diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix
index cc09b4f..088aff6 100644
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
@@ -1,30 +1,45 @@
-{ lib, pkgs, modulesPath, inputs, ... }: +{ inputs, config, lib, pkgs, outputs,... }: { - imports = [ + imports = + [ + # Disk configuration inputs.disko.nixosModules.disko - ../common/disks/std-disk-config.nix + (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) + ../common/optional/btrfs-impermanence.nix + inputs.impermanence.nixosModules.impermanence # Import core options ./hardware-configuration.nix ../common/core + # Import optional options -# ../common/optional/openssh + ../common/optional/openssh.nix - # Create users for this host - ../common/users/admin - ]; + ]; -# #virtualisation.virtualbox.guest.enable = true; -# virtualisation.libvirtd = { -# qemu = { -# package = pkgs.qemu_kvm; # only emulates host arch, smaller download -# swtpm.enable = true; # allows for creating emulated TPM -# ovmf.packages = [(pkgs.OVMF.override { -# secureBoot = true; -# tpmSupport = true; -# }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff -# }; -# }; + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.unstable-packages + ]; + config = { + allowUnfree = true; + }; + }; + + fileSystems."/persist".neededForBoot = true; + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/etc/nixos" + ]; + files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/deploy_key-ssh-ed25519" + ]; + }; boot = { loader = {
@@ -34,11 +49,13 @@
 }; }; - i18n.defaultLocale = "en_GB.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "uk"; - useXkbConfig = false; + users = { + mutableUsers = true; + extraUsers = { + root = { + initialPassword = "1234"; + }; + }; }; networking = { 
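Review bot: The ed25519 host key is handled twice in this file: here as an `environment.persistence."/persist".files` entry that bind-mounts `/etc/ssh/ssh_host_ed25519_key` from `/persist`, and in the `services.openssh` hunk further down as `hostKeys` pointing directly at `/persist/etc/ssh/ssh_host_ed25519_key`. Both resolve to the same backing file, so one of them is redundant and the two paths can drift if either is renamed; the `hostKeys` path alone is sufficient, leaving only the `.pub` and the deploy key in `files`. Nothing in this commit sets the mode of the persisted `/etc/ssh/deploy_key-ssh-ed25519` private key (the `files` entry carries no mode and the scp in scripts/bootstrap.sh does no chmod), so a comment `# private deploy key, expected 0600 root:root (placed by scripts/bootstrap.sh)` above the list would record that assumption until the script enforces it. The `# Disk configuration` comment could also say that `device = "/dev/vda"` is specific to the bootstrap VM and must change for real hardware.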
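Review bot: `initialPassword = "1234"` commits a trivially guessable root password, and the plain-text `initialPassword` option is copied into the world-readable Nix store as part of the system closure. With `mutableUsers = true` it is applied when the root account is first activated and existing passwords are not changed by later rebuilds, so it stays valid on the console until someone runs passwd; sshd's `PasswordAuthentication = false` in the next hunk only keeps it off the network. Prefer `initialHashedPassword` with a hash produced by mkpasswd, and record the intent with `# bootstrap-only console password; replaced per host via sops (see hosts/sparky)`. `users.extraUsers` is a legacy alias of `users.users`; the canonical name reads better.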
@@ -47,39 +64,40 @@ enableIPv6 = false; }; - services = { - qemuGuest.enable = true; - openssh = { - enable = true; - ports = [22]; # FIXME: Make this use configVars.networking - settings.PermitRootLogin = "yes"; - # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611 - # this mitigates the security issue caused by enabling u2fAuth in pam - authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; + services.openssh = { + enable = true; + ports = 22; + authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; + hostKeys = [{ + path = "/persist/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + }]; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "yes"; + PubKeyAuthentication = "yes"; + StreamLocalBindUnlink = "yes"; + UsePAM = true; }; }; + programs.ssh.extraConfig = '' + Host git.bitlab21.com + IdentitiesOnly yes + StrictHostKeyChecking no + IdentityFile /etc/ssh/deploy_key-ssh-ed25519 + '' + security.pam = { sshAgentAuth.enable = true; - #FIXME the above is deprecated in 24.05 but we will wait until release - #sshAgentAuth.enable = true; - services = { - sudo.u2fAuth = true; - }; }; + + networking.firewall.allowedTCPPorts = [ sshPort ]; - # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config. - # programs.ssh.startAgent = true; - - environment.systemPackages = builtins.attrValues { - inherit(pkgs) - wget - curl - git - rsync; + services = { + qemuGuest.enable = true; }; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; system.stateVersion = "23.11"; }
diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix
index a11cd41..3cd3f7c 100644
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -1,4 +1,7 @@
 { inputs, config, lib, pkgs, outputs,... }: +let + sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path; +in { imports = [ 
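Review bot: `networking.firewall.allowedTCPPorts = [ sshPort ];` uses `sshPort`, which is bound nowhere in this file (it is not a module argument of `{ inputs, config, lib, pkgs, outputs,... }` and no `let` is visible), so evaluation stops with an undefined variable; `ports = 22;` will be rejected too, since `services.openssh.ports` takes a list, as the removed `ports = [22];` had it. A `let sshPort = 22; in` above the attrset with `ports = [ sshPort ];` and `allowedTCPPorts = [ sshPort ];` fixes both and keeps them in sync. The closing `''` of `programs.ssh.extraConfig` appears here without a trailing `;` before `security.pam`, which is a parse error in Nix — confirm the line reads `'';`. `StrictHostKeyChecking no` in the system-wide client config disables host-key verification for git.bitlab21.com, the one host the persisted deploy key authenticates to; pinning that key with `programs.ssh.knownHosts."git.bitlab21.com".publicKey = "<host public key>";` and dropping the `StrictHostKeyChecking` line keeps the deploy key from being presented to an impersonating server.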
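Review bot: `lib.optionalString (lib.hasAttr "sops-nix" inputs) …` yields the empty string when the input is absent, so `hashedPasswordFile` (set from this binding in the next hunk) becomes `""` rather than unset; that option is nullable, and the user-creation activation step will presumably try to read a file with that name. Use a conditional with a `null` fallback: `sopsHashedPasswordFile = if inputs ? sops-nix then config.sops.secrets."passwords/root".path else null;`. Checking the flake input also does not prove the sops module is imported or that `passwords/root` is declared — `config.sops.secrets."passwords/root"` still fails if either is missing — so `config ? sops && config.sops.secrets ? "passwords/root"` is the closer test. A one-line comment stating why the binding is optional (hosts evaluated without sops-nix) would help the next reader.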
@@ -59,6 +62,15 @@
 }; }; + users = { + mutableUsers = true; + extraUsers = { + root = { + hashedPasswordFile = sopsHashedPasswordFile; + }; + }; + }; + boot = { loader = { systemd-boot.enable = true;
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 406b5fb..4f8dfd3 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -18,31 +18,17 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm #read -p "Enter username: " username #read -p "Enter ip address: " ip #read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config -hostname="sparky" -username="media" +hostname="bootstrap-nixos" ip="192.168.122.192" -config="sparky" - -echo " -Details entered: -Hostname: $hostname -Username: $username -IP address: $ip -System to build: $config -" -read -p "Is this correct? (yes|no): " check_details -[ "$check_details" != "yes" ] && echo "Try again. Exiting" && exit 0 +config="bootstrap" # Generate key name and dir HOST_KEY_DIR="$HOME/keys/hosts/$hostname" -USER_KEY_DIR="$HOME/keys/users/$username" -mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR" +mkdir -p "$HOST_KEY_DIR" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname" -echo "Creating '$username' ssh keys" -bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "user" --username "$username" --hostname "$hostname" # Delete key in known hosts if exists sed -i "/$ip/d" ~/.ssh/known_hosts 
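Review bot: With `mutableUsers = true`, `hashedPasswordFile` only seeds root's password the first time the account is activated; NixOS does not overwrite an existing password in that mode, so rotating the `passwords/root` sops secret later will not change the password on this host. Either set `mutableUsers = false;` so the secret is authoritative on every rebuild, or state the limitation above the block with `# mutableUsers: the sops hash is applied once, on first activation; rotate with passwd`. `users.extraUsers` is an alias of `users.users`; the canonical name is clearer.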
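Review bot: Removing the `Is this correct?` confirmation leaves no check between the now hard-coded `hostname`/`ip`/`config` values and the first destructive step, `sed -i "/$ip/d" ~/.ssh/known_hosts`, followed by key pushes to `root@$ip`; a stale `ip=` line silently targets whatever answers at that address. A one-line guard restores it: `read -p "Proceed with $config on $hostname at $ip? (yes|no): " ok; [ "$ok" = "yes" ] || exit 0`. The `sed` pattern also treats the dots in `$ip` as wildcards and is unanchored, so it can remove other entries; `sed -i "/^${ip//./\\.}[ ,]/d" ~/.ssh/known_hosts` removes only that address. The three `#read -p` prompts above are now dead code — delete them or keep one as the documented way to override the defaults.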
@@ -54,11 +40,8 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" # Generate age key from target host and user public ssh key echo "Generating age key from target host and user ssh key" nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key" -nix-shell -p ssh-to-age --run "cat $USER_KEY_DIR/id_ed25519.pub | ssh-to-age > $USER_KEY_DIR/age_user_key" HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key") -USER_AGE_KEY=$(cat "$USER_KEY_DIR/age_user_key") echo -e "Host age key:\n$HOST_AGE_KEY\n" -echo -e "User age key:\n$USER_AGE_KEY\n" echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later." # Create temp directory for ssh keys to be copied to host: 
@@ -105,30 +88,12 @@ do done echo "$ip is now online and port 22 is open!" -## Copy host ssh keys to target -#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key" -#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub" -# # Authorise source public key echo "Copying pubkey to target host" -ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip" - -# Copy user ssh keys to target -scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519" "$username@$ip:~/.ssh/id_ed25519" -scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519.pub" "$username@$ip:~/.ssh/id_ed25519.pub" +ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" # Copy deploy_key to target for personal repo authorisation -scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519" -scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub" - -echo "Configuring target host ssh connection to enable connection to gitea repos:" -read -r -d '' config << EOM -Host git.bitlab21.com - IdentitiesOnly yes - StrictHostKeyChecking no - IdentityFile ~/.ssh/deploy_key-ssh-ed25519 -EOM -echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config' +scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519" echo -e " Complete!
@@ -139,8 +104,6 @@ previously. Enter the details as following: keys: -- &users: - - &$username $USER_AGE_KEY - &hosts: - &$hostname $HOST_AGE_KEY 
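Review bot: `ssh-copy-id … "root@$ip"` appends to `/root/.ssh/authorized_keys`, but hosts/bootstrap/default.nix forces `authorizedKeysFiles` to `/etc/ssh/authorized_keys.d/%u`, so on the installed system sshd never reads that file and this step is a no-op unless something outside this diff populates `authorized_keys.d/root`; the declarative `users.users.root.openssh.authorizedKeys.keys` is the path that config honours, and this line can then go. The scp of the private deploy key to `/persist/etc/ssh/deploy_key-ssh-ed25519` relies on scp carrying the source file's mode bits and nothing verifies the result; add `ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" 'chmod 600 /persist/etc/ssh/deploy_key-ssh-ed25519'` after it so the client on the target will not refuse the key as unprotected. Neither scp nor ssh-copy-id has its exit status checked, and no `set -e` is visible in this hunk, so a failed copy still reaches the `Complete!` message.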
@@ -148,7 +111,6 @@ creation_rules: - path_regex: secrets.yaml$ key_groups: - age: - - *$username - *$hostname Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
@@ -169,10 +131,8 @@ do [ "$confirm" = "yes" ] && break done -ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git ~/keep/nixos/'" -#ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git ~/keep/'" +ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'" echo -e "###\nSuccessfully installed Nixos on the target host!\n###" -#echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'" exit 0
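Review bot: The `git clone` into `/persist/etc/nixos/` runs through `ssh … "root@$ip"` with no exit-status check, and the script then prints `Successfully installed Nixos` unconditionally, so a clone failure (unreadable deploy key, unexpected host key, non-empty target) is reported as success. Append `|| { echo "git clone on $ip failed" >&2; exit 1; }` to the ssh line. The clone also lands in the directory that impermanence bind-mounts as `/etc/nixos` on this host; git refuses a non-empty destination, so the step works on a fresh install but not on a re-run — testing for `/persist/etc/nixos/.git` first and pulling instead would make it idempotent. The enclosing `do … done` loop starts outside the hunk.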