diff --git a/hosts/hydrogen/configuration.nix b/hosts/hydrogen/configuration.nix
index 0807f1e..1954b6f 100644
--- a/hosts/hydrogen/configuration.nix
+++ b/hosts/hydrogen/configuration.nix
@@ -1,72 +1,17 @@
-{ modulesPath, pkgs, lib, ... }: {
+{ modulesPath, lib, ... }: {
 imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
 (modulesPath + "/virtualisation/digital-ocean-config.nix")
 ./services
+ ./system
 ];
- networking = {
- hostName = "hydrogen";
- domain = "fainsin.bzh";
- firewall = {
- allowedTCPPorts = [
- 22 # ssh
- 80 # http
- 443 # https
- ];
- };
- };
-
- services.fail2ban = {
- enable = true;
- maxretry = 5;
- };
-
- users.mutableUsers = false;
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu"
- ];
-
- environment.systemPackages = with pkgs; [ htop ];
-
- services.nginx = {
- enable = true;
-
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
-
- virtualHosts = {
- "fainsin.bzh" = {
- enableACME = true;
- forceSSL = true;
- locations."/".return =
- ''301 "$scheme://laurent.fainsin.bzh$request_uri"'';
- };
- "laurent.fainsin.bzh" = {
- enableACME = true;
- forceSSL = true;
- root = "/srv/www/";
- };
- default = {
- default = true;
- locations."/".return = ''301 "$scheme://fainsin.bzh" '';
- };
- };
- };
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "acme@fainsin.bzh";
- };
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "22.11"; # Did you read the comment?
+ system.stateVersion = "23.05"; # Did you read the comment?
 }
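Review bot: `system.stateVersion` moves from "22.11" to "23.05" on the line directly under the comment that says to keep it at the release of the first install; on an already-deployed droplet that bump can silently switch the stateful defaults the old value was pinning (database versions, file locations), and it is not needed in order to track a newer nixpkgs. If hydrogen was reinstalled on 23.05 the change is correct and the commit message should say so; otherwise keep `system.stateVersion = "22.11"; # Did you read the comment?` and upgrade the channel or flake input independently. The rest of the hunk only relocates settings into the new `./services` and `./system` modules.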
diff --git a/hosts/hydrogen/services/acme/default.nix b/hosts/hydrogen/services/acme/default.nix
new file mode 100644
index 0000000..cbb9991
--- /dev/null
+++ b/hosts/hydrogen/services/acme/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@fainsin.bzh";
+ };
+}
diff --git a/hosts/hydrogen/services/default.nix b/hosts/hydrogen/services/default.nix
index 9991407..dff763b 100644
--- a/hosts/hydrogen/services/default.nix
+++ b/hosts/hydrogen/services/default.nix
@@ -1 +1,3 @@
-{ imports = [ ./atuin ./blocky ./gitea ./wireguard ]; }
+{ ... }: {
+ imports = [ ./acme ./atuin ./blocky ./fail2ban ./gitea ./nginx ./wireguard ];
+}
diff --git a/hosts/hydrogen/services/fail2ban/default.nix b/hosts/hydrogen/services/fail2ban/default.nix
new file mode 100644
index 0000000..ce97121
--- /dev/null
+++ b/hosts/hydrogen/services/fail2ban/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ };
+}
diff --git a/hosts/hydrogen/services/nginx/default.nix b/hosts/hydrogen/services/nginx/default.nix
new file mode 100644
index 0000000..0160b83
--- /dev/null
+++ b/hosts/hydrogen/services/nginx/default.nix
@@ -0,0 +1,12 @@
+{ ... }: {
+ services.nginx = {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ imports = [ ./personal-websites.nix ];
+}
diff --git a/hosts/hydrogen/services/nginx/personal-websites.nix b/hosts/hydrogen/services/nginx/personal-websites.nix
new file mode 100644
index 0000000..58c2f98
--- /dev/null
+++ b/hosts/hydrogen/services/nginx/personal-websites.nix
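Review bot: `services.fail2ban` in `services/fail2ban/default.nix` is enabled with only `maxretry = 5`, so, as far as I recall the NixOS module, only the sshd jail it ships by default is active and the nginx virtual hosts added in the same commit are not covered by any jail. `ignoreIP` is also left empty, so five failed logins from the administrator's own network lock the administrator out along with everyone else; `ignoreIP = [ "<ADMIN-CIDR placeholder>" ];` avoids that, and `bantime-increment.enable = true;` makes repeat offenders wait longer each time instead of the flat default bantime. Neither is a blocker, but with port 22 open to the whole internet in `system/networking/default.nix` this module is the visible brute-force control on the host, so its tuning deserves a second look.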
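Review bot: `imports = [ ./personal-websites.nix ];` sits after the `services.nginx` attribute set at the end of `services/nginx/default.nix`, while every other module in this commit (`services/default.nix`, `system/default.nix`) lists `imports` first. Placing `imports = [ ./personal-websites.nix ];` directly under `{ ... }: {` shows the module's dependency on the vhost file before its options and keeps the new files consistent with each other. Evaluation is unaffected either way, so this is purely about how the module reads.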
@@ -0,0 +1,21 @@
+{ ... }: {
+ services.nginx.virtualHosts = {
+
+ "fainsin.bzh" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".return =
+ ''301 "$scheme://laurent.fainsin.bzh$request_uri"'';
+ };
+ "laurent.fainsin.bzh" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/srv/www/";
+ };
+ default = {
+ default = true;
+ locations."/".return = ''301 "$scheme://fainsin.bzh" '';
+ };
+
+ };
+}
diff --git a/hosts/hydrogen/system/default.nix b/hosts/hydrogen/system/default.nix
new file mode 100644
index 0000000..04c6657
--- /dev/null
+++ b/hosts/hydrogen/system/default.nix
@@ -0,0 +1 @@
+{ ... }: { imports = [ ./networking ./packages ./users ]; }
diff --git a/hosts/hydrogen/system/networking/default.nix b/hosts/hydrogen/system/networking/default.nix
new file mode 100644
index 0000000..f4ed367
--- /dev/null
+++ b/hosts/hydrogen/system/networking/default.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+ networking = {
+ hostName = "hydrogen";
+ domain = "fainsin.bzh";
+ firewall = {
+ allowedTCPPorts = [
+ 22 # ssh
+ 80 # http
+ 443 # https
+ ];
+ };
+ };
+}
diff --git a/hosts/hydrogen/system/packages/default.nix b/hosts/hydrogen/system/packages/default.nix
new file mode 100644
index 0000000..14ecb12
--- /dev/null
+++ b/hosts/hydrogen/system/packages/default.nix
@@ -0,0 +1 @@
+{ pkgs, ... }: { environment.systemPackages = with pkgs; [ htop ]; }
diff --git a/hosts/hydrogen/system/users/default.nix b/hosts/hydrogen/system/users/default.nix
new file mode 100644
index 0000000..6f5b4f3
--- /dev/null
+++ b/hosts/hydrogen/system/users/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ users.mutableUsers = false;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu"
+ ];
+}
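Review bot: `forceSSL = true` on `"fainsin.bzh"` and `"laurent.fainsin.bzh"` in `personal-websites.nix` only installs the HTTP→HTTPS redirect; neither vhost sends a Strict-Transport-Security header, so every first visit over plain HTTP stays exposed until the redirect is followed. A per-vhost `extraConfig = ''add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'';` closes that gap once the HTTPS setup is known to be stable (HSTS is hard to roll back, so start with a short max-age). Separately, the `default` vhost has neither `enableACME` nor `forceSSL`, so it presumably binds only port 80 and TLS requests for unmatched names on 443 fall through to whichever TLS server block nginx selects first — worth confirming that is the intended behaviour for requests to the bare IP.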
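Review bot: `users.users.root.openssh.authorizedKeys.keys` in `system/users/default.nix` makes SSH-as-root the only login path, and nothing in this commit pins the sshd settings that decide what else is accepted: with `users.mutableUsers = false` and no password declared, root cannot log in with a password, but password authentication itself presumably stays enabled for any other account unless the openssh module turns it off (depending on the nixpkgs revision, `services.openssh.settings.PasswordAuthentication = false;` or the older `services.openssh.passwordAuthentication = false;`). A dedicated wheel user holding the key, with `PermitRootLogin` left at the NixOS default, keeps root off the remote attack surface and gives the audit log a named principal. Either way this file is where a future reader will look for the SSH policy, so a one-line comment such as `# sshd policy (root login, password auth) lives in <openssh module path>` pointing to wherever openssh is configured would help.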