diff --git a/.gitignore b/.gitignore
index 762b6e3..b8dfe78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
 .DS_Store
-deploy/result
-configuration.nix
+./configuration.nix
 darwin-configuration.nix
+deploy/result
+
+# the secrets folder should be a symlink to the relevant password store
+secrets
diff --git a/machines/zoro/configuration.nix b/machines/zoro/configuration.nix
new file mode 100644
index 0000000..b2c4d48
--- /dev/null
+++ b/machines/zoro/configuration.nix
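Review bot: `+./configuration.nix` will most likely match nothing: gitignore patterns are compared against paths relative to the `.gitignore`'s directory and a leading `./` is not stripped, so the root `configuration.nix` that the removed `configuration.nix` line covered stops being ignored (the new `machines/zoro/configuration.nix` is tracked either way, which looks like the intent). Anchor it as `/configuration.nix` instead and confirm with `git check-ignore -v configuration.nix`. The unanchored `secrets` entry ignores any file or directory of that name at any depth, which is the safer choice here, but the comment could state the expected link target so a fresh checkout is set up the same way.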
@@ -0,0 +1,99 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/minimal-server.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "zoro";
+ domain = "mrflos.pw";
+ nameservers = ["80.67.169.12" "2001:910:800::12" "80.67.169.40" "2001:910:800::40"];
+ wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.42.0.3/32"];
+ privateKeyFile = "/etc/wireguard_private_key";
+
+ peers = [
+ {
+ publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
+ presharedKeyFile = "/etc/wireguard_preshared_key";
+ allowedIPs = [ "10.42.0.0/24" ];
+ endpoint = "195.201.63.240:8098";
+ persistentKeepalive = 15;
+ }
+ ];
+ };
+ };
+ };
+
+ time.timeZone = "Europe/Moscow";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ users.users.optisseur = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ initialPassword = "ACHANGER";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBM+2TwkopAQF7splTWjORQoxjcp67VhodwzvTMlL8g florian@florian-LinuxMint-MBP"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRG0CyeeMMrrjTTm/PHgRXD/I4lH/bBPBCGUiL+cBdq douzeb@tux-12"
+ ];
+ };
+
+ security.sudo.extraRules= [
+ {
+ users = [ "optisseur" ];
+ commands = [
+ { command = "ALL" ;
+ options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
+ }
+ ];
+ }
+ ];
+
+ services.openssh.enable = true;
+ services.openssh.ports = [ 4222 ];
+ services.openssh.settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances = {
+ distrilab = {
+ enable = true;
+ name = networking.hostName;
+ url = "https://git.distrilab.fr";
+ token = "/etc/forgejo/runner.token";
+ labels = [
+ "debian-latest:docker://node:20-bullseye"
+ "ubuntu-latest:docker://node:20-bullseye"
+ "nixos:docker://nixos/nix:latest"
+ ];
+ };
+ mrflospw = {
+ enable = true;
+ name = networking.hostName;
+ url = "https://forge.mrflos.pw";
+ token = "/etc/forgejo/runner.token";
+ labels = [
+ "debian-latest:docker://node:20-bullseye"
+ "ubuntu-latest:docker://node:20-bullseye"
+ "nixos:docker://nixos/nix:latest"
+ ];
+ };
+ };
+ };
+
+
+ networking.firewall.allowedTCPPorts = [ 80 443 4222 ];
+
+ system.stateVersion = "24.05";
+}
+
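Review bot: `token = "/etc/forgejo/runner.token";` in both runner instances hands the NixOS `services.gitea-actions-runner` module a file path where, as the upstream module documents it, it expects the registration token itself, so registration would be attempted with that literal string (and a real token placed there would be copied into the world-readable Nix store); the file-backed option is `tokenFile = "/etc/forgejo/runner.token";` with the file holding `TOKEN=<value>`, and since a registration token is issued per forge the `distrilab` and `mrflospw` instances need separate files rather than the one shared path. `name = networking.hostName;` in both instances is an undefined variable as written, because the module's attribute set is not `rec` and `networking` is not among the function arguments; use `name = config.networking.hostName;`. On the account side, `initialPassword = "ACHANGER"` leaves a wheel user who already has `NOPASSWD` sudo for `ALL` with a guessable console password that is only applied when the user is first created and so is easy to forget; a `hashedPasswordFile` drawn from the secrets store, or no password at all given that SSH is key-only here, would be safer. The `# "SETENV"` hint in the sudo rule should not be acted on: it lets the caller bypass `env_reset` and inject arbitrary environment variables into commands run as root. Both instances use `docker://` labels, which appears to mean CI jobs from either forge run against this host's container runtime, so the runner should only be attached to repositories whose contributors are trusted.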