diff --git a/configs/wireguard.nix b/configs/wireguard.nix
index 72f21ed..32692cd 100644
--- a/configs/wireguard.nix
+++ b/configs/wireguard.nix
@@ -1,7 +1,7 @@
 {
   wireguard-desktop-public = "yQH91i1Kqxet5iGi3nFMgu7h68Oie6eHOQJHMkhLmWs=";
   wireguard-framework-public = "plnKdyh11Z3779LpHQmfU69z7LfCfDATLSxphhcj/3U=";
-  wireguard-mbp-public = "GQZ + lfEFQxTl5K5O623tlvWjTzBEeG0gSdvVA61H1z4=";
+  wireguard-mbp-public = "GQZ+lfEFQxTl5K5O623tlvWjTzBEeG0gSdvVA61H1z4=";
   wireguard-mini-public = "C9dfZUwmKLVpjeXVNkoVyMSXfogdqEK3yMgClpeYzHg=";
   wireguard-raspberrypi-public = "AB0k5pgI0fsnncNN3GkexWWbA8q/is9JaKY3x8jw4kY=";
   wireguard-vps-public = "gXG2XaFJZq3/MDva1vbaicRs9z9XfAR2wPLHmg4hRlI=";
diff --git a/machine/thinkpad.nix b/machine/thinkpad.nix
new file mode 100644
index 0000000..54b93fd
--- /dev/null
+++ b/machine/thinkpad.nix
@@ -0,0 +1,164 @@
+{ config, pkgs, lib, ... }:
+let
+  secrets = import ../configs/secrets.nix;
+  be = import ../configs/borg-exclude.nix;
+in
+{
+  imports =
+    [
+      <nixos-hardware/lenovo/thinkpad/x1-extreme>
+      /etc/nixos/hardware-configuration.nix
+      ../configs/gui.nix
+      ../configs/docker.nix
+      ../configs/libvirt.nix
+      ../configs/common.nix
+      ../configs/user.nix
+      #../configs/user-gui.nix
+      #../configs/user-gui-applications.nix
+      #../configs/bspwm.nix
+      #../configs/pantheon.nix
+      <home-manager/nixos>
+    ];
+
+  boot = {
+    initrd = {
+      preLVMCommands = lib.mkBefore 400 "sleep 1";
+      availableKernelModules = [ "e1000e" ];
+      systemd.enable = true;
+      luks.forceLuksSupportInInitrd = true;
+      network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          port = 22;
+          authorizedKeys = [
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPSzeNjfkz7/B/18TcJxxmNFUhvTKoieBcexdzebWH7oncvyBXNRJp8vAqSIVFLzz5UUFQNFuilggs8/N48U84acmFOxlbUmxlkf8KZgeB/G6uQ8ncQh6M1HNNPH+9apTURgfctr7eEZe9seLIEBISQLXB2Sf3F1ogfDj25S8kH9RM4wM1/jDFK5IecWHScKxwQPmCoXeGE1LEJq6nkQLXMDsWhSihtWouaTxSR0p7/wp/Rqt/hzLEWj8e3+qLMc5JrrdaWksupUCysme7CnSfGSzNUv9RKiRCTFofYPT9tbRn5JzdpQ55v22S6OvmmXUHjST1MOzI8MpVPZCCqd/ZQ1E+gErFiMwjG4sn/xxdPK9/jbQaXMjLklbKtR+C5090Ew2u2kj78jqGk/8COhF1MXh/9qjcG+C51uD1AS9d410kfjPwkaUt4U2KktDMQ942nWywrvIWM0Gt2kgDLYotsy/70q/aTJ8bvaCoWoDOGmpWcyNNBalz4OYYGI2Z0WHrVTs0FpzSk/XeQz0OLkmueoh5GDGd8zrfO6Nf5LWI17aWGRePTpQP5mJIg6jC3j8/QVrthEP6QyIIkZsnfsmvSiMWVfXqEy1BxVlu3T6aLffaj679KCsxY+mx5mTH2hwd4ZdbSI4F0GCIt+WGaFhHs2V3ZQitoEZuraRPEc4HGw== alexander@szczepan.ski"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYEaT0gH9yJM2Al0B+VGXdZB/b2qjZK7n01Weq0TcmQ alex@framework"
+          ];
+          hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        };
+        postCommands = let
+          # I use a LUKS 2 label. Replace this with your disk device's path.
+          disk = "/dev/disk/by-label/nixos";
+        in ''
+          echo 'cryptsetup open ${disk} root --type luks && echo > /tmp/continue' >> /root/.profile
+          echo 'starting sshd...'
+        '';
+      };
+      postDeviceCommands = ''
+        echo 'waiting for root device to be opened...'
+        mkfifo /tmp/continue
+        cat /tmp/continue
+      '';
+    };
+    loader = {
+      systemd-boot = {
+	enable = true;
+        configurationLimit = 10;
+      	editor = false;
+      };
+      efi = {
+        canTouchEfiVariables = false;
+      };
+    };
+  #  plymouth.enable = true;
+  };
+
+  boot.initrd.luks.devices."nixos".preLVM = true;
+
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+
+  networking = {
+    hostName = "thinkpad";
+    useDHCP = false;
+    firewall = { enable = false; };
+    interfaces.enp0s31f6.useDHCP = true;
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "10.100.0.8/24" ];
+        privateKey = secrets.wireguard-thinkpad-private;
+
+        peers = [{
+          publicKey = secrets.wireguard-vps-public;
+          presharedKey = secrets.wireguard-preshared;
+          allowedIPs = [ "10.100.0.0/24" ];
+          endpoint = "207.180.220.97:51820";
+          persistentKeepalive = 25;
+        }];
+      };
+    };
+  };
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "latarcyrheb-sun32";
+    keyMap = "us";
+  };
+
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio = {
+    enable = true;
+    support32Bit = true;
+    daemon = {
+      config = {
+        avoid-resampling = "yes";
+      };
+    };
+    configFile = pkgs.runCommand "default.pa" { } ''
+      sed 's/module-udev-detect$/module-udev-detect tsched=0/' \
+        ${pkgs.pulseaudio}/etc/pulse/default.pa > $out
+    '';
+  };
+
+  services = {
+    thinkfan = {
+      enable = true;
+      levels = [
+        [ 0 0 67 ]
+        [ 1 65 75 ]
+        [ 2 73 80 ]
+        [ 3 78 85 ]
+        [ 4 83 90 ]
+        [ 6 88 95 ]
+        [ 7 93 32767 ]
+      ];
+    };
+    xserver = {
+	enable = true;
+  	displayManager.sddm.enable = true;
+	desktopManager.plasma5.enable = true;
+    };
+    xrdp = {
+	enable = true;
+        defaultWindowManager = "startplasma-x11";
+    };
+    power-profiles-daemon.enable = false;
+    auto-cpufreq.enable = true;
+    tlp.enable = false;
+    # tlp = {
+    #   enable = true;
+    #   settings = {
+    #     START_CHARGE_THRESH_BAT0 = 80;
+    #     STOP_CHARGE_THRESH_BAT0 = 90;
+    #   };
+    # };
+  };
+
+  systemd.extraConfig = ''
+    DefaultTimeoutStopSec=10s
+  '';
+
+  environment.systemPackages = with pkgs; [
+    intel-gpu-tools
+  ];
+
+  powerManagement.powertop.enable = true;
+
+  system.stateVersion = "23.05";
+}