diff --git a/nixos-setup/c1-hardware.nix b/nixos-setup/c1-hardware.nix
new file mode 100644
index 0000000..c748107
--- /dev/null
+++ b/nixos-setup/c1-hardware.nix
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/7fa539a0-6c91-49ec-9df2-e81708a07662";
+
+ fileSystems."/persist" =
+ { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2";
+ fsType = "btrfs";
+ options = [ "subvol=persist" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/var/log" =
+ { device = "/dev/disk/by-uuid/42e95613-29c2-4a47-a3cc-3627f18fdec2";
+ fsType = "btrfs";
+ options = [ "subvol=log" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/D8C2-9216";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos-setup/c2-hardware.nix b/nixos-setup/c2-hardware.nix
new file mode 100644
index 0000000..5e3b959
--- /dev/null
+++ b/nixos-setup/c2-hardware.nix
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/2d595dde-975b-498a-acb5-2e22751d3cea";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/03ee7c3b-19d5-491d-bc2e-3b0681e6506f";
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/2d595dde-975b-498a-acb5-2e22751d3cea";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/persist" =
+ { device = "/dev/disk/by-uuid/2d595dde-975b-498a-acb5-2e22751d3cea";
+ fsType = "btrfs";
+ options = [ "subvol=persist" ];
+ };
+
+ fileSystems."/var/log" =
+ { device = "/dev/disk/by-uuid/2d595dde-975b-498a-acb5-2e22751d3cea";
+ fsType = "btrfs";
+ options = [ "subvol=log" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/B543-374F";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos-setup/c3-hardware.nix b/nixos-setup/c3-hardware.nix
new file mode 100644
index 0000000..aebf78d
--- /dev/null
+++ b/nixos-setup/c3-hardware.nix
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/2b96989f-cec5-40bd-afa8-e5ca0b8f30e9";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/c4a43a18-b480-43ed-87f2-f78a50f03976";
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/2b96989f-cec5-40bd-afa8-e5ca0b8f30e9";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/persist" =
+ { device = "/dev/disk/by-uuid/2b96989f-cec5-40bd-afa8-e5ca0b8f30e9";
+ fsType = "btrfs";
+ options = [ "subvol=persist" ];
+ };
+
+ fileSystems."/var/log" =
+ { device = "/dev/disk/by-uuid/2b96989f-cec5-40bd-afa8-e5ca0b8f30e9";
+ fsType = "btrfs";
+ options = [ "subvol=log" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/3051-C478";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos-setup/configuration.nix b/nixos-setup/configuration.nix
new file mode 100644
index 0000000..ee93662
--- /dev/null
+++ b/nixos-setup/configuration.nix
@@ -0,0 +1,155 @@
+{ config, pkgs, ... }:
+
+let
+ impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in
+{
+ imports =
+ [
+ "${impermanence}/nixos.nix"
+ ./hardware-configuration.nix
+ ];
+
+ networking.hostName = "c1";
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.settings.trusted-users = [ "root" "@wheel" ];
+
+ boot.initrd.kernelModules = [ "usb_storage" ];
+ boot.initrd.luks.devices."luksroot" = {
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ keyFileSize = 4096;
+ keyFile = "/dev/sda";
+ };
+
+ swapDevices = pkgs.lib.mkForce [ {
+ device = "/dev/disk/by-id/nvme-eui.002538b981b03d98-part2";
+ randomEncryption.enable = true;
+ }];
+
+ fileSystems."/".options = ["compress=zstd" "noatime" ];
+ fileSystems."/nix".options = ["compress=zstd" "noatime" ];
+ fileSystems."/persist".options = ["compress=zstd" "noatime" ];
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/var/log".options = ["compress=zstd" "noatime" ];
+ fileSystems."/var/log".neededForBoot = true;
+
+ # reset / at each boot
+ # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
+ boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -p /mnt
+
+ # We first mount the btrfs root to /mnt
+ # so we can manipulate btrfs subvolumes.
+ mount -o subvol=/ /dev/mapper/luksroot /mnt
+
+ # While we're tempted to just delete /root and create
+ # a new snapshot from /root-blank, /root is already
+ # populated at this point with a number of subvolumes,
+ # which makes `btrfs subvolume delete` fail.
+ # So, we remove them first.
+ #
+ # /root contains subvolumes:
+ # - /root/var/lib/portables
+ # - /root/var/lib/machines
+ #
+ # I suspect these are related to systemd-nspawn, but
+ # since I don't use it I'm not 100% sure.
+ # Anyhow, deleting these subvolumes hasn't resulted
+ # in any issues so far, except for fairly
+ # benign-looking errors from systemd-tmpfiles.
+ btrfs subvolume list -o /mnt/root |
+ cut -f9 -d' ' |
+ while read subvolume; do
+ echo "deleting /$subvolume subvolume..."
+ btrfs subvolume delete "/mnt/$subvolume"
+ done &&
+ echo "deleting /root subvolume..." &&
+ btrfs subvolume delete /mnt/root
+
+ echo "restoring blank /root subvolume..."
+ btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ # Once we're done rolling back to a blank snapshot,
+ # we can unmount /mnt and continue on the boot process.
+ umount /mnt
+ '';
+
+ # configure impermanence
+ environment.persistence."/persist" = {
+ directories = [
+ "/etc/nixos"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ };
+
+ security.sudo = {
+ extraConfig = ''
+ # rollback results in sudo lectures after each reboot
+ Defaults lecture = never
+ '';
+ wheelNeedsPassword = false;
+ };
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.networkmanager.enable = true;
+
+ time.timeZone = "Europe/Lisbon";
+
+ users.mutableUsers = false;
+ users.users.ppetru = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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 petru@paler.net" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ extraConfig = ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ allowedUDPPorts = [ ];
+ };
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
+
diff --git a/nixos-setup/fs-diff.sh b/nixos-setup/fs-diff.sh
new file mode 100755
index 0000000..1ee1884
--- /dev/null
+++ b/nixos-setup/fs-diff.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# fs-diff.sh
+set -euo pipefail
+
+mkdir -p /mnt/root-blank
+mount -o subvol=root-blank /dev/mapper/luksroot /mnt/root-blank
+OLD_TRANSID=$(btrfs subvolume find-new /mnt/root-blank 9999999)
+OLD_TRANSID=${OLD_TRANSID#transid marker was }
+
+sudo btrfs subvolume find-new / "$OLD_TRANSID" |
+sed '$d' |
+cut -f17- -d' ' |
+sort |
+uniq |
+while read path; do
+ path="/$path"
+ if [ -L "$path" ]; then
+ : # The path is a symbolic link, so is probably handled by NixOS already
+ elif [ -d "$path" ]; then
+ : # The path is a directory, ignore
+ else
+ echo "$path"
+ fi
+done
+
+umount /mnt/root-blank
diff --git a/nixos-setup/keys/c1.key b/nixos-setup/keys/c1.key
new file mode 100644
index 0000000..8ae583d
Binary files /dev/null and b/nixos-setup/keys/c1.key differ
diff --git a/nixos-setup/keys/c2.key b/nixos-setup/keys/c2.key
new file mode 100644
index 0000000..0d162c7
Binary files /dev/null and b/nixos-setup/keys/c2.key differ
diff --git a/nixos-setup/keys/c3.key b/nixos-setup/keys/c3.key
new file mode 100644
index 0000000..14eec7c
Binary files /dev/null and b/nixos-setup/keys/c3.key differ
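Review bot: `impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"` in the `let` block pulls whatever `master` happens to be at evaluation time into the system closure with no integrity check, so the module that manages `/persist` and the persisted SSH host keys is neither pinned nor verified; use the attribute-set form with a pinned revision and hash, `impermanence = builtins.fetchTarball { url = "https://github.com/nix-community/impermanence/archive/<PINNED-COMMIT>.tar.gz"; sha256 = "<HASH-OF-PINNED-TARBALL>"; };`. In the `luksroot` block, `keyFile = "/dev/sda"` names the key stick by kernel enumeration order, while setup.sh in this same commit addresses that stick as `/dev/disk/by-id/usb-Intenso_...`; any other disk that enumerates first at boot is read as the key instead, so the stable by-id path should be used here as well. The file also hard-codes `networking.hostName = "c1"` and a c1-specific NVMe partition under `swapDevices`, although c2-hardware.nix and c3-hardware.nix are added alongside it, so presumably it cannot be installed on those hosts unmodified.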
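Review bot: The `mount -o subvol=root-blank ... /mnt/root-blank` near the top is never undone when a later step fails, because `set -euo pipefail` aborts the script before the trailing `umount /mnt/root-blank`, leaving the blank snapshot mounted; register the cleanup right after the mount with `trap 'umount /mnt/root-blank' EXIT` and drop the final line. `while read path; do` should be `while IFS= read -r path; do` so that backslashes and leading whitespace in file names reach the `[ -L ]` / `[ -d ]` tests unaltered. The `sudo` on `btrfs subvolume find-new /` is inconsistent with the unprivileged `mount` and `find-new /mnt/root-blank` above it, which already require the whole script to run as root.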
diff --git a/nixos-setup/setup.sh b/nixos-setup/setup.sh
new file mode 100755
index 0000000..2ee9b96
--- /dev/null
+++ b/nixos-setup/setup.sh
@@ -0,0 +1,56 @@
+DISK=/dev/disk/by-id/nvme-eui.002538b981b03d98
+KEY_DISK=/dev/disk/by-id/usb-Intenso_Micro_Line_22080777640496-0:0
+
+parted "$DISK" -- mklabel gpt
+
+parted -a optimal "$DISK" -- mkpart primary 512MiB -8GB
+udevadm trigger
+sleep 1
+cryptsetup -v --keyfile-size 4096 luksFormat "$DISK"-part1 $KEY_DISK
+cryptsetup open --key-file $KEY_DISK --keyfile-size 4096 "$DISK"-part1 luksroot
+mkfs.btrfs -f -L btrfs /dev/mapper/luksroot
+
+parted -a optimal "$DISK" -- mkpart primary linux-swap -8GB 100%
+
+parted -a optimal "$DISK" -- mkpart ESP fat32 1MB 512MiB
+parted "$DISK" -- set 3 esp on
+udevadm trigger
+sleep 1
+mkfs.vfat "$DISK"-part3
+
+mount /dev/mapper/luksroot /mnt
+btrfs subvolume create /mnt/root
+btrfs subvolume create /mnt/nix
+btrfs subvolume create /mnt/persist
+btrfs subvolume create /mnt/log
+btrfs subvolume snapshot -r /mnt/root /mnt/root-blank
+umount /mnt
+
+mount -o subvol=root,compress=zstd,noatime /dev/mapper/luksroot /mnt
+
+mkdir /mnt/nix
+mount -o subvol=nix,compress=zstd,noatime /dev/mapper/luksroot /mnt/nix
+
+mkdir /mnt/persist
+mount -o subvol=persist,compress=zstd,noatime /dev/mapper/luksroot /mnt/persist
+
+mkdir -p /mnt/var/log
+mount -o subvol=log,compress=zstd,noatime /dev/mapper/luksroot /mnt/var/log
+
+mkdir /mnt/boot
+mount "$DISK"-part3 /mnt/boot
+
+nixos-generate-config --root /mnt
+
+# only enable here so that it doesn't get included in hardware-configuration.nix
+mkswap -L swap "$DISK"-part2
+swapon "$DISK"-part2
+
+cp configuration.nix /mnt/etc/nixos
+
+nixos-install
+
+cp /mnt/etc/nixos/* /mnt/persist/etc/nixos
+
+echo "done!"
+
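Review bot: The script has no shebang and no `set -euo pipefail`, so if `cryptsetup open` or `mount /dev/mapper/luksroot /mnt` fails, every later line still runs — `btrfs subvolume create /mnt/root`, `mkdir /mnt/nix` and the subsequent mounts then act on the running system's own `/mnt`, and `nixos-install` is still attempted; add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines. The `udevadm trigger` / `sleep 1` pairs before `cryptsetup luksFormat` and `mkfs.vfat` are a timing guess; `udevadm settle` waits until the new partition nodes actually exist. `$KEY_DISK` is unquoted on both `cryptsetup` lines while `$DISK` is quoted everywhere else. The same commit adds `keys/c1.key`, `keys/c2.key` and `keys/c3.key` as binaries; if those are the 4096-byte key material that `luksFormat` reads from `$KEY_DISK`, they are the disk-unlock secrets for the three hosts and should not be committed in the clear, which this change does not address.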