diff --git a/README.md b/README.md
index 486235b..1291c18 100644
--- a/README.md
+++ b/README.md
@@ -55,4 +55,7 @@ just --list
 * boot with an install media and go through setup
 #### Post-Install Setup
+* clone password-manager and infra repositories
+* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
+* gpg2: ultimately trust my own key
 * `gpg2 --edit-card; fetch`
diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix
new file mode 100644
index 0000000..2f5f8ea
--- /dev/null
+++ b/nix/os/devices/steveej-t14/boot.nix
@@ -0,0 +1,8 @@
+{ lib
+, ...
+}:
+
+{
+ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
+ boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
+}
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix
new file mode 100644
index 0000000..3828dd1
--- /dev/null
+++ b/nix/os/devices/steveej-t14/configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ imports = [
+ ../../profiles/common/configuration.nix
+ ../../profiles/graphical/configuration.nix
+ ../../modules/encryptedDisk.nix
+
+ ./system.nix
+ ./hw.nix
+ ./pkg.nix
+ ./user.nix
+ ];
+}
diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix
new file mode 100644
index 0000000..dd4c4a3
--- /dev/null
+++ b/nix/os/devices/steveej-t14/hw.nix
@@ -0,0 +1,30 @@
+{ ... }:
+
+let
+ stage1Modules = [
+ "aesni_intel"
+ "kvm-intel"
+ "aes_x86_64"
+ "nvme"
+ "nvme_core"
+
+ "pcieport"
+ "thunderbolt"
+ "e1000e"
+ "xhci_pci"
+ "hxci_hcd"
+ ];
+
+in
+{
+ # TASK: new device
+ hardware.encryptedDisk = {
+ enable = true;
+ diskId = "nvme-SKHynix_HFS001TD9TNI-L2B0B_CJ0AN89731030AV3Q";
+ };
+
+ # boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = ''
+ '';
+}
diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix
new file mode 100644
index 0000000..01b4cba
--- /dev/null
+++ b/nix/os/devices/steveej-t14/pkg.nix
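Review bot: `"hxci_hcd"` in `stage1Modules` of hw.nix looks like a transposition of `xhci_hcd`, and because the list is assigned to `boot.initrd.kernelModules` (modules the initrd loads unconditionally, unlike the commented-out `availableKernelModules` line) a module name that does not exist is likely to break the initrd build or early boot rather than be skipped silently. `"aes_x86_64"` is also worth checking against the `linuxPackages_latest` kernel selected in system.nix, since as far as I recall that scalar AES module was dropped from recent kernels and only `aesni_intel` remains. `boot.extraModprobeConfig = '' '';` is an empty string and can be removed until it carries something.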
@@ -0,0 +1,12 @@
+{ pkgs
+, ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; };
+ services.teamviewer.enable = true;
+ system.stateVersion = "20.09";
+}
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
new file mode 100644
index 0000000..cfe6f1d
--- /dev/null
+++ b/nix/os/devices/steveej-t14/system.nix
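Review bot: `services.teamviewer.enable = true;` enables the TeamViewer daemon system-wide on this laptop, which is a standing remote-access path and a larger exposure than anything else in this device config; if it is only needed occasionally, a comment stating why it is on by default, or enabling it on demand, would make that trade-off explicit. `system.stateVersion = "20.09";` also sits in a file named pkg.nix next to the package overrides and would be easier to find alongside the other system options in system.nix.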
@@ -0,0 +1,78 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+let
+ keys = import ../../../variables/keys.nix;
+in {
+
+ # TASK: new device
+ networking.hostName = "steveej-t14"; # Define your hostname.
+
+ networking.bridges."virbr1".interfaces = [];
+ networking.interfaces."virbr1".ipv4.addresses = [
+ { address = "10.254.254.254"; prefixLength = 24; }
+ ];
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ # syncthing
+ 22000
+
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+ networking.usePredictableInterfaceNames = false;
+
+ services.printing = {
+ enable = true;
+ drivers = with pkgs; [
+ hplip
+ mfcl3770cdw.driver
+ mfcl3770cdw.cupswrapper
+ ];
+ };
+
+ services.fprintd.enable = true;
+ security.pam.services = {
+ login.fprintAuth = true;
+ sudo.fprintAuth = true;
+ };
+
+ # virtualization
+ virtualisation = {
+ libvirtd = {
+ enable = true;
+ };
+
+ virtualbox.host = {
+ enable = false ;
+ addNetworkInterface = false;
+ };
+
+ docker = {
+ enable = true;
+ extraOptions = "--experimental";
+ };
+ };
+
+
+ security.pki.certificateFiles = [
+ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ ];
+
+ services.xserver.videoDrivers = [ "modesetting" ];
+ services.xserver.serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+
+ hardware.ledger.enable = true;
+}
diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix
new file mode 100644
index 0000000..f07b2ac
--- /dev/null
+++ b/nix/os/devices/steveej-t14/user.nix
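Review bot: `networking.firewall.allowedTCPPorts` opens 22000 and 5201 on every interface, so the iperf3 listener is reachable from any network this laptop joins rather than only the one it is benchmarked on; scoping it per interface, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 5201 ];`, or opening it only while testing keeps the standing exposure to syncthing. `networking.firewall.logRefusedConnections = false;` on the following lines also drops the only default record of blocked inbound attempts, which is worth a short comment stating why it is off. The `keys` let-binding and the `config` argument are unused in this file, and `enable = false ;` in the virtualbox block has a stray space before the semicolon.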
@@ -0,0 +1,15 @@
+{ config
+, pkgs
+, ... }:
+
+let
+ passwords = import ../../../variables/passwords.crypt.nix;
+ keys = import ../../../variables/keys.nix;
+ inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+ users.extraUsers.steveej2 = mkUser {
+ uid = 1001;
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ };
+}
diff --git a/nix/os/devices/steveej-t14/versions.nix b/nix/os/devices/steveej-t14/versions.nix
new file mode 100644
index 0000000..ddbd1ee
--- /dev/null
+++ b/nix/os/devices/steveej-t14/versions.nix
@@ -0,0 +1,30 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "3d2d8f281a27d466fa54b469b5993f7dde198375";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "2a058487cb7a50e7650f1657ee0151a19c59ec3b";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "63f299b3347aea183fc5088e4d6c4a193b334a41";
+ };
+}
diff --git a/nix/os/devices/steveej-t14/versions.tmpl.nix b/nix/os/devices/steveej-t14/versions.tmpl.nix
new file mode 100644
index 0000000..09f95fd
--- /dev/null
+++ b/nix/os/devices/steveej-t14/versions.tmpl.nix
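Review bot: The account is declared as `users.extraUsers.steveej2` while its authorized keys come from `keys.users.steveej.openssh` and pkg.nix configures `home-manager.users.steveej`; if the `2` suffix is intentional (a second account with uid 1001 that shares the same SSH keys) a comment saying so would stop the next reader from "fixing" it, otherwise it is a typo that leaves the home-manager user without a matching account definition. The `passwords` binding is imported but never used, and the `config` and `pkgs` arguments are unused as well, so they can be dropped until needed. `users.extraUsers` appears to be the legacy alias of `users.users`; the current name reads better in a new file.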
@@ -0,0 +1,30 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
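Review bot: Three of the four `<% git ls-remote … %>` templates pipe the whole output through `tr -d '\n'` without the `head -n1` that the `nixpkgs-master` entry uses; `git ls-remote <url> <pattern>` returns every ref whose name ends in the pattern (a branch and a tag called `nixos-20.09`, for instance), so a second match would be concatenated into one invalid `rev` string and only be noticed when the fetch fails. Using a fully qualified ref and taking the first line, e.g. `git ls-remote https://github.com/nixos/nixpkgs refs/heads/nixos-20.09 | head -n1 | awk '{ print $1 }' | tr -d '\n'`, makes the four entries consistent and unambiguous. Since the rendered result is the versions.nix added in this same commit, a bad render would land there as the pinned revision.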