diff --git a/hardware/pilot1.nix b/hardware/pilot1.nix new file mode 100644 index 0000000..aaa9e84 --- /dev/null +++ b/hardware/pilot1.nix @@ -0,0 +1,36 @@ +{ + config, + lib, + pkgs, + ... +}: + +{ + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/155b5acf-a0f8-4615-ae03-43a5c193f772"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/31C7-CBD1"; + fsType = "vfat"; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/397a1a92-596f-421b-99e1-c9b2cb821309"; } ]; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/home/git.nix b/home/git.nix index 12e7e2e..0a86f50 100644 --- a/home/git.nix +++ b/home/git.nix @@ -17,9 +17,9 @@ }; work = { name = "Felix Schröter"; - email = "felix.schroeter@cmdscale.com"; + email = "fs@upsquared.com"; # use sign subkey's fingerprint: gpg2 -K --with-subkey-fingerprint - signingKey = "5A9D CC6B F70A C69B B0D7 C755 A3A2 2573 CA6D 0E38"; + signingKey = "16F6 4623 8B1C 80C4 6267 6FF9 4D13 24C5 006E 9B2E"; dirs = [ "~/dev/work/" ]; }; }; diff --git a/hosts/doctr/default.nix b/hosts/doctr.nix similarity index 100% rename from hosts/doctr/default.nix rename to hosts/doctr.nix diff --git a/hosts/flake-module.nix b/hosts/flake-module.nix index 70607e7..218e42f 100644 --- a/hosts/flake-module.nix +++ b/hosts/flake-module.nix @@ -12,7 +12,7 @@ inputs.nixos-hardware.nixosModules.common-gpu-amd (self.lib.createSystemModule "home-pc" { hardwareConfig = ../hardware/home-pc.nix; - config = ../hosts/home-pc/default.nix; + config = ../hosts/home-pc.nix; }) self.lib.createMediaGroup (self.lib.createUserModule "felschr" { 
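Review bot: The `swapDevices` entry in hardware/pilot1.nix points at a plain `/dev/disk/by-uuid/…` device, and nothing in this file shows whether that device sits inside the LUKS container that hosts/work-pc.nix opens as `enc`. If it is a separate partition, swapped-out pages (and any hibernation image) are written to disk unencrypted, which undercuts the disk encryption on this machine. The `dm-snapshot` initrd module suggests LVM, so if swap is a logical volume on top of `enc`, a comment such as `# swap LV lives inside the LUKS-backed volume group` would settle it. Otherwise add `randomEncryption.enable = true;` to the swap entry and reference the partition by a stable partition path rather than a filesystem UUID, since the swap signature is recreated on every boot.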
@@ -40,6 +40,31 @@ inherit inputs; }; }; + pilot1 = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + inputs.nixpkgs.nixosModules.notDetected + inputs.nixos-hardware.nixosModules.common-pc + inputs.nixos-hardware.nixosModules.common-pc-ssd + inputs.nixos-hardware.nixosModules.common-cpu-intel + (self.lib.createSystemModule "pilot1" { + hardwareConfig = ../hardware/pilot1.nix; + config = ../hosts/work-pc.nix; + }) + (self.lib.createUserModule "felschr" { + homeModule = self.homeModules.felschr-work; + user.extraGroups = [ + "wheel" + "audio" + "disk" + ]; + usesContainers = true; + }) + ]; + specialArgs = { + inherit inputs; + }; + }; home-server = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ @@ -51,7 +76,7 @@ inputs.matrix-appservices.nixosModule (self.lib.createSystemModule "home-server" { hardwareConfig = ../hardware/lattepanda.nix; - config = ../hosts/home-server/default.nix; + config = ../hosts/home-server.nix; }) self.lib.createMediaGroup (self.lib.createUserModule "felschr" { diff --git a/hosts/home-pc/default.nix b/hosts/home-pc.nix similarity index 65% rename from hosts/home-pc/default.nix rename to hosts/home-pc.nix index 7ff949f..2458661 100644 --- a/hosts/home-pc/default.nix +++ b/hosts/home-pc.nix 
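Review bot: In the new `pilot1` system, `user.extraGroups` puts `felschr` in the `disk` group, which gives that account raw read/write access to block devices and so a way around file permissions that never passes through sudo. With `wheel` already granted and `usesContainers = true` on the same account, I would drop `"disk"` unless a specific tool needs it, or state the reason inline, e.g. `"disk" # raw block-device access, needed for <tool>`. How `createUserModule` consumes `user.extraGroups` is not visible in this hunk, so this assumes the list is passed through to the user's group membership unchanged.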
@@ -2,24 +2,24 @@ { imports = [ - ../../hardware/base.nix - ../../hardware/bluetooth.nix - ../../hardware/xbox.nix - ../../hardware/steam.nix - ../../hardware/ledger.nix - ../../system/desktop.nix - ../../system/printing/home.nix - ../../system/gaming.nix - ../../desktop - ../../desktop/cosmic.nix - ../../virtualisation/containers.nix - ../../virtualisation/podman.nix - ../../virtualisation/libvirt.nix - ../../modules/systemdNotify.nix - ../../services/samba/home-pc.nix - ../../services/restic/home-pc.nix - ../../services/pcscd.nix - ../../services/open-webui.nix + ../hardware/base.nix + ../hardware/bluetooth.nix + ../hardware/xbox.nix + ../hardware/steam.nix + ../hardware/ledger.nix + ../system/desktop.nix + ../system/printing/home.nix + ../system/gaming.nix + ../desktop + ../desktop/cosmic.nix + ../virtualisation/containers.nix + ../virtualisation/podman.nix + ../virtualisation/libvirt.nix + ../modules/systemdNotify.nix + ../services/samba/home-pc.nix + ../services/restic/home-pc.nix + ../services/pcscd.nix + ../services/open-webui.nix ]; nixpkgs.config.allowUnfree = true; diff --git a/hosts/home-server/default.nix b/hosts/home-server.nix similarity index 81% rename from hosts/home-server/default.nix rename to hosts/home-server.nix index f9ab5e8..9f25161 100644 --- a/hosts/home-server/default.nix +++ b/hosts/home-server.nix 
@@ -18,33 +18,33 @@ let in { imports = [ - ../../hardware/base.nix - ../../desktop/x11.nix - ../../system/server.nix - ../../virtualisation/containers.nix - ../../virtualisation/podman.nix - ../../modules/inadyn.nix - ../../modules/systemdNotify.nix - ../../services/postgres - ../../services/mail.nix - ../../services/lldap.nix - ../../services/authelia.nix - ../../services/forgejo - ../../services/restic/home-server.nix - ../../services/samba/home-server.nix - # ../../services/kodi.nix - ../../services/jellyfin.nix - ../../services/etebase.nix - ../../services/website.nix - ../../services/wkd.nix - ../../services/home-assistant - ../../services/matrix - ../../services/immich.nix - ../../services/miniflux.nix - ../../services/paperless.nix - ../../services/nextcloud.nix - ../../services/collabora-office.nix - ../../services/calibre-web.nix + ../hardware/base.nix + ../desktop/x11.nix + ../system/server.nix + ../virtualisation/containers.nix + ../virtualisation/podman.nix + ../modules/inadyn.nix + ../modules/systemdNotify.nix + ../services/postgres + ../services/mail.nix + ../services/lldap.nix + ../services/authelia.nix + ../services/forgejo + ../services/restic/home-server.nix + ../services/samba/home-server.nix + # ../services/kodi.nix + ../services/jellyfin.nix + ../services/etebase.nix + ../services/website.nix + ../services/wkd.nix + ../services/home-assistant + ../services/matrix + ../services/immich.nix + ../services/miniflux.nix + ../services/paperless.nix + ../services/nextcloud.nix + ../services/collabora-office.nix + ../services/calibre-web.nix ]; age.secrets.cloudflare.file = ../secrets/cloudflare.age; diff --git a/hosts/penguin/default.nix b/hosts/penguin.nix similarity index 89% rename from hosts/penguin/default.nix rename to hosts/penguin.nix index 849a79f..1c800f5 100644 --- a/hosts/penguin/default.nix +++ b/hosts/penguin.nix @@ -13,7 +13,6 @@ hostname = "penguin"; timezone = "Europe/Berlin"; ipaddr = "192.168.0.1"; - packages = [ "ds-lite" ]; }; }; } 
diff --git a/hosts/work-pc.nix b/hosts/work-pc.nix new file mode 100644 index 0000000..983f6a7 --- /dev/null +++ b/hosts/work-pc.nix @@ -0,0 +1,42 @@ +{ ... }: + +{ + imports = [ + ../hardware/base.nix + ../hardware/bluetooth.nix + ../system/desktop.nix + ../system/printing/home.nix + ../desktop + ../virtualisation/containers.nix + ../virtualisation/podman.nix + ]; + + # replace with regenerated hardware-configuration.nix + boot.initrd.luks.devices = { + enc = { + device = "/dev/disk/by-partlabel/nixos"; + allowDiscards = true; + }; + }; + + nixpkgs.config.allowUnfree = true; + + hardware.logitech.wireless.enable = true; + hardware.logitech.wireless.enableGraphical = true; + + programs.adb.enable = true; + + programs.zsh.enable = true; + + services.openssh = { + enable = true; + settings = { + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + + # only change this when specified in release notes + system.stateVersion = "24.11"; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 624c028..12acea1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -6,9 +6,11 @@ let # `ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key` home-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFTQvIcSdhEKl/Kq+pcS/cPCyyZ1ygj+djfuaXzaRMx"; home-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILO+OLPr8zdOMYyKtm98AFJai7zbaxw7JhVWgOwu7K3C"; + pilot1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEucfNzPbDRdDjTaLG3PzN4lAzDAq3QUkaLvaRjjsCY"; systems = [ home-pc home-server + pilot1 ]; in { @@ -16,11 +18,13 @@ in felschr home-pc home-server + pilot1 ]; "restic/password.age".publicKeys = [ felschr home-pc home-server + pilot1 ]; "smtp.age".publicKeys = [ felschr
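Review bot: `allowDiscards = true` on the `enc` LUKS device in hosts/work-pc.nix passes TRIM through the encrypted layer, so anyone who can read the raw disk can see which blocks are unused. That is a deliberate trade-off and deserves a comment, e.g. `# TRIM passthrough: reveals free-space layout on the raw device, accepted for SSD performance`. The existing comment `# replace with regenerated hardware-configuration.nix` marks this block as provisional, and hardware/pilot1.nix mounts `/` by UUID without referring to `enc`. It is worth confirming that the root filesystem really sits on the opened mapping, and moving the LUKS stanza into the hardware file once that is settled.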
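Review bot: Adding `pilot1` to the `systems` list in secrets/secrets.nix makes the work machine a recipient of every secret whose `publicKeys` is built from `systems`. The following hunk also adds it explicitly to `"restic/password.age"` and to one more secret whose name lies outside the hunk; that hunk runs past the visible end of the diff. A work machine probably needs only a subset of what home-pc and home-server can decrypt, so I would keep `pilot1` out of `systems` and list it per secret, with a comment such as `# pilot1: work machine, listed only on secrets it consumes`. The existing `.age` files also have to be re-encrypted (`agenix --rekey`) before the new recipient takes effect, and no rekeyed files appear in the visible part of this diff.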