diff --git a/flake.nix b/flake.nix
index e14dd4f..933f307 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,13 +52,13 @@
 mkSystem = if !(self ? rev)
 then throw "Dirty git tree detected."
 else
- nixpkgs: name: arch: enableGUI: nixpkgs.lib.nixosSystem {
+ nixpkgs: name: arch: enableGUI: extraModules: nixpkgs.lib.nixosSystem {
 system = arch;
 modules = [
 { nixpkgs.overlays = overlays; }
 agenix.nixosModules.age
 (./hosts + "/${name}")
- ];
+ ] ++ extraModules;
 specialArgs = {
 inherit inputs enableGUI;
 modules = import ./modules { lib = nixpkgs.lib; };
@@ -66,10 +66,16 @@
 };
 in {
- nixosConfigurations."blossom" = mkSystem nixpkgs "blossom" "x86_64-linux" true;
+ nixosConfigurations."blossom" = mkSystem nixpkgs "blossom" "x86_64-linux" true [];
- nixosConfigurations."caramel" = mkSystem nixpkgs-porcupine "caramel" "aarch64-linux" false;
- nixosConfigurations."sugarcane" = mkSystem nixpkgs-porcupine "sugarcane" "x86_64-linux" false;
+ nixosConfigurations."caramel" = mkSystem nixpkgs-porcupine "caramel" "aarch64-linux" false [{
+ nixpkgs.overlays = [
+ (self: super: {
+ makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
+ })
+ ];
+ }];
+ nixosConfigurations."sugarcane" = mkSystem nixpkgs-porcupine "sugarcane" "x86_64-linux" false [];
 packages."x86_64-linux" = let
@@ -92,18 +98,7 @@
 {
 inherit (pkgs) nixUnstable;
- caramel-iso = nixos-generators.nixosGenerate {
- inherit pkgs;
- format = "sd-aarch64";
- modules = [
- agenix.nixosModules.age
- ./hosts/caramel
- ];
- specialArgs = {
- inherit inputs;
- modules = import ./modules { lib = nixpkgs-porcupine.lib; };
- };
- };
+ caramel-img = self.nixosConfigurations."caramel".config.system.build.sdImage;
 };
 # TODO: currently broken
diff --git a/hosts/caramel/default.nix b/hosts/caramel/default.nix
index 1e3bd35..098042f 100644
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
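Review bot: The `makeModulesClosure` override that sets `allowMissing = true` carries no comment saying which kernel modules it is meant to tolerate; because it makes the initrd build skip any module absent from the caramel kernel, a typo or a genuinely needed entry in `boot.initrd.kernelModules` (kernel.nix in this commit adds `"overlay"`) now surfaces as a boot failure instead of a build error. Add a line above the overlay such as `# allowMissing: the Pi kernel lacks some modules requested for the initrd — TODO list them so this can be dropped when no longer needed`. The `mkSystem` definition this feeds starts above the hunk.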
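Review bot: `caramel-img` is placed under `packages."x86_64-linux"` but is an `aarch64-linux` derivation (caramel is built with `"aarch64-linux"` in the previous hunk), so `nix build .#caramel-img` on an x86_64 machine needs `boot.binfmt.emulatedSystems` or an aarch64 remote builder, and the mismatch may be reported by `nix flake check`. A comment on the line, e.g. `# aarch64-linux derivation; building here needs binfmt emulation or a remote aarch64 builder`, would save the next person the surprise. The `let` block that defines `pkgs` begins above the hunk.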
@@ -1,4 +1,4 @@
-{ config, inputs, modules, overlays, pkgs, ... }: {
+{ config, inputs, modules, modulesPath, overlays, pkgs, ... }: {
 networking.hostName = "caramel";
 system.stateVersion = "21.11";
 time.timeZone = "Asia/Phnom_Penh";
@@ -12,6 +12,7 @@
 };
 imports = (with modules.system; [
+ "${builtins.toString modulesPath}/installer/sd-card/sd-image-aarch64.nix"
 inputs.home-manager-porcupine.nixosModule
 base
@@ -19,19 +20,23 @@
 input
 nix-porcupine
 security
+ transmission
 wireguard
 ./filesystem.nix
 ./kernel.nix
+ ./image.nix
 ./networking.nix
 ./packages.nix
 ../../users/hana
 ]) ++ (with modules.services; [
- nginx
- postgres
- synapse
+# nginx
+# postgres
+# synapse
+ jellyfin
+ sonarr
 tmptsync
 unbound
 vaultwarden
diff --git a/hosts/caramel/filesystem.nix b/hosts/caramel/filesystem.nix
index c03acda..5cc264c 100644
--- a/hosts/caramel/filesystem.nix
+++ b/hosts/caramel/filesystem.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
 bind = src: {
 depends = [ "/persist" ];
@@ -9,16 +9,31 @@ let
 };
 in {
 fileSystems = {
- "/" = {
+ "/" = lib.mkForce {
 device = "rootfs";
 fsType = "tmpfs";
- options = [ "defaults" "size=2G" "mode=755" ];
+ options = [ "defaults" "size=1G" "mode=755" ];
 };
- "/nix" = {
+ # "/nix" = {
+ # device = "overlayfs";
+ # fsType = "overlay";
+ # options = [
+ # "lowerdir=/mnt/image/nix"
+ # "upperdir=/persist/nix-overlay"
+ # "workdir=/persist/.overlaytmp"
+ # ];
+ # noCheck = true;
+ # depends = [ "/mnt/image" "/persist" ];
+ # };
+
+ "/nix" = (bind "/mnt/image/nix") // { depends = [ "/mnt/image" ]; };
+
+ "/mnt/image" = {
 device = "/dev/disk/by-label/NIXOS_SD";
 fsType = "ext4";
 options = [ "defaults" "noatime" ];
+ neededForBoot = true;
 };
 "/persist" = {
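Review bot: `nginx`, `postgres` and `synapse` are kept in the services list as column-0 `#` lines instead of being removed, while `vaultwarden` stays enabled; if nginx was the TLS-terminating proxy in front of vaultwarden (its module is not in this diff), disabling it may leave vaultwarden reachable only over plain HTTP on its own port, or not at all, so that is worth confirming before the image is flashed. Either delete the three lines — history keeps them — or indent them with the list and give the reason, e.g. `# nginx/postgres/synapse disabled on caramel: <reason> — TODO re-enable`. The `imports` expression continues past the hunk.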
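Review bot: The eleven commented-out `"/nix"` overlayfs lines are dead configuration sitting beside the live bind mount two lines below, and nothing records whether the overlay is planned or abandoned, while kernel.nix in this commit still adds `"overlay"` to `boot.initrd.kernelModules` for it. Either drop the block or head it with `# overlay store disabled: <reason> — TODO`. Separately, the `lib.mkForce` on `"/"` is presumably needed because the sd-image module imported in default.nix defines `/` itself on the same `NIXOS_SD` label that `"/mnt/image"` now mounts — a comment stating that would explain the force to a later reader. The `fileSystems` attrset continues past the hunk.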
@@ -28,9 +43,8 @@ in {
 neededForBoot = true;
 };
- "/var/persist" = bind "/persist";
 "/var/lib/acme" = bind "/persist/acme";
 "/var/log/journal" = bind "/persist/journal";
- "/boot" = (bind "/nix/persist/boot") // { depends = [ "/nix" ]; };
+ "/boot" = (bind "/mnt/image/boot") // { depends = [ "/mnt/image" ]; };
 };
 }
diff --git a/hosts/caramel/image.nix b/hosts/caramel/image.nix
new file mode 100644
index 0000000..a7e9975
--- /dev/null
+++ b/hosts/caramel/image.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }: {
+ sdImage.expandOnBoot = false;
+ boot.postBootCommands = ''
+ # On the first boot do some maintenance tasks
+ if [ -f /mnt/image/nix-path-registration ]; then
+ set -euo pipefail
+ set -x
+ # Figure out device names for the boot device and root filesystem.
+ rootPart=$(${pkgs.util-linux}/bin/findmnt -n -o SOURCE /mnt/image)
+ bootDevice=$(lsblk -npo PKNAME $rootPart)
+ partNum=$(lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')
+
+ # Resize the root partition and the filesystem to fit the disk
+ echo ",+," | sfdisk -N$partNum --no-reread $bootDevice
+ ${pkgs.parted}/bin/partprobe
+ ${pkgs.e2fsprogs}/bin/resize2fs $rootPart
+
+ # Register the contents of the initial Nix store
+ ${config.nix.package.out}/bin/nix-store --load-db < /mnt/image/nix-path-registration
+
+ # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
+ touch /etc/NIXOS
+ ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+
+ # Prevents this from running on later boots.
+ rm -f /mnt/image/nix-path-registration
+ fi
+ '';
+}
diff --git a/hosts/caramel/kernel.nix b/hosts/caramel/kernel.nix
index e621ed3..8c8e9a8 100644
--- a/hosts/caramel/kernel.nix
+++ b/hosts/caramel/kernel.nix
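Review bot: `lsblk` (twice) and `sfdisk` are invoked by bare name while `findmnt`, `awk`, `partprobe` and `resize2fs` are pinned to store paths; under `set -euo pipefail` a stage-2 PATH without util-linux aborts the block before `nix-store --load-db` runs, and `set -e` stays in effect for whatever follows this snippet in the boot script. Pin them the same way: `bootDevice=$(${pkgs.util-linux}/bin/lsblk -npo PKNAME $rootPart)`, `partNum=$(${pkgs.util-linux}/bin/lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')` and `echo ",+," | ${pkgs.util-linux}/bin/sfdisk -N$partNum --no-reread $bootDevice`. Since `sdImage.expandOnBoot = false` switches off the upstream first-boot hook, a header comment saying this is that hook re-targeted at `/mnt/image` — and that `touch /etc/NIXOS` lands on the tmpfs root declared in filesystem.nix — would document why the file exists.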
@@ -1,11 +1,15 @@
-{ config, inputs, pkgs, ... }: {
+{ config, inputs, lib, pkgs, ... }: {
 imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 ];
 hardware.raspberry-pi."4".fkms-3d.enable = true;
- boot.kernel.sysctl = {
- "kernel.core_pattern" = "|/bin/false";
- "kernel.sysrq" = 1;
+ boot = {
+ initrd.kernelModules = [ "overlay" ];
+ supportedFilesystems = lib.mkForce [ "btrfs" "vfat" ];
+ kernel.sysctl = {
+ "kernel.core_pattern" = "|/bin/false";
+ "kernel.sysrq" = 1;
+ };
 };
 }
diff --git a/hosts/sugarcane/filesystem.nix b/hosts/sugarcane/filesystem.nix
index c929023..cc3db8e 100644
--- a/hosts/sugarcane/filesystem.nix
+++ b/hosts/sugarcane/filesystem.nix
@@ -22,7 +22,7 @@ in {
 neededForBoot = true;
 };
- "/var/persist" = bind "/nix/persist";
+ "/persist" = bind "/nix/persist";
 "/var/log/journal" = bind "/nix/persist/journal";
 "/boot" = bind "/nix/persist/boot";
 };
diff --git a/modules/default.nix b/modules/default.nix
index ed774ca..5287a7e 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -15,8 +15,10 @@ let
 );
 in {
 services = mkAttrsFromPaths [
+ ./services/jellyfin.nix
 ./services/nginx.nix
 ./services/postgres.nix
+ ./services/sonarr.nix
 ./services/synapse.nix
 ./services/tmptsync.nix
 ./services/unbound.nix
diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix
new file mode 100644
index 0000000..4a52ed6
--- /dev/null
+++ b/modules/services/jellyfin.nix
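Review bot: `supportedFilesystems = lib.mkForce [ "btrfs" "vfat" ]` discards every other definition of the option, including the `ext4` NixOS normally derives from `fileSystems."/mnt/image".fsType` (filesystem.nix in this commit) and whatever the sd-image module contributes, so the initrd only mounts `/mnt/image` if ext4 is built into the Pi kernel. Prefer `supportedFilesystems = lib.mkForce [ "btrfs" "ext4" "vfat" ];`, or drop `mkForce` and say in a comment which default it is meant to suppress. `initrd.kernelModules = [ "overlay" ]` appears to exist for the overlayfs `/nix` that filesystem.nix leaves commented out — note that or remove it.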
@@ -0,0 +1,28 @@
+{ ... }:
+let
+ dir = "/persist/jellyfin";
+in
+{
+ fileSystems."/var/lib/jellyfin" = {
+ depends = [ "/persist" ];
+ device = dir;
+ fsType = "none";
+ options = [ "bind" ];
+ };
+ system.activationScripts."jellyfin-create-bind-mount" = {
+ deps = [ "users" "groups" ];
+ text = ''
+ mkdir -p ${dir}
+ chown jellyfin:jellyfin ${dir}
+ chmod 700 ${dir}
+ '';
+ };
+ systemd.tmpfiles.rules = [
+ "d /tmp/jelly-transcodes 700 jellyfin jellyfin"
+ "L+ /var/lib/jellyfin/transcodes - - - - /tmp/jelly-transcodes"
+ ];
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+}
diff --git a/modules/services/sonarr.nix b/modules/services/sonarr.nix
new file mode 100644
index 0000000..b64d5ef
--- /dev/null
+++ b/modules/services/sonarr.nix
@@ -0,0 +1,11 @@
+{ ... }:
+let
+ dir = "/persist/sonarr";
+in
+{
+ services.sonarr = {
+ enable = true;
+ dataDir = dir;
+ openFirewall = true;
+ };
+}
diff --git a/modules/system/base.nix b/modules/system/base.nix
index af1106a..0ca07dc 100644
--- a/modules/system/base.nix
+++ b/modules/system/base.nix
@@ -1,10 +1,10 @@
 { config, enableGUI, inputs, modules, overlays, ... }: {
 environment.etc = {
- "machine-id".source = "/var/persist/machine-id";
- "ssh/ssh_host_rsa_key".source = "/var/persist/ssh_host_rsa_key";
- "ssh/ssh_host_rsa_key.pub".source = "/var/persist/ssh_host_rsa_key.pub";
- "ssh/ssh_host_ed25519_key".source = "/var/persist/ssh_host_ed25519_key";
- "ssh/ssh_host_ed25519_key.pub".source = "/var/persist/ssh_host_ed25519_key.pub";
+ "machine-id".source = "/persist/machine-id";
+ "ssh/ssh_host_rsa_key".source = "/persist/ssh_host_rsa_key";
+ "ssh/ssh_host_rsa_key.pub".source = "/persist/ssh_host_rsa_key.pub";
+ "ssh/ssh_host_ed25519_key".source = "/persist/ssh_host_ed25519_key";
+ "ssh/ssh_host_ed25519_key.pub".source = "/persist/ssh_host_ed25519_key.pub";
 };
 environment.pathsToLink = [ "/share/zsh" ];
diff --git a/modules/system/security.nix b/modules/system/security.nix
index eeedda7..a0399f0 100644
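Review bot: `openFirewall = true` here and in the new sonarr.nix opens both web UIs (plus Jellyfin's discovery UDP ports) on every interface, including the WireGuard interface the `wireguard` module caramel imports presumably brings up, and nothing in the commit puts them behind nginx — which this commit disables on caramel. If exposure should stop at the LAN, replace `openFirewall` with `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts` for the specific ports. Two smaller points: `chmod 700 ${dir}` re-runs on every activation, so any deliberately looser mode on `/persist/jellyfin` is silently reverted, and the `d /tmp/jelly-transcodes` rule only pairs with the `L+` symlink if the jellyfin unit does not use `PrivateTmp` — confirm against the module.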
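Review bot: The five `/var/persist` → `/persist` sources in `environment.etc` (and the two `hostKeys` paths in the security.nix hunk) assume every host importing these modules mounts `/persist`; caramel and sugarcane do after this commit, but blossom's filesystem config is not touched, so if it still only provides `/var/persist` its `machine-id` symlink and SSH host keys will dangle after the next rebuild and sshd will likely generate fresh host keys, breaking known_hosts for every client. Confirm blossom before deploying, and record the contract above the attrset, e.g. `# every host must expose its persistent state at /persist (see hosts/*/filesystem.nix)`.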
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -15,12 +15,12 @@
 hostKeys = [
 {
 bits = 4096;
- path = "/var/persist/ssh_host_rsa_key";
+ path = "/persist/ssh_host_rsa_key";
 rounds = 100;
 type = "rsa";
 }
 {
- path = "/var/persist/ssh_host_ed25519_key";
+ path = "/persist/ssh_host_ed25519_key";
 rounds = 100;
 type = "ed25519";
 }
diff --git a/modules/system/transmission.nix b/modules/system/transmission.nix
index 9c1d27c..202b5ae 100644
--- a/modules/system/transmission.nix
+++ b/modules/system/transmission.nix
@@ -12,6 +12,8 @@
 alt-speed-time-enabled = true;
 alt-speed-time-end = 1380;
 alt-speed-up = 256;
+ download-dir = "/persist/transmission/Downloads";
+ incomplete-dir = "/persist/transmission/.incomplete";
 ratio-limit-enabled = true;
 rpc-bind-address = "0.0.0.0";
 rpc-enabled = true;
diff --git a/res/authorized_keys b/res/authorized_keys
new file mode 100644
index 0000000..9e9178d
--- /dev/null
+++ b/res/authorized_keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15 rin@blossom
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5l9t8dc6mPsKKYqZlPKvhOdyqz+DS5UOcvHuh3uVGt @strawberry
diff --git a/users/hana/default.nix b/users/hana/default.nix
index 4bef521..9ccf5e5 100644
--- a/users/hana/default.nix
+++ b/users/hana/default.nix
@@ -24,8 +24,8 @@
 ];
 programs.git.signing.signByDefault = lib.mkForce false;
- programs.zsh.history.path = lib.mkForce "/nix/persist/hana/zsh_history";
+ programs.zsh.history.path = lib.mkForce "/persist/hana/zsh_history";
- home.file.".ssh/authorized_keys".source = config.lib.file.mkOutOfStoreSymlink "/nix/persist/hana/authorized_keys";
+ home.file.".ssh/authorized_keys".source = ../../res/authorized_keys;
 };
 }
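Review bot: Pointing `.ssh/authorized_keys` at a store path makes hana's SSH access depend on home-manager activation having succeeded and on `~/.ssh` existing at login time, which on caramel sits under a tmpfs root unless `/home` is persisted elsewhere; the NixOS-side `users.users.hana.openssh.authorizedKeys.keyFiles = [ ../../res/authorized_keys ];` serves the same file from `/etc/ssh/authorized_keys.d` without either dependency. Whichever is kept, a comment such as `# public keys only; rotate by editing res/authorized_keys and rebuilding` would explain why the out-of-store symlink was dropped. The enclosing home-manager block starts above the hunk.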