diff --git a/README.md b/README.md index eade381..f64c4c7 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ -# nix-server +# NixOS Server Config -Minimal NixOS server with Docker, SSH on port 222, and basic sysadmin tools. \ No newline at end of file +Minimal NixOS server with Docker, SSH on port 222, and basic sysadmin tools. diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..997d2c6 --- /dev/null +++ b/configuration.nix 
@@ -0,0 +1,95 @@
+{ config, pkgs, ... }:
+
+{
+ # Minimal system packages
+ environment.systemPackages = with pkgs; [
+ vim
+ nano
+ git
+ curl
+ htop
+ tmux
+ rsync
+ ncdu
+ iotop
+ nethogs
+ lsof
+ strace
+ jq
+ tree
+ unzip
+ zip
+ pciutils
+ usbutils
+ smartmontools
+ lm_sensors
+ nmap
+ tcpdump
+ nettools
+ bind.dnsutils
+ openssl
+ ethtool
+ sysstat
+ logrotate
+ cron
+ ];
+
+ # Nix optimization and garbage collection
+ nix.settings = {
+ auto-optimise-store = true;
+ allowed-users = [ "@users" ];
+ };
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 90d";
+ };
+
+ # Docker configuration
+ virtualisation.docker.enable = true;
+
+ # Bootloader configuration
+ boot.loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ # SSH Server configuration
+ services.openssh = {
+ enable = true;
+ ports = [ 222 ];
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+
+ # SSHGuard — monitors logs for brute-force attempts and blocks offending IPs
+ services.sshguard.enable = true;
+
+ # Security
+ security.sudo.wheelNeedsPassword = true;
+
+ # User configuration
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMniNzAzuI527bfk/EipqFILFayUCwYXDoZ3R7+QgYq6 kawaiipunk@ZeroCool"
+ ];
+ };
+
+ # Firewall configuration — only expose HTTP, HTTPS, and SSH
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 222 ];
+ };
+
+ # VM configuration (used when building with nixos-rebuild build-vm)
+ virtualisation.vmVariant = {
+ virtualisation = {
+ memorySize = 2048;
+ cores = 2;
+ };
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..8ba7c17
--- /dev/null
+++ b/flake.nix
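Review bot: Setting PasswordAuthentication = false in the services.openssh.settings block does not by itself make this host key-only: NixOS leaves services.openssh.settings.KbdInteractiveAuthentication at its default of true (worth verifying against the 25.05 module), so PAM keyboard-interactive password prompts stay reachable on port 222 and SSHGuard's rate limiting is the only thing standing between them and a brute-force. Add `KbdInteractiveAuthentication = false;` beside `PasswordAuthentication = false;`. Separately, the comment "only expose HTTP, HTTPS, and SSH" over networking.firewall stops being true once virtualisation.docker.enable is on, because the Docker daemon inserts its own iptables rules for published container ports and those bypass allowedTCPPorts, so any `docker run -p` opens that port to the world regardless of this list. I would say so in the comment, e.g. `# NOTE: ports published by Docker containers (-p) bypass this list via Docker's own iptables rules`, so the next reader does not rely on the firewall for container isolation.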
@@ -0,0 +1,24 @@
+{
+ description = "Minimal NixOS Docker Swarm server";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+ };
+
+ outputs = { self, nixpkgs, ... }@inputs: {
+ nixosConfigurations.server = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ ./configuration.nix
+ {
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.registry.nixpkgs.flake = nixpkgs;
+ nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
+ }
+ ];
+ };
+
+ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
+ };
+}
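Review bot: The description "Minimal NixOS Docker Swarm server" claims Swarm, but nothing in this flake or in the configuration.nix it imports initializes a swarm, and that module's firewall only allows 80, 443 and 222, not the swarm manager (2377/tcp) and node gossip/overlay (7946/tcp+udp, 4789/udp) ports, so a swarm built from this config would need extra firewall rules that are not documented anywhere. Either match the README and write `description = "Minimal NixOS Docker server";`, or keep the word and add a comment here stating that the swarm ports must be opened deliberately before `docker swarm init`, since silently opening them would widen the attack surface of a host whose firewall comment promises only HTTP, HTTPS and SSH. The `@inputs` binding passed through specialArgs is not consumed by configuration.nix as far as this diff shows; harmless, but worth a note if it is intended for future modules.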