackProfile;
+        "${hostName}-image" = image;
       }
-      else if matches == []
-      then builtins.trace "${hostName} (${model}) not supported by OpenWRT"
-        images
-      else if builtins.length matches == 1
-      then
-        images // {
-          "${hostName}-image" = build (
-            builtins.elemAt matches 0
-          );
-        }
-      else builtins.trace "${hostName} (${model}) has multiple models!"
-        images // {
-          "${hostName}-image" = build (
-            builtins.elemAt matches 0
-          );
-        }
+      else images
   ) {} (
     builtins.attrNames (
       nixpkgs.lib.filterAttrs (_: { role, ... }: role == "ap")
@@ -147,7 +96,7 @@ let
   );
 
   device-templates = import ./device-templates.nix {
-    inherit self nixpkgs system;
+    inherit self nixpkgs system openwrt;
   };
 
   dns-slaves = import ./dns-slaves.nix {
diff --git a/nix/pkgs/device-templates.nix b/nix/pkgs/device-templates.nix
index 53c8a0c..b5bab6e 100644
--- a/nix/pkgs/device-templates.nix
+++ b/nix/pkgs/device-templates.nix
@@ -1,4 +1,4 @@
-{ self, nixpkgs, system }:
+{ self, nixpkgs, system, openwrt }:
 with nixpkgs.lib;
 let
   pkgs = nixpkgs.legacyPackages.${system};
@@ -12,7 +12,7 @@ let
             inherit self hostName config hostConfig pkgs;
           };
         in {
-          ap = import ./ap.nix args;
+          ap = openwrt.sshScript hostName;
           switch = import (./switches + "/${model}.nix")
             (args //
              import ./switches/shared.nix args
diff --git a/nix/pkgs/openwrt/default.nix b/nix/pkgs/openwrt/default.nix
new file mode 100644
index 000000000..134be91
--- /dev/null
+++ b/nix/pkgs/openwrt/default.nix
@@ -0,0 +1,86 @@
+{ self, nixpkgs, system, openwrt-imagebuilder }:
+
+let
+  inherit (self.lib) config;
+  pkgs = nixpkgs.legacyPackages.${system};
+  uciConfig = hostName: import ./uci-config.nix { inherit self pkgs hostName; };
+in  
+{
+  sshScript = hostName: ''
+    #! ${pkgs.runtimeShell} -e
+
+    ${if config.site.hosts.${hostName}.firstboot
+      then ''
+        ssh-keygen -R 192.168.1.1
+        ssh root@192.168.1.1 \
+          "ash -e -x" <<__SSH__
+      '' else ''
+        ssh root@${config.site.net.mgmt.hosts4.${hostName}} \
+          "ash -e -x" <<__SSH__
+        ${uciConfig hostName}
+        __SSH__
+
+        echo "Base configuration done \\o/"
+        echo "Later run: ap_install_collectd.sh ${config.site.net.mgmt.hosts4.${hostName}}"
+      ''}
+  '';
+
+  buildImage = hostName:
+    let
+      inherit (config.site.hosts.${hostName}) model;
+      matches = (openwrt-imagebuilder.lib.profiles {
+        inherit pkgs;
+      }).identifyProfiles model;
+      fallbackProfile =
+        if model == "dir-615-d"
+        then (openwrt-imagebuilder.lib.profiles {
+          inherit pkgs;
+          release = "19.07.10";
+        }).identifyProfile model
+        else if builtins.match "tl-wr.*" model != null
+        then {
+          release = "18.06.9";
+          packagesArch = "mips_24kc";
+          target = "ar71xx";
+          variant = "tiny";
+          profile = model;
+          sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
+          feedsSha256 = {
+            base = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
+            packages = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
+          };
+        }
+        else null;
+      build = args:
+        openwrt-imagebuilder.lib.build (args // {
+          extraImageName = "zw-${hostName}";
+          packages = [
+            # remove unused default .ipk
+            "-dnsmasq" "-ppp" "-ppp-mod-pppoe" "-odhcp6c" "-odhcpd-ipv6only"
+            # debugging
+            "tcpdump"
+            # monitoring
+            "collectd" "collectd-mod-interface" "collectd-mod-load"
+            "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
+          ];
+          disabledServices = [ "dnsmasq" "uhttpd" ];
+          files = pkgs.runCommandNoCC "image-files" {} ''
+            mkdir -p $out/etc/uci-defaults
+            cat > $out/etc/uci-defaults/99-zentralwerk <<EOF
+            ${uciConfig hostName}
+            EOF
+          '';
+        });
+    in
+      if matches == [] && fallbackProfile != null
+      then build fallbackProfile
+      else if matches == []
+      then builtins.trace "${hostName} (${model}) not supported by OpenWRT"
+        null
+      else if builtins.length matches == 1
+      then build (builtins.elemAt matches 0)
+      else builtins.trace "${hostName} (${model}) has multiple models!" (
+        build (builtins.elemAt matches 0)
+      );
+
+}
diff --git a/nix/pkgs/ap.nix b/nix/pkgs/openwrt/uci-config.nix
similarity index 88%
rename from nix/pkgs/ap.nix
rename to nix/pkgs/openwrt/uci-config.nix
index 11a49a5..7c62354 100644
--- a/nix/pkgs/ap.nix
+++ b/nix/pkgs/openwrt/uci-config.nix
@@ -1,7 +1,10 @@
-{ self, pkgs, hostName, config, hostConfig, ... }:
+{ self, pkgs, hostName }:
 with pkgs;
 with lib;
 let
+  inherit (self.lib) config;
+  hostConfig = config.site.hosts.${hostName};
+
   ports = self.lib.getOpenwrtPorts hostConfig.model;
 
   uciDeleteAll = key: ''
@@ -26,7 +29,7 @@ let
                 then port.index
                 else if port ? interface
                 then port.interface
-                else "How to identify port ${lib.generators.toPretty {} port}?";
+                else "How to identify port ${generators.toPretty {} port}?";
         in result // {
           "${key}" = port;
         }
@@ -38,7 +41,7 @@ let
           then portByIndex.${index}.port
           else if portByIndex.${index} ? interface
           then portByIndex.${index}.interface
-          else throw "${hostName}: What is port ${lib.generators.toPretty {} portByIndex.${index}.port}?"
+          else throw "${hostName}: What is port ${generators.toPretty {} portByIndex.${index}.port}?"
         }"
       ) (
         builtins.sort builtins.lessThan (
@@ -118,7 +121,7 @@ let
             else []
           ) (builtins.attrValues openwrtModel.ports)
           ++
-          lib.optionals (hostConfig.interfaces ? ${port} && vlan != null) [ "${port}.${toString vlan}" ]
+          optionals (hostConfig.interfaces ? ${port} && vlan != null) [ "${port}.${toString vlan}" ]
         ) ports
       ) (
         builtins.attrValues (
@@ -129,19 +132,8 @@ let
       )
     );
 
-in ''
-  #! ${pkgs.runtimeShell} -e
-
-  ${if hostConfig.firstboot
-    then ''
-      ssh-keygen -R 192.168.1.1
-      ssh root@192.168.1.1 \
-        "ash -e -x" <<__SSH__
-    '' else ''
-      ssh root@${config.site.net.mgmt.hosts4.${hostName}} \
-        "ash -e -x" <<__SSH__
-    ''}
-
+in
+''
   # Set root password
   echo -e '${hostConfig.password}\n${hostConfig.password}' | passwd
 
@@ -186,11 +178,11 @@ in ''
   uci set network.mgmt=interface
   uci set network.mgmt.ifname='${
     if builtins.length (networkInterfaces "mgmt") > 0
-    then lib.concatStringsSep " " (networkInterfaces "mgmt")
+    then concatStringsSep " " (networkInterfaces "mgmt")
     else throw "${hostName}: No interface for mgmt"
   }'
   uci set network.mgmt.proto=static
-  ${lib.optionalString (hostConfig.interfaces.mgmt.type == "bridge") ''
+  ${optionalString (hostConfig.interfaces.mgmt.type == "bridge") ''
     uci set network.mgmt.type=bridge
   ''}
   uci set network.mgmt.ipaddr=${config.site.net.mgmt.hosts4.${hostName}}
@@ -205,7 +197,7 @@ in ''
   uci -q delete network.globals.ula_prefix || true
   # delete unused networks
   ${concatMapStrings (net:
-    lib.optionalString (! hostConfig.interfaces ? ${net}) ''
+    optionalString (! hostConfig.interfaces ? ${net}) ''
       uci -q delete network.${net} || true
     ''
   ) ([ "lan" "wan" "wan6" ] ++ builtins.attrNames config.site.net)}
@@ -216,22 +208,22 @@ in ''
       iface = hostConfig.interfaces.${net};
     in optionalString (net != "mgmt" && builtins.elem iface.type ["bridge" "phys"]) ''
       uci set network.${net}=interface
-      ${lib.optionalString (iface.type == "bridge") ''
+      ${optionalString (iface.type == "bridge") ''
         uci set network.${net}.type=bridge
       ''}
       uci set network.${net}.proto=static
       uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
-      ${lib.optionalString (config.site.net.${net}.mtu != null) ''
+      ${optionalString (config.site.net.${net}.mtu != null) ''
         uci set network.${net}.mtu=${toString config.site.net.${net}.mtu}
       ''}
 
 
-      ${lib.optionalString (config.site.net.${net}.hosts4 ? ${hostName}) ''
+      ${optionalString (config.site.net.${net}.hosts4 ? ${hostName}) ''
         # address in net
         uci set network.${net}.ipaddr=${config.site.net.${net}.hosts4.${hostName}}
         uci set network.${net}.netmask=${self.lib.netmasks.${toString config.site.net.${net}.subnet4Len}}
       ''}
-      ${lib.concatMapStrings (hosts6: lib.optionalString (hosts6 ? ${hostName}) ''
+      ${concatMapStrings (hosts6: optionalString (hosts6 ? ${hostName}) ''
         uci set network.${net}.ip6addr=${hosts6.${hostName}}/64
       '') (builtins.attrValues config.site.net.${net}.hosts6)}
     '') (builtins.attrNames hostConfig.interfaces)
@@ -298,7 +290,7 @@ in ''
 
   uci commit
 
-  ${lib.optionalString hostConfig.wifiOnLink.enable ''
+  ${optionalString hostConfig.wifiOnLink.enable ''
     # Cronjob that makes sure WiFi is only visible when server with all
     # the gateways is reachable
     cat >/etc/crontabs/root <<__CRON__
@@ -338,10 +330,4 @@ in ''
     rm -f /etc/rc.d/*\$svc
     /etc/init.d/\$svc stop || true
   done
-
-  ${lib.optionalString hostConfig.firstboot "reboot"}
-  __SSH__
-
-  echo "Base configuration done \\o/"
-  echo "Later run: ap_install_collectd.sh ${config.site.net.mgmt.hosts4.${hostName}}"
 ''