diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix
index 96364ff..7a0cd6c 100644
--- a/home/modules/zsh.nix
+++ b/home/modules/zsh.nix
@@ -34,7 +34,7 @@ in
       };
       plugins = [
       ];
-      initExtra = ''
+      initContent = ''
         source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh
         source ${pkgs.fzf}/share/fzf/key-bindings.zsh
         source ${pkgs.fzf}/share/fzf/completion.zsh
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index adacb51..14780f1 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -31,6 +31,39 @@ let
     };
 in
 {
+  stolas =
+    let
+      system = "x86_64-linux";
+    in
+    nixosSystem {
+      inherit nixpkgs system;
+
+      extraModules = [
+        # TODO lanzaboote.nixosModules.lanzaboote
+        {
+          nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
+          dadada.pkgs = self.packages.${system};
+          dadada.inputs = inputs // {
+            dadada = self;
+          };
+        }
+        nixos-hardware.nixosModules.framework-amd-ai-300-series
+        home-manager.nixosModules.home-manager
+        (
+          { pkgs, ... }:
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [
+              { dadada.home.helix.package = pkgs.helix; }
+            ];
+            home-manager.users.dadada = import ../home;
+          }
+        )
+        ./stolas
+      ];
+    };
+
   gorgon =
     let
       system = "x86_64-linux";
@@ -46,12 +79,10 @@ in
             dadada = self;
           };
         }
-
         nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
-
         home-manager.nixosModules.home-manager
         (
-          { pkgs, lib, ... }:
+          { pkgs, ... }:
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix
index b681d72..0976788 100644
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@@ -13,8 +13,8 @@ in
     ./upgrade-pg-cluster.nix
   ];
 
-  boot.tmp.useTmpfs = true;
-  boot.tmp.tmpfsSize = "50%";
+  boot.tmp.useTmpfs = lib.mkDefault true;
+  boot.tmp.tmpfsSize = lib.mkDefault "50%";
 
   i18n.defaultLocale = mkDefault "en_US.UTF-8";
   console = mkDefault {
diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix
index d9f0bde..8e0b52f 100644
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@@ -48,7 +48,7 @@ with lib;
     alsa.support32Bit = true;
     pulse.enable = true;
   };
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
 
   dadada.backupClient.gs = {
     enable = true;
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
new file mode 100644
index 0000000..e526eff
--- /dev/null
+++ b/nixos/stolas/default.nix
@@ -0,0 +1,297 @@
+{ config, lib, pkgs, ... }:
+{
+
+  imports = [
+    ../modules/profiles/laptop.nix
+  ];
+
+  ### TODO double check with generated hw-config
+
+  boot = {
+    # TODO lanzaboote = {
+    #  enable = true;
+    #  pkiBundle = "/var/lib/sbctl";
+    #};
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "ehci_pci"
+        "xhci_pci"
+        "usb_storage"
+        "sd_mod"
+        "rtsx_pci_sdmmc"
+      ];
+      # TODO disable for lanzaboote
+      systemd.enable = true;
+      # Lanzaboote currently replaces the systemd-boot module.
+      # This setting is usually set to true in configuration.nix
+      # generated at installation time. So we force it to false
+      # for now.
+      #boot.loader.systemd-boot.enable = lib.mkForce false;
+      luks.devices = {
+        root = {
+          # TODO 
+          device = "/dev/disk/by-uuid/todo";
+          allowDiscards = true;
+          # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
+          #crypttabExtraOpts = [ "fido2-device=auto" ];
+        };
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  # TODO compare with nixos-generate-config --show-hardware-config
+  fileSystems = {
+    "/boot" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "vfat";
+    };
+
+    "/" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "btrfs";
+      options = [
+        "subvol=root"
+        "compress=zstd"
+      ];
+    };
+
+    "/home" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      options = [
+        "compress=zstd"
+        "subvol=home"
+      ];
+    };
+
+    "/home/dadada" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      options = [
+        "compress=zstd"
+        "subvol=home/dadada"
+      ];
+    };
+
+    "/nix" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "btrfs";
+      options = [
+        "noatime"
+        "compress=zstd"
+        "subvol=nix"
+      ];
+    };
+
+    "/nix/var/nix/builds" =  {
+      device = "none";
+      fsType = "tmpfs";
+      options = [
+        # Max 80% of available RAM
+        "size=80%"
+        # Only owner (nix daemon may write)
+        "mode=755"
+      ];
+    };
+
+    "/root" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd"
+        "subvol=root"
+      ];
+    };
+
+    "/var" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd"
+        "subvol=var"
+      ];
+    };
+
+    "/var/lib/paperless" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd"
+        "subvol=var/lib/paperless"
+      ];
+    };
+
+    "/var/swap" = {
+      # TODO
+      device = "/dev/disk/by-uuid/todo";
+      fsType = "btrfs";
+      options = [
+        "noatime"
+        "subvol=swap"
+      ];
+    };
+
+    # NOTE: /tmp is tmpfs because of config in base.nix
+  };
+
+  # TODO btrfs filesystem mkswapfile --uuid clear /var/swap/swapfile
+  # swapDevices = [{ 
+  #   device = "/var/swap/swapfile"; 
+  #   size = 80*1024; # Creates an 80GB swap file 
+  # }];
+
+  hardware = {
+    # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
+    bluetooth.enable = true;
+    framework.laptop13.audioEnhancement.enable = true;
+    graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        vaapiVdpau
+        libvdpau-va-gl
+      ];
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "schedutil";
+    # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod?
+    powerUpCommands = ''
+      echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
+    '';
+  };
+
+  networking = {
+    hostName = "stolas";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22000 # Syncthing
+      ];
+      allowedUDPPorts = [
+        21027 # Syncthing
+      ];
+    };
+  };
+
+  nix = {
+    settings.max-jobs = lib.mkDefault 16;
+  };
+
+  # TODO dadada.backupClient.backup1.enable = true;
+  # dadada.backupClient.backup2 = {
+  #   enable = true;
+  #   passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
+  #   sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
+  #   repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup";
+  # };
+
+  programs = {
+    adb.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox-wayland;
+    };
+    gnupg.agent.enable = true;
+    ssh.startAgent = true;
+    wireshark.enable = true;
+  };
+
+  services = {
+    avahi.enable = true;
+    desktopManager.plasma6.enable = true;
+    displayManager = {
+      sddm.enable = true;
+      sddm.wayland.enable = true;
+    };
+    gnome.gnome-keyring.enable = lib.mkForce false;
+    smartd.enable = true;
+    printing = {
+      enable = true;
+      browsing = true;
+    };
+    paperless = {
+      # TODO migrate DB
+      enable = true;
+      passwordFile = config.age.secrets.paperless.path;
+    };
+    tlp.enable = false;
+  };
+
+  system = {
+    stateVersion = "25.05";
+  };
+
+  systemd.tmpfiles.rules =
+    let
+      cfg = config.services.paperless;
+    in
+    [
+      (
+        if cfg.consumptionDirIsPublic then
+          "d '${cfg.consumptionDir}' 777 - - - -"
+        else
+          "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+      )
+    ];
+
+  systemd.services = {
+    modem-manager.enable = lib.mkForce false;
+    "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
+  };
+
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=1h
+  '';
+
+  virtualisation.libvirtd.enable = true;
+
+  users = {
+    users = {
+      dadada = {
+        isNormalUser = true;
+        extraGroups = [
+          "wheel"
+          "networkmanager"
+          "libvirtd"
+          "adbusers"
+          "kvm"
+          "video"
+          "scanner"
+          "lp"
+          "docker"
+          "dialout"
+          "wireshark"
+          "paperless"
+        ];
+        shell = "/run/current-system/sw/bin/zsh";
+      };
+    };
+  };
+
+  age.secrets = {
+    paperless = {
+      file = "${config.dadada.secrets.path}/paperless.age";
+      mode = "700";
+      owner = "paperless";
+    };
+  };
+  
+  # Create compressing swap space in RAM
+  zramSwap.enable = true;
+}