diff --git a/flake.lock b/flake.lock
index e41b5f2..d11401b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -117,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1692099905,
-        "narHash": "sha256-/pSusGhmIdSdAaywQRFA5dVbfdIzlWQTecM+E46+cJ0=",
+        "lastModified": 1693208669,
+        "narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2a6679aa9cc3872c29ba2a57fe1b71b3e3c5649f",
+        "rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
         "type": "github"
       },
       "original": {
@@ -174,11 +174,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1692373088,
-        "narHash": "sha256-EPgCecdc9I8aTdmDNoO1l7R72r2WPhZRcesV4nzxBj8=",
+        "lastModified": 1692952286,
+        "narHash": "sha256-TsrtPv3+Q1KR0avZxpiJH+b6fX/R/hEQVHbjl1ebotY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "7f1836531b126cfcf584e7d7d71bf8758bb58969",
+        "rev": "817e297fc3352fadc15f2c5306909aa9192d7d97",
         "type": "github"
       },
       "original": {
@@ -190,11 +190,11 @@
     },
     "nixos-unstable": {
       "locked": {
-        "lastModified": 1692447944,
-        "narHash": "sha256-fkJGNjEmTPvqBs215EQU4r9ivecV5Qge5cF/QDLVn3U=",
+        "lastModified": 1693158576,
+        "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d680ded26da5cf104dd2735a51e88d2d8f487b4d",
+        "rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
         "type": "github"
       },
       "original": {
@@ -238,11 +238,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1692525914,
-        "narHash": "sha256-MUgZ9/9mE/EbEQA6JPdcQHkjoR5fgvaKhpy6UO67uEc=",
+        "lastModified": 1693183237,
+        "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "475d5ae2c4cb87b904545bdb547af05681198fcc",
+        "rev": "ea5234e7073d5f44728c499192544a84244bf35a",
         "type": "github"
       },
       "original": {
@@ -254,11 +254,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1692698578,
-        "narHash": "sha256-sNiNKomooOWb19XXIcDcJoXmhlBAseYNfgV7UC1dO+0=",
+        "lastModified": 1693241161,
+        "narHash": "sha256-MRJHIKBn2vhX6eslfyKj+H9nb2gj56k80OO8vE0Poy8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "005dbfacdbf783079ea727d3fc4c09d715224cd2",
+        "rev": "931c534a5d7ee0cf576c1e114cfef7d4f53212c8",
         "type": "github"
       },
       "original": {
diff --git a/home/home.nix b/home/home.nix
index 428805e..bf84f77 100644
--- a/home/home.nix
+++ b/home/home.nix
@@ -30,8 +30,6 @@ let
     (tor-browser-bundle-bin.override {
       mediaSupport = true;
       pulseaudioSupport = true;
-      # prevent segfault on Intel graphics systems
-      useHardenedMalloc = false;
     })
     pdfpc
     quaternion
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index f6c8c3b..20c09c3 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -14,7 +14,8 @@ in
     [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ./packages.nix
+      ./modules/packages.nix
+      ./modules/nitrokey.nix
     ];
 
   services.davfs2.enable = true;
@@ -45,16 +46,16 @@ in
   environment.systemPackages = [
     pkgs.sbctl
   ];
-   # Lanzaboote currently replaces the systemd-boot module.
-   # This setting is usually set to true in configuration.nix
-   # generated at installation time. So we force it to false
-   # for now.
-   boot.loader.systemd-boot.enable = lib.mkForce false;
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
 
-   boot.lanzaboote = {
-     enable = true;
-     pkiBundle = "/etc/secureboot";
-   };
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
 
   # make the boot look good
   boot.plymouth.enable = true;
@@ -143,8 +144,6 @@ in
     package = pkgs.pulseaudioFull;
   };
 
-  # Nitrokey support
-  services.udev.packages = [ pkgs.nitrokey-udev-rules ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;
diff --git a/nixos/modules/nitrokey.nix b/nixos/modules/nitrokey.nix
new file mode 100644
index 0000000..dc6ed75
--- /dev/null
+++ b/nixos/modules/nitrokey.nix
@@ -0,0 +1,11 @@
+{ pkgs, lib, ...}:
+{
+hardware.nitrokey.enable = true;
+environment.systemPackages = [ pkgs.pynitrokey ];
+nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+   "nrfutil"
+   "pc-ble-driver-py"
+   "pc-ble-driver"
+   "pypemicro"
+];
+}
diff --git a/nixos/packages.nix b/nixos/modules/packages.nix
similarity index 100%
rename from nixos/packages.nix
rename to nixos/modules/packages.nix