diff --git a/README.md b/README.md index 6783009..c3773c0 100644 --- a/README.md +++ b/README.md @@ -17,25 +17,31 @@ `./rebuild.sh` # New machine setup + keys for decrypting password secrets for each users located at ~/.config/sops/age/keys.txt +> TODO: `keys.txt`` should prob be readable by owning user only? updating passwords: `sops secrets/secrets.yaml` -TODO: keys.txt should prob be readable by owning user only? +`nix run github:nix-community/nixos-anywhere/69ad3f4a50cfb711048f54013404762c9a8e201e -- --flake '.#defiant' nixos@192.168.1.130 --extra-files ~/.config/sops/age/` > how the current config was set up https://www.youtube.com/watch?v=G5f6GC7SnhU -> look into this? `https://technotim.live/posts/rotate-sops-encryption-keys/` - > something about ssh keys for remotes +# Notes: +- Look into this for fixing nixos-anywhere `https://github.com/lucidph3nx/nixos-config/tree/main` +- Look into this for rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/` +- Look into this for openssh known configurations https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh +- Look into this for flake templates https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init + # Updating `nix flake update` # Tasks: ## Tech Debt -- allowUnfree should be dynamically enabled by the users whenever they need them +- allowUnfree should be dynamically enabled by the users whenever they need them (this isnt enabled at all right now for some reason???) - GNOME default monitors per hardware configuration? - graphics driver things should prob be in the hardware-configuration.nix - what does `boot.kernelModules = [ "sg" ]` do? 
@@ -45,11 +51,12 @@ TODO: keys.txt should prob be readable by owning user only?
 - DISKO for server
 - STOP FROM SLEEPING
 - VS code extensions should be installed declaratively
-- Flake templates - https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init
+- Flake templates
 - Install all the things on the NAS
 - firefox declarative???
 - figure out steam vr things?
 - Open GL?
 - util functions
-- openssh known hosts https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh
-- limit boot configurations to 2 on defiant
\ No newline at end of file
+- openssh known hosts
+- limit boot configurations to 2 on defiant
+- rotate sops encryption keys
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 1e8ab51..1182330 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1725377834,
+ "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -86,6 +106,7 @@
 },
 "root": {
 "inputs": {
+ "disko": "disko",
 "home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index e75e133..ee87ab5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,12 @@
 # encrypt files that contain secreats that I would like to not encrypt
 sops-nix.url = "github:Mic92/sops-nix";
+ # declairtive disk configuration
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 # managment per user
 home-manager = {
 url = "github:nix-community/home-manager";
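Review bot: The comment introducing the new input in flake.nix, `# declairtive disk configuration`, misspells the key word; suggest `# declarative disk configuration`. Nothing else in this hunk needs changing: the `inputs.nixpkgs.follows = "nixpkgs";` line matches how the neighbouring inputs are wired, and the exact revision is pinned by flake.lock in the same commit.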
@@ -18,7 +24,7 @@
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 };
- outputs = { self, nixpkgs, nixos-hardware, ... }@inputs:
+ outputs = { self, nixpkgs, disko, nixos-hardware, ... }@inputs:
 let
 forEachSystem = nixpkgs.lib.genAttrs [
 "aarch64-darwin"
@@ -53,6 +59,8 @@
 defiant = nixpkgs.lib.nixosSystem {
 specialArgs = { inherit inputs; };
 modules = [
+ disko.nixosModules.disko
+ ./hosts/defiant/disko-config.nix
 ./hosts/defiant/configuration.nix
 ];
 };
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index a80c520..bff81ea 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
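Review bot: `disko` is added to the `outputs` argument pattern in the first hunk only so that the second hunk can write `disko.nixosModules.disko`, while `inputs` is already bound by `@inputs` and handed to every module through `specialArgs = { inherit inputs; };`. Writing `inputs.disko.nixosModules.disko` in the module list would keep the pattern from growing with every new input; this is a point of style, evaluation is identical either way. The `outputs` function and the `defiant` attribute both continue outside the lines shown.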
@@ -11,19 +11,39 @@
 ../../enviroments/server
 ];
- sops.defaultSopsFile = ../../secrets/secrets.yaml;
- sops.defaultSopsFormat = "yaml";
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
- sops.age.keyFile = "/home/leyla/.config/sops/age/keys.txt";
+ age ={
+ keyFile = "/home/leyla/.config/sops/age/keys.txt";
+ # sshKeyPaths = ["${config.home.homeDirectory}/.ssh/nix-ed25519"];
+ # generateKey = true;
+ };
+ };
+
+ # home.sessionVariables = {
+ # SOPS_AGE_KEY_FILE = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
+ # };
 users.leyla.isThinUser = true;
 boot.loader.grub = {
 enable = true;
- device = "/dev/sda";
- useOSProber = true;
+ zfsSupport = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ # devices = [ "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0-part2" ];
+ # mirroredBoots = [
+ # { devices = [ "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB-part1" ]; path = "/boot1"; efiSysMountPoint = "/boot"; }
+ # { devices = [ "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC-part1" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
+ # { devices = [ "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH-part1" ]; path = "/boot3"; efiSysMountPoint = "/boot3"; }
+ # ];
 };
+ boot.supportedFilesystems = [ "zfs" ];
+
+ networking.hostId = "c8985fc5"; # TODO: populate this when I get home
 networking.hostName = "defiant"; # Define your hostname.
 nixpkgs.config.allowUnfree = true;
diff --git a/hosts/defiant/disko-config.nix b/hosts/defiant/disko-config.nix
new file mode 100644
index 0000000..3a113eb
--- /dev/null
+++ b/hosts/defiant/disko-config.nix
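Review bot: The decryption key for every secret on this host is read from one user's home directory, `keyFile = "/home/leyla/.config/sops/age/keys.txt";`, and nothing in the module enforces that file's ownership or mode, which the README in this same commit flags as something that "should prob be readable by owning user only". Pointing the already-present option at the host's own SSH key, `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, would keep the key root-owned, outside any home directory, and independent of that user account existing. The commented-out alternatives reference `config.home.homeDirectory` and `home.sessionVariables`, which are home-manager options and would not evaluate in this NixOS module if uncommented, so they belong on the home-manager side or should be dropped. Separately, `networking.hostId = "c8985fc5"; # TODO: populate this when I get home` now carries a stale TODO next to a concrete value; since ZFS uses the hostId to decide whether a pool is being imported from a different machine, the comment should record where this value came from or be removed.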
@@ -0,0 +1,120 @@
+{ lib, ... }:
+let
+ bootDisk = devicePath: {
+ type = "disk";
+ device = devicePath;
+ content = {
+ type = "gpt";
+
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ zfsDisk = devicePath: {
+ type = "disk";
+ device = devicePath;
+ content = {
+ type = "gpt";
+ partitions = {
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zpool";
+ };
+ };
+ };
+ };
+ };
+in {
+ disko.devices = {
+ disk = {
+ boot = bootDisk "/dev/sda"; # "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0";
+
+ # hd_13_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB";
+ # hd_13_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC";
+ # hd_13_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH";
+
+ # ssd_2_tb_a = zfsDisk "/dev/disk/by-id/XXX";
+ };
+ # zpool = {
+ # zpool = {
+ # type = "zpool";
+ # mode = {
+ # topology = {
+ # type = "topology";
+ # vdev = [
+ # {
+ # # should this only mirror for this inital config with 3 drives we will used raidz2 for future configs???
+ # mode = "mirror";
+ # members = [
+ # "hd_13_tb_a" "hd_13_tb_b" "hd_13_tb_c"
+ # ];
+ # }
+ # ];
+ # cache = [ ];
+ # # cache = [ "ssd_2_tb_a" ];
+ # };
+ # };
+
+ # options = {
+ # ashift = "12";
+ # };
+
+ # rootFsOptions = {
+ # encryption = "on";
+ # keyformat = "hex";
+ # keylocation = "prompt";
+ # compression = "lz4";
+ # xattr = "sa";
+ # acltype = "posixacl";
+ # "com.sun:auto-snapshot" = "false";
+ # };
+
+ # datasets = {
+ # "root" = {
+ # type = "zfs_fs";
+ # mountpoint = "/";
+ # };
+ # "nix" = {
+ # type = "zfs_fs";
+ # mountpoint = "/nix";
+ # };
+ # "home" = {
+ # type = "zfs_fs";
+ # mountpoint = "/home";
+ # options = {
+ # "com.sun:auto-snapshot" = "true";
+ # };
+ # };
+ # "var" = {
+ # type = "zfs_fs";
+ # mountpoint = "/var";
+ # };
+ # };
+ # };
+ # };
+ };
+}
+
diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix
index 575ae36..cd075ca 100644
--- a/hosts/defiant/hardware-configuration.nix
+++ b/hosts/defiant/hardware-configuration.nix
@@ -13,10 +13,10 @@
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/dc6a9664-80f2-4988-afd7-fee5bd3ee2ca";
- fsType = "ext4";
- };
+ # fileSystems."/" =
+ # { device = "/dev/disk/by-uuid/dc6a9664-80f2-4988-afd7-fee5bd3ee2ca";
+ # fsType = "ext4";
+ # };
 swapDevices = [ ];
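Review bot: `boot = bootDisk "/dev/sda";` hands disko a kernel-enumerated device name for a destructive partition-and-format step, while the stable `/dev/disk/by-path/...` name for what appears to be the same disk sits in the trailing comment; the commented entries suggest three SATA drives plus a USB device in this machine, so `sda` can move between boots and the wrong disk would be wiped. Prefer the `/dev/disk/by-id` or `/dev/disk/by-path` form, as the commented `zfsDisk` entries already do. The ESP is mounted at `/boot` with default options; adding `mountOptions = [ "umask=0077" ];` to that filesystem keeps the kernel, initrd and anything else staged on the ESP readable by root only. `lib` in the module arguments and the `zfsDisk` helper are unused because the entire zpool block is commented out; if the ZFS layout is not being enabled in this commit, a one-line `# TODO` pointing at it would read better than sixty commented lines, and `lib` can be dropped from `{ lib, ... }:`.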