diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
new file mode 100644
index 0000000..43a86aa
--- /dev/null
+++ b/nixos/roles/admins.nix
@@ -0,0 +1,30 @@
+{lib, ...} :
+with lib;
+
+let
+  admins = {
+    nerf = {
+      hashedPassword =
+        "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
+        keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
+        ];
+    };
+  };
+
+  mkAdmin = name :
+  {hashedPassword, keys}: {
+    "${name}" = {
+      isNormalUser = true;
+      createHome = true;
+      extraGroups = [ "wheel" ];
+      group = "users";
+      home = "/home/${name}";
+      openssh.authorizedKeys = { inherit keys; };
+      inherit hashedPassword;
+    };
+  };
+
+in {
+  users.users = mkMerge (mapAttrsToList mkAdmin admins);
+}
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 3c24242..7296a1d 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -1,4 +1,56 @@
-{ ... } : {
+{pkgs, config, lib, modulesPath, ...} : {
+
+imports = [
+  ./admins.nix
+  ./nix_keys.nix
+  (modulesPath + "/virtualisation/xen-domU.nix")
+  ];
+nix = {
+  extraOptions = ''
+    experimental-features = nix-command flakes
+    builders-use-substitutes = true
+  '';
+};
+
+networking = {
+  firewall = { # these shoud be default, but better make sure!
+    enable = true;
+    allowPing = true;
+  };
+  nftables.enable = true;
+  useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
+  # hosts = # TODO write something to autogenerate ip adresses!
+};
+
+users = {
+  mutableUsers = false;
+  users.root.hashedPassword = "!";
+};
 
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+environment = {
+  systemPackages = builtins.attrValues {
+    inherit (pkgs)
+      htop lsof tmux btop;
+  };
+};
+
+services = {
+  journald.extraConfig = "SystemMaxUse=5G";
+
+  nginx = {
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+};
 }
diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix
new file mode 100644
index 0000000..85c7835
--- /dev/null
+++ b/nixos/roles/nix_keys.nix
@@ -0,0 +1,6 @@
+{
+  imports = [ ];
+  nix.settings.trusted-public-keys = [
+    "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
+  ];
+}