diff --git a/TODOS.md b/TODOS.md
index b5d9028..61d63eb 100644
--- a/TODOS.md
+++ b/TODOS.md
@@ -16,6 +16,13 @@ TODOS
 * [ ] DNS (Dnsmasq or Unbound)
 * [ ] qemu setup
 * P2
+ * [ ] SOPS fixes
+ * [ ] consolidate to single script that works on host or on guest
+ * [ ] If no user key on guest, complain and abort
+ * [ ] Fix error messages that mess with getting fingerprit
+ * [ ] Make sure uid matches @localhost, as it tells sops where to look for keyring
+ * [ ] Move hardware config to module config
+ * [ ] DB of hardware, similar to nixos-hardware repo
 * [ ] Backups
 * [ ] Migration of services from HP server, HA
 * [ ] SSO/Authentik
diff --git a/module.nix b/module.nix
index b32c767..c55c608 100644
--- a/module.nix
+++ b/module.nix
@@ -55,7 +55,11 @@
 adminHashedPassword = lib.mkOption {
 type = lib.types.str;
 default = "";
- description = "Hashed password for the system admin";
+ description = ''
+ Hashed password for the system admin
+ Generate with:
+ mkpasswd --method=SHA-512 --stdin
+ '';
 };
 authorizedKeys = lib.mkOption {
@@ -87,13 +91,6 @@
 default = false;
 description = "Enable dynamic DNS client";
 };
-
- interval = lib.mkOption {
- type = lib.types.str;
- default = "10m";
- description = "Interval for dynamic DNS client";
- };
-
 protocol = lib.mkOption {
 type = lib.types.str;
 default = "hetzner";
@@ -112,6 +109,12 @@
 description = "Zone for dynamic DNS client";
 };
+ interval = lib.mkOption {
+ type = lib.types.str;
+ default = "10m";
+ description = "Interval for dynamic DNS client";
+ };
+
 domains = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 default = [ "*" "www" "dev" ];
diff --git a/profiles/hardware-configuration.nix b/profiles/hardware-configuration.nix
index 8105356..e953ca7 100644
--- a/profiles/hardware-configuration.nix
+++ b/profiles/hardware-configuration.nix
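Review bot: In module.nix, the new `adminHashedPassword` description explains how to generate the hash but not where it ends up. If it is used as an ordinary `lib.types.str` option value, it is written into the world-readable Nix store, where any local account can read it and guess against it offline. I would add a line to the description such as `The hash is stored world-readable in the Nix store; use a long, unique password.`, and consider documenting `mkpasswd --method=yescrypt --stdin`, since SHA-512 crypt is considerably cheaper to guess against. The unchanged `default = "";` above it also deserves a check: the consumer is outside the hunk, but if the value is passed straight to `users.users.<name>.hashedPassword`, an empty string allows passwordless local login.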
@@ -8,7 +8,7 @@
 [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules = [ "ata_piix" "ahci" "xhci_pci" "virtio_pci" "virtio_blk" "floppy" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [ "ata_piix" "ahci" "xhci_pci" "nvme" "virtio_pci" "virtio_blk" "floppy" "sd_mod" "sr_mod" "usb_storage" "usbhid" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
 boot.extraModulePackages = [ ];
@@ -45,4 +45,5 @@
 # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
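Review bot: The added `hardware.cpu.intel.updateMicrocode` line in the second hunk covers Intel only, while `boot.kernelModules` in the first hunk loads both `kvm-amd` and `kvm-intel`. An AMD host built from this profile would therefore boot without microcode updates, which is where many CPU vulnerability mitigations ship. Add the matching line `hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`. Both lines do nothing unless `hardware.enableRedistributableFirmware` is set somewhere, which is not visible here, and they need `config` in the module's argument list, which is above the hunk.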