diff --git a/.sops.yaml b/.sops.yaml
index 5870150..a861312 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,9 +5,11 @@ keys: # Hosts # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' - &aristotle age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp + - &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk creation_rules: - path_regex: secrets.yaml$ key_groups: - age: - *guanranwang - *aristotle + - *blacksteel
diff --git a/flake.nix b/flake.nix
index 7de637a..e31f6a9 100755
--- a/flake.nix
+++ b/flake.nix
@@ -142,6 +142,7 @@ ### NixOS nixosConfigurations = { "aristotle" = mkNixOS "x86_64-linux" [./hosts/aristotle]; + "blacksteel" = mkNixOS "x86_64-linux" [./hosts/blacksteel]; }; ### Darwin
diff --git a/hosts/blacksteel/anti-feature.nix b/hosts/blacksteel/anti-feature.nix
new file mode 100644
index 0000000..6941724
--- /dev/null
+++ b/hosts/blacksteel/anti-feature.nix
@@ -0,0 +1,27 @@
+{lib, ...}: {
+ nixpkgs.config = {
+ # only needed on older version of nvidia
+ #nvidia.acceptLicense = true;
+
+ allowNonSource = false;
+ allowNonSourcePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "adoptopenjdk-hotspot-bin"
+ "cargo-bootstrap"
+ "cef-binary"
+ "rustc-bootstrap"
+ "rustc-bootstrap-wrapper"
+ "sof-firmware"
+ "spotify"
+ "vscodium"
+ ];
+
+ allowUnfree = false;
+ allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "nvidia-x11"
+ "spotify"
+ "broadcom-sta"
+ ];
+ };
+}
diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix
new file mode 100644
index 0000000..d801d08
--- /dev/null
+++ b/hosts/blacksteel/default.nix
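Review bot: In `.sops.yaml`, `*blacksteel` joins the single key group behind `path_regex: secrets.yaml$`, so this laptop can decrypt every value in `secrets.yaml`, including entries only `aristotle` consumes. The recipient is derived from the SSH host key (per the `ssh-to-age` comment above it), so anything able to read that host's `/etc/ssh/ssh_host_ed25519_key` can read all of them. If the hosts do not need identical secrets, a separate creation rule with its own key group for a per-host secrets file would limit what a lost or compromised laptop exposes. The regex is also unanchored with an unescaped dot; `path_regex: (^|/)secrets\.yaml$` matches only the intended file name. That rule is context in this hunk, so tightening it may belong in a follow-up.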
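Review bot: In `hosts/blacksteel/anti-feature.nix`, `allowUnfreePredicate` permits `"nvidia-x11"` although the NVIDIA module and the `hardware.nvidia.*` lines are commented out in this host's hardware-configuration.nix, so the allowlist is wider than the configuration needs. Keeping the entry disabled until the driver is enabled (`#"nvidia-x11" # re-add with common-gpu-nvidia-nonprime`) keeps the exception list useful as a review gate. Neither list records which package or option pulls each name in; a trailing comment per entry, e.g. `"broadcom-sta" # wl module, boot.extraModulePackages`, would let stale exceptions be pruned later. `broadcom-sta` is a proprietary out-of-tree driver, so it is worth confirming that it still receives fixes before relying on it for Wi-Fi.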
@@ -0,0 +1,24 @@
+{...}: {
+ imports = [
+ # OS
+ ../../nixos/profiles/laptop
+ ../../nixos/profiles/common/opt-in/zram-generator.nix
+ ../../nixos/profiles/common/opt-in/clash-meta-client
+
+ # Hardware
+ ./hardware-configuration.nix
+ ./anti-feature.nix
+ ];
+
+ networking.hostName = "blacksteel";
+ time.timeZone = "Asia/Shanghai";
+
+ # TODOs:
+ # [x] networkmanager - > iwd
+ # [ ] nouveau -> nvidia
+ # [ ] secureboot (???)
+ # [ ] impermanence
+ # [ ] backlight is always 33% when booted up
+ # [ ] fan is *blasting* even after I installed mbpfans
+ # [ ] audio quality isnt too great (compared to macOS, or i might have wooden ears)
+}
diff --git a/hosts/blacksteel/hardware-configuration.nix b/hosts/blacksteel/hardware-configuration.nix
new file mode 100644
index 0000000..354ddd5
--- /dev/null
+++ b/hosts/blacksteel/hardware-configuration.nix
@@ -0,0 +1,49 @@
+{
+ inputs,
+ config,
+ ...
+}: {
+ imports = [
+ inputs.nixpkgs.nixosModules.notDetected
+ inputs.nixos-hardware.nixosModules.apple-macbook-pro
+ inputs.nixos-hardware.nixosModules.common-cpu-intel
+ inputs.nixos-hardware.nixosModules.common-gpu-intel
+ #inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
+ inputs.nixos-hardware.nixosModules.common-hidpi
+ inputs.nixos-hardware.nixosModules.common-pc-laptop
+ inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
+ ];
+
+ myFlake.hardware.components = {
+ audio.enable = true;
+ bluetooth.enable = true;
+ tpm.enable = true;
+ };
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+ boot.kernelModules = ["kvm-intel" "wl"];
+ boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];
+
+
+ #hardware.nvidia.modesetting.enable = true;
+ #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+ system.stateVersion = "23.11";
+
+ # no disko because dual booting with macOS isnt very flexible
+ boot.initrd.luks.devices."luks-8c26de19-f0d4-4ac7-a73c-a28dafd30544".device = "/dev/disk/by-uuid/8c26de19-f0d4-4ac7-a73c-a28dafd30544";
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/ab9b92a9-b67b-43b4-b0d9-9dd59ccd594b";
+ fsType = "btrfs";
+ options = ["subvol=@"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/E5DE-9C92";
+ fsType = "vfat";
+ };
+ };
+
+ swapDevices = [];
+}
diff --git a/secrets.yaml b/secrets.yaml
index cecded0..7aa52da 100644
--- a/secrets.yaml
+++ b/secrets.yaml
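Review bot: In `hosts/blacksteel/hardware-configuration.nix`, the LUKS-encrypted root sits next to an unencrypted vfat `/boot`, and Secure Boot is still an open TODO in this host's default.nix, so the kernel and initrd that prompt for the passphrase are not authenticated at boot. That narrows what disk encryption protects on a laptop that can be left unattended, and it is worth recording next to the LUKS line: `# /boot is unencrypted and Secure Boot is not set up yet; kernel and initrd are unverified until it is`. What `myFlake.hardware.components.tpm.enable` configures is not visible in this diff; if it is meant to bind the LUKS key to the TPM, the measured boot state should be part of that policy. The same host key that decrypts `secrets.yaml` lives on this root filesystem, so the boot-chain gap also bounds how well those secrets are protected at rest.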
@@ -18,20 +18,29 @@ sops: - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RFg4SlluSVhQd0wvdE5l - T0ZoQ3ZYdFBxcFE2bnBNM1pKL0MrTGtKVmk4Ci9kUE5hWWVBZFR3NVJDQ3htSzdi - YjNpelRBbEh6OVVBTU5mbHNtenJXNXMKLS0tIEQ5VmZNMWFFQmltc0JKcGZOTmVv - V0tISUZkbXRUR0U4UzA4UlRuKzJkUjQKHgY1Hp6slqeHlchclqSvpSXeBbaHKdfY - 9U6QKaMHyUgjblXJl9gKRl6niJgHArSRADC44rTMF2/lSvHwFyNYRg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXL3R3UWF2UjFBZXlVWmEr + L3Nva3ZnMW9kUVN0bzhlVlE3UWRWSlRqY3lzCmp4SDlkZUdIQmFMb1UrWWk3SXBI + TExucEFodlZaZjFGQ3lkOWh1NFFsckUKLS0tIEZTL0QvZmVVWlVBOWtVczFaYnFl + ejFYb0J0dmtSL0VURDBHZEhER0FZeEUKErLL9cf65O/YmLt0JVpdXuK2sXLh4x/O + YVv9lzzECDAMZbh2RScw5z91zWM9kB5vx17XrpcUnF4ouH+jnlOx8Q== -----END AGE ENCRYPTED FILE----- - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRE54b3l5WTM1NHk4UFpZ - MEpaSHJ5M2MzMWdVY0cyRElxS09JM2NUOUZJCkdKT1hFcjMrUDN6NjArb3lrTUds - Y1BkNTVpdnZybmY5WE14Q2QrWEpseE0KLS0tIC9lblVvSzkzYVFSNEVPYTFJWThm - bEdVQ0dicTVaRkJUNFB0d3Y1S1hmL3MKFVPyIyjRkQcdimUE/tWxQzQU1cqkB5lN - o+7a8JuA5gOxG7OInWbfkDe9/wSFCJW2S5z9jON/tLy6atPdmPYUdg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHN2RPVVFlYzlyRitlS0Fn + SGJaR2srdExaT3V5dFd3OFFraXBlbVY0K2d3CnNRUmFkSHJuTWlUeW9haS9lQ2N2 + S3JmU3FmWUtLblRoYnRwK05OY05RK0kKLS0tIGQ2d2REbkFuQnFkT1I1QnFIc1Z6 + TlhnYmhQWnRBWG1CeWp6bktmemNxbk0KXYImIHhtlXUS2H+Ot81zGbC/BaMkba8D + GUJeizpBBbA6BSjeQYx1Hd/mJJ4eqbN9abnLgYhQ42i9KfWWC4Eu1w== + -----END AGE ENCRYPTED FILE----- + - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0N2FtN1UvTXQ3MXZPQVN2 + bTBCQzR1cmhhdmV5K0g4ODZySk42V09aZVE0CndxWTRVZS9Pek85VU1nK1hEYjc5 + RnFjZEFmVytIYVBtN1IxOU1uSHVLUGcKLS0tIFB2UzlFeFJWOGJ3SFBDNENxT1FN + 
MFdBdDhnbWFwTVd1aFgvUHdRZkhTV3MKIcvIbGmAMVAu5KcOi8xsjIvwAzp8etAn + cXbkj9HfU/FHWv2fJNC/2Dda3AKKfDFNQJIk0MYOuyFR+JMu6Dah/g== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-02-12T06:09:46Z" mac: ENC[AES256_GCM,data:EYe/XOQo+zbsx/2Iwqa8o2Ez2MoE+OacQnXSwyL+YM5olk7uvDFnnnfDBIth5tIqsXJ3HzJqW82rTotwUCrQ7UYbfwq72j3gIF18XQe+n1ahoTBkzudBFXJb84sY7tQDexUzA+SC3LTIJGiHItZ+H23ou6iKFEU6V6FCdJRlLb8=,iv:XDeKRZfx9Lej9Ql4jY/gMWGlY+thx9y4bXRanhOAa3E=,tag:6c91OAH3bAjndpQr+0e90g==,type:str]