diff --git a/nixos/systems/heater/default.nix b/nixos/systems/heater/default.nix
index ed7c70c..868cf54 100644
--- a/nixos/systems/heater/default.nix
+++ b/nixos/systems/heater/default.nix
@@ -12,6 +12,7 @@
 (lib')
 flip
 mapAttrs
+ loadSecrets
 singleton
 ;
 
@@ -24,7 +25,7 @@ in {
 specialArgs = {
 config' = config';
 inputs' = inputs;
- secret = lib'.loadSecrets;
+ secret = loadSecrets inputs.secret;
 };
 modules =
 singleton
@@ -34,32 +35,24 @@ in {
 ...
 }: {
 imports = [
- ./xserver.nix
- ../../common/steam.nix
 ./grub.nix
 ./networking.nix
 ./filesystems.nix
 ./hardware.nix
 ./users.nix
 ./nixpkgs.nix
- ../../common/sound.nix
- ];
+ ./impermenance.nix
+ ../../common/remote_access.nix
 
- _module.args.nixinate = {
- host = secret.network.ips.heater or "";
- sshUser = "main";
- buildOn = "local";
- substituteOnTarget = true;
- hermetic = false;
- nixOptions = [
- "--override-input secret path://$HOME/dotfiles/secret"
- ];
- };
+ inputs.notnft.nixosModules.default
+ inputs.self.nixosModules.notnft
+ inputs.impermenance.nixosModules.impermanence
+ ];
 
 services.fwupd.enable = true;
 time.timeZone = "Europe/Amsterdam";
- system.stateVersion = "20.09";
+ system.stateVersion = "23.11";
 });
 };
 }
diff --git a/nixos/systems/heater/filesystems.nix b/nixos/systems/heater/filesystems.nix
index 35820bf..6cc4e08 100644
--- a/nixos/systems/heater/filesystems.nix
+++ b/nixos/systems/heater/filesystems.nix
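Review bot: The misspelling `impermenance` is introduced in three identifiers in the third hunk — the new file `./impermenance.nix`, the flake input `inputs.impermenance`, and the attribute path `inputs.impermenance.nixosModules.impermanence`, where the upstream module name is spelled correctly on the same line. Renaming the input and the file to `impermanence` now, before other hosts reference them, removes a permanent source of typos; once the input is renamed where it is declared, the line becomes `inputs.impermanence.nixosModules.impermanence`. The `system.stateVersion` change from `"20.09"` to `"23.11"` is only safe because this commit also rebuilds the host from scratch (new pool `heater-ssd`, tmpfs root and new disk UUIDs in filesystems.nix); a comment such as `# fresh install on tmpfs root, not an in-place upgrade of existing state` next to it would keep a later reader from treating it as a routine bump. The enclosing `modules` function ends within this hunk.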
@@ -1,75 +1,58 @@
 {secret, ...}: let
- nfsOptions = [
- "noauto"
- "X-mount.mkdir"
- "x-systemd.device-timeout=10"
- "timeo=14"
- "soft"
- "noatime"
- "x-systemd.after=wireguard-wg0.target"
- "x-systemd.wants=wireguard-wg0.target"
- ];
-
- blowholeAddress = secret.network.ips.blowhole.dns or "";
 in {
+ systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
+
 fileSystems = {
 "/" = {
- device = "heater-zpool/local/root";
+ device = "none";
+ fsType = "tmpfs";
+ options = ["defaults" "size=512M" "mode=755" "noexec"];
+ };
+
+ "/tmp" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = ["defaults" "size=512M" "mode=755"];
+ };
+
+ "/nix/persist" = {
+ device = "heater-ssd/persist";
 fsType = "zfs";
+ neededForBoot = true;
 };
 
 "/nix" = {
- device = "heater-zpool/local/nix";
+ device = "heater-ssd/local/nix";
 fsType = "zfs";
 };
 
 "/home" = {
- device = "heater-zpool/safe/home";
+ device = "heater-ssd/ephemeral/home";
 fsType = "zfs";
+ neededForBoot = true;
 };
 
- "/var/lib/nomad" = {
- device = "heater-zpool/persist/nomad";
+ "/root" = {
+ device = "heater-ssd/ephemeral/root";
 fsType = "zfs";
+ neededForBoot = true;
 };
 
- "/var/lib/syncthing" = {
- device = "heater-zpool/persist/syncthing";
- fsType = "zfs";
- };
-
- "/etc/vault-agent" = {
- device = "heater-zpool/persist/vault-agent";
+ "/nix/tmp" = {
+ device = "heater-ssd/ephemeral/nix-tmp";
 fsType = "zfs";
+ neededForBoot = true;
 };
 
 "/boot" = {
- device = "/dev/disk/by-uuid/5e590840-9e62-4231-8ac5-e6a27325254d";
+ device = "/dev/disk/by-uuid/c0a6bfbb-3553-4dc9-a299-b70070b8a52b";
 fsType = "ext4";
 };
 
 "/boot/EFI" = {
- device = "/dev/disk/by-uuid/D381-9D12";
+ device = "/dev/disk/by-uuid/90B0-657C";
 fsType = "vfat";
 };
-
- "/mnt/cartman" = {
- device = "${blowholeAddress}:/mnt/cartman";
- fsType = "nfs";
- options = nfsOptions;
- };
-
- "/mnt/kyle" = {
- device = "${blowholeAddress}:/mnt/kyle";
- fsType = "nfs";
- options = nfsOptions;
- };
-
- "/mnt/stan" = {
- device = "${blowholeAddress}:/mnt/stan";
- fsType = "nfs";
- options = nfsOptions;
- };
 };
 
 swapDevices = [];
diff --git a/nixos/systems/heater/grub.nix b/nixos/systems/heater/grub.nix
index 3bcfd24..1d1cd96 100644
--- a/nixos/systems/heater/grub.nix
+++ b/nixos/systems/heater/grub.nix
@@ -3,6 +3,7 @@
 lib,
 ...
 }: {
+ boot.initrd.systemd.enable = true;
 boot.loader = {
 systemd-boot.enable = false;
 efi.canTouchEfiVariables = true;
diff --git a/nixos/systems/heater/hardware.nix b/nixos/systems/heater/hardware.nix
index b29a586..828972f 100644
--- a/nixos/systems/heater/hardware.nix
+++ b/nixos/systems/heater/hardware.nix
@@ -11,7 +11,7 @@
 singleton
 ;
 
- kernelPackages = pkgs.linuxKernel.packages.linux_6_1;
+ kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
 in {
 boot = {
 initrd.availableKernelModules = [
diff --git a/nixos/systems/heater/impermenance.nix b/nixos/systems/heater/impermenance.nix
new file mode 100644
index 0000000..144d14a
--- /dev/null
+++ b/nixos/systems/heater/impermenance.nix
@@ -0,0 +1,82 @@
+{
+ inputs',
+ pkgs,
+ ...
+}: let
+ rollbackStart = pkgs.writeText "rollback-start" ''
+ ${pkgs.rolling_datasets}/bin/roll_dataset "heater-ssd/ephemeral/home" "10"
+ ${pkgs.rolling_datasets}/bin/roll_dataset "heater-ssd/ephemeral/root" "10"
+ ${pkgs.rolling_datasets}/bin/roll_dataset "heater-ssd/ephemeral/nix-tmp" "10"
+ '';
+in {
+ nixpkgs.overlays = [
+ inputs'.self.overlays.show-files-to-be-deleted
+ inputs'.self.overlays.rolling_datasets
+ ];
+
+ environment.systemPackages = [
+ pkgs.show-files-to-be-deleted
+ ];
+
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+
+ boot.initrd.systemd.storePaths = with pkgs; [
+ zfs
+ busybox
+ rolling_datasets
+ rollbackStart
+ ];
+ boot.initrd.systemd.services.rollback = {
+ description = "Rollback ZFS datasets to a pristine state";
+ wantedBy = [
+ "initrd.target"
+ ];
+ after = [
+ "zfs-import-heater-ssd.service"
+ ];
+ before = [
+ "sysroot.mount"
+ ];
+ path = with pkgs; [
+ zfs
+ busybox
+ ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ serviceConfig.ExecStart = "/bin/sh ${rollbackStart}";
+ };
+
+ systemd.services."mount-old-datasets" = {
+ description = "Mount old versions of datasets";
+
+ wantedBy = ["local-fs.target"];
+ after = ["local-fs.target"];
+
+ script = ''
+ ${pkgs.rolling_datasets}/bin/mount_datasets "heater-ssd/ephemeral/home" "/home/.old"
+ ${pkgs.rolling_datasets}/bin/mount_datasets "heater-ssd/ephemeral/root" "/root/.old"
+ ${pkgs.rolling_datasets}/bin/mount_datasets "heater-ssd/ephemeral/nix-tmp" "/nix/tmp/.old"
+ '';
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ TimeoutStartSec = "5m";
+ };
+ };
+}
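Review bot: `rollbackStart` runs without `set -e`, so if the first `roll_dataset` call fails the other two still run and the unit's exit status reflects only the last one; and because `rollback` is merely ordered `before = ["sysroot.mount"]` rather than required by it, a failed rollback does not stop the boot and the host comes up with the previous boot's `home`, `root` and `nix-tmp` contents still in place, which is exactly what the ephemeral datasets are meant to prevent. Starting the script with `set -eu` surfaces partial failures, and `requiredBy = ["sysroot.mount"];` on the unit would turn a failed rollback into a boot failure instead of a silent fallthrough; whichever behaviour is intended belongs in the unit's `description`. The second argument `"10"` passed to every `roll_dataset` call is unexplained; a comment on the `rollbackStart` binding naming what it controls (a snapshot count is a guess, not something this file shows) would help the next reader. `mount-old-datasets` is both `wantedBy` and `after` `local-fs.target`, which systemd accepts but reads like a cycle; `wantedBy = ["multi-user.target"];` states more plainly that this is a late, non-blocking mount.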
diff --git a/nixos/systems/heater/nixpkgs.nix b/nixos/systems/heater/nixpkgs.nix
index 9bec6ec..9432997 100644
--- a/nixos/systems/heater/nixpkgs.nix
+++ b/nixos/systems/heater/nixpkgs.nix
@@ -10,12 +10,6 @@
 nixpkgs.overlays =
 (with config'.flake.overlays; [
 emacsclient-remote
- magic-screenshot
- emacs-rofi
- tree-sitter-grammars
- emacs-master-nativecomp
- ledger-compat
- thingiverse-downloader
 ])
 ++ (with inputs'.nixng.overlays; [
 default
diff --git a/nixos/systems/heater/users.nix b/nixos/systems/heater/users.nix
index fcc3200..7ab5b09 100644
--- a/nixos/systems/heater/users.nix
+++ b/nixos/systems/heater/users.nix
@@ -16,8 +16,8 @@
 secret = secret;
 };
 home-manager.users.main = {
- imports = [(inputs'.self + "/home-manager/modules/profiles/workstation.nix")];
+ imports = [(inputs'.self + "/home-manager/modules/profiles/server.nix")];
 
- home.stateVersion = "21.05";
+ home.stateVersion = "23.11";
 };
 }
diff --git a/nixos/systems/heater/xserver.nix b/nixos/systems/heater/xserver.nix
deleted file mode 100644
index 95f4a9f..0000000
--- a/nixos/systems/heater/xserver.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- pkgs,
- lib,
- ...
-}: let
- inherit
- (lib)
- getExe
- ;
-in {
- imports = [
- ../../common/xserver.nix
- ];
-
- services.xserver.videoDrivers = ["nvidia"];
-}
diff --git a/nixos/systems/omen/firewall.nix b/nixos/systems/omen/firewall.nix
index 8fe877a..aa1c31c 100644
--- a/nixos/systems/omen/firewall.nix
+++ b/nixos/systems/omen/firewall.nix
@@ -124,6 +124,8 @@
 [(is.eq ip.protocol (f: with f; set [tcp])) (is.eq th.dport (set [22 4646 8200])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.toothpick or "")) accept]
 # TCP 22 altra
 [(is.eq ip.protocol (f: with f; set [tcp])) (is.eq th.dport (set [22])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept]
+ # TCP 22 heater
+ [(is.eq ip.protocol (f: with f; set [tcp])) (is.eq th.dport (set [22])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.heater or "")) accept]
 # ICMP to blowhole, toothpick, altra
 [(is.eq ip.protocol (f: f.icmp)) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (set [(secret.network.ips.toothpick or "") (secret.network.ips.altra.ip or "") (secret.network.ips.blowhole.ip or "")])) accept]
 [(is.eq ip.protocol (f: f.tcp)) (is.eq th.dport 8883) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept]
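Review bot: The new heater rule duplicates the altra rule above it except for `ip.daddr`; folding the destination into a set on the existing rule, as the ICMP rule below already does with `(is.eq ip.daddr (set [...]))`, keeps one rule per intent instead of a growing list of copy-pasted TCP 22 entries: `(is.eq ip.daddr (set [(secret.network.ips.altra.ip or "") (secret.network.ips.heater or "")]))`, with the comment changed to `# TCP 22 altra, heater`. Both rules rely on the `or ""` fallback when the secret input is absent; what notnft generates for an empty `ip.daddr` is not visible here, so it is worth confirming that an unset address yields a rule that matches nothing rather than one that is silently dropped or matches everything. The enclosing rule list starts and ends outside the hunk.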