diff --git a/hosts/default.nix b/hosts/default.nix index f86454b..aa8d2fb 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -119,6 +119,20 @@ }; }; + + tpol = { + extraModules = with inputs; [ + lix-module.nixosModules.default + ]; + secrets = { + "tpol-wireguard-private-key" = { }; + }; + vpn = { + ip = "10.100.0.7"; + publicKey = "b/Pi7koTFo5CMAAzcL2ulvQ/0dUjKzbmXpvh4Lb/Bgo="; + }; + extraHmModulesUser = "mara"; + }; }; vpnExtra = { diff --git a/hosts/spock/default.nix b/hosts/spock/default.nix new file mode 100644 index 0000000..c564f78 --- /dev/null +++ b/hosts/spock/default.nix @@ -0,0 +1,48 @@ +{ + lib, + modulesPath, + ... +}: +{ + imports = [ + "${modulesPath}/installer/sd-card/sd-image-aarch64.nix" + ]; + + sdImage.compressImage = false; + + nixpkgs = { + # hostPlatform = lib.mkDefault "armv6-linux"; + # config = { + # allowUnfree = true; + # }; + # overlays = [ + # # Workaround: https://github.com/NixOS/nixpkgs/issues/154163 + # # modprobe: FATAL: Module sun4i-drm not found in directory + # (final: super: { + # makeModulesClosure = x: + # super.makeModulesClosure (x // {allowMissing = true;}); + # }) + # ]; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + }; + + networking = { + networkmanager.enable = false; + }; + + # Set your time zone. + time.timeZone = "Europe/Rome"; + + # Allow the user to log in as root without a password. + users.users.root.initialHashedPassword = ""; + + hardware.enableRedistributableFirmware = true; + system.stateVersion = "24.11"; +} diff --git a/hosts/tpol/default.nix b/hosts/tpol/default.nix new file mode 100644 index 0000000..9677c3d --- /dev/null +++ b/hosts/tpol/default.nix 
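Review bot: In hosts/spock/default.nix, `users.users.root.initialHashedPassword = "";` gives root an empty password on a host that also declares a persistent root filesystem and a `system.stateVersion`, so it reads as a long-lived machine rather than a throwaway installer image. Nothing visible in the file replaces that credential after first boot, so anyone with console access logs in as root without a prompt. I would drop the line and reach the host through a key-authorised user, or supply a real hash through the fleet's existing secrets mechanism. If the empty password is only meant for first-boot bring-up, say so in the comment, e.g. `# First-boot only: empty root password for console bring-up; replace before the host is deployed.`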
@@ -0,0 +1,95 @@
+{
+ modulesPath,
+ fleetModules,
+ pkgs,
+ lib,
+ vpn,
+ config,
+ ...
+}:
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix") ]
+ ++ fleetModules [
+ "common"
+ "ssh"
+ "nix"
+ "networkmanager"
+ "dbus"
+ "udisks2"
+ "xdg"
+ "printing"
+ "mara"
+ "xfce"
+ "battery"
+ "printing"
+ "wireguard-client"
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "sr_mod"
+ "rtsx_pci_sdmmc"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ boot.loader.grub.device = "/dev/sda";
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/1522f8d9-5251-408d-9b6e-ed6da7da916a";
+ fsType = "btrfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/e111fbc7-8e5d-4fcb-95c9-249f53ab0adc"; }
+ ];
+
+ mara = {
+ enable = true;
+ modules = [
+ "shell"
+ "mpv"
+ "firefox"
+ "git"
+ "chrome"
+ "udiskie"
+ "helix"
+ "remmina"
+ ];
+ };
+
+ # nevertheless this is a laptop the battery is completely gone, so it works only attached to electrictiy
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+
+ networking.firewall.allowedTCPPorts = [ 1234 ];
+
+ hardware.rtl-sdr.enable = true;
+
+ systemd.services.rtl-tcp = {
+ description = "rtl_sdr over TCP";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${lib.getExe' pkgs.rtl-sdr "rtl_tcp"} -a ${vpn.${config.networking.hostName}}
+ '';
+ };
+ };
+
+ systemd.services.sdrangelsrv = {
+ description = "sdrangelsrv";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${lib.getExe' pkgs.sdrangel "sdrangelsrv"} --remote-tcp-hwtype RTLSDR --remote-tcp-port 1234 --remote-tcp-address ${
+ vpn.${config.networking.hostName}
+ } --remote-tcp
+ '';
+ };
+ };
+
+}
diff --git a/lib/default.nix b/lib/default.nix
index a923f7d..9f885c1 100644
--- a/lib/default.nix
+++ b/lib/default.nix 
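Review bot: `networking.firewall.allowedTCPPorts = [ 1234 ];` in hosts/tpol/default.nix opens the port on every interface, although both services are told to listen on the VPN address only; scope the rule to the WireGuard interface instead, e.g. `networking.firewall.interfaces."<wg-interface>".allowedTCPPorts = [ 1234 ];` (placeholder: the interface name comes from the wireguard-client module, which is not in this diff). Both units also run as root because `serviceConfig` sets no `User` or `DynamicUser`, and the rtl_tcp protocol has no authentication, so every VPN peer can talk to a root-owned network daemon; a dedicated unprivileged user with access to the SDR device would narrow that. Separately, `rtl_tcp` is started without `-p` and, as far as I know, defaults to port 1234, the same port given to `sdrangelsrv` on the same address, so one of the two units will probably fail to bind. `"printing"` is also listed twice in the `fleetModules` list.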
@@ -12,6 +12,7 @@ pbp = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFF05LScu9m5BXMlFAT1g+g/AkAi7kvq1dY6W3Rzqq3f"; picard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1+1z1IsLVJ6aGarMgzw3NbmFKcpYVgdUjl7xDsewxT"; deltaflyer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETMwELvGTnhKJbpK0oFs4lK8vm/kV9KdgL9wufYDDQ"; + tpol = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQxHSow2l0TDWTonBPPaGvTgVvMS/xsQOf1nHnvLSwV"; }; }; } diff --git a/modules/mara/default.nix b/modules/mara/default.nix index 8696519..df60577 100644 --- a/modules/mara/default.nix +++ b/modules/mara/default.nix @@ -4,6 +4,7 @@ pkgs, fleetHmModules, fleetFlake, + vpn, ... }: { @@ -46,20 +47,33 @@ default = [ "wheel" "fuse" - "networkmanager" + "video" "dialout" + "systemd-journal" + "camera" + "networkmanager" ]; }; }; config = lib.mkIf config.mara.enable { + + programs.fish.enable = true; + + mara.modules = [ + "shell" + "git" + "nix-index" + "btop" + ]; + users.users.mara = { uid = 1001; inherit (config.mara) hashedPassword; description = "Mara Savastano"; isNormalUser = true; inherit (config.mara) extraGroups; - shell = pkgs.nushell; + shell = pkgs.fish; openssh.authorizedKeys.keys = config.mara.authorizedKeys; }; @@ -68,7 +82,16 @@ home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; home-manager.users.mara = { - imports = fleetHmModules config.mara.modules; + imports = fleetHmModules config.mara.modules ++ [ + { + _module.args = { + inherit (config.age) secrets; + inherit vpn; + username = "mara"; + hostname = config.networking.hostName; + }; + } + ]; home.packages = config.mara.packages; home.stateVersion = config.system.stateVersion; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2cebf84..a322a52 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -182,4 +182,8 @@ with keys.users; deltaflyer ]; + "tpol-wireguard-private-key.age".publicKeys = [ + ccr-ssh + tpol + ]; } 
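Review bot: In the last hunk of modules/mara/default.nix, `inherit (config.age) secrets;` hands the host's whole secret set to every home-manager module imported for mara, which is wider than any single user module needs. Assuming this is agenix, the attrset carries paths and metadata rather than plaintext, but a module that reads `secrets.<name>.path` at runtime only works if that secret's owner or mode lets mara read it, and as far as this diff shows the `"tpol-wireguard-private-key" = { };` entry in hosts/default.nix sets neither. I would document the contract next to the block, e.g. `# secrets: agenix entries (paths only); a secret read from home-manager must set owner = "mara"`, or pass only the entries the user modules consume. The second hunk of the same file also adds `systemd-journal`, `video` and `camera` to the default `extraGroups` for every host that enables the module, which deserves a one-line comment saying why each group is needed.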
diff --git a/secrets/tpol-wireguard-private-key.age b/secrets/tpol-wireguard-private-key.age new file mode 100644 index 0000000..f870a1d --- /dev/null +++ b/secrets/tpol-wireguard-private-key.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +qUiTcrs0L+daa9FAsa80rdJsZCKCJN76KREz7mU7FF3ZBGp4VvisP4hJSjNKheWW +pfVaefXfuIsw2GvGqUjNZMGHj650gGEqMtO6nLuetMuCIWF7uTdPpnNQMK6BB2ni +Wlfu2g4rul6aV+S6KNiVBqlKJn521TOkEutsXFjaAJpnRVOG50P/8k9fPzjXNZnj +NqmMhGjOE8tDs9TM1nWM4yYDX3KMDULvcBHycV3yQRzswEJc4jq9oLS8SbyE+4Hy +dH6hkWLiRMz06Xg4F0XifGY4lglcMiQqNdNe5xMZtuR33Z1GUiY9HGU5FvXmUbQx +HTWTklzH8q0vdEmb2tFftCM8AMeodI3CLBt+DNlQ3V0+izUmOJwTGz5OGfT6SiWY +epMF5kXmZipWu5KsEoY1hv1INvGR84LyicpOT2vPV7cakx9ahlCgV5vhdmcAZy5F +CRAhnvIsZZMHwGV9lmAMI93wgPyU0ybtwjSpPbHAqv0DQj+CBrEY5ict3+HhSe5J +QrfcLRsQRox3QuR/jQvixBX63qNaezYFmpBuWP7XI7PuPj7KdUgECNfMctcVmCSb +xHKmYkf8I8Si1doFOZbYOXheiI/zNk0xLAONPI+LQ6ZemUODhpcpRSSkhcDKQdtC +srxvyTvYOk4IFjmjuk2JyE1Vp6wg+aiySZlyfFA7WQY +-> ssh-ed25519 X7Q5KQ UoryJKCMOKeAkI1dbz8On5q0wSd+XIUCdWI31gyS6D4 +exrVhh9tGzQyToDKcv5sspbeKhdTp1q0wKuHWo+onKQ +--- QkkySHHmaJFZu2BNT0ZZ9NZipUbFqyzxL32YZx5DRbQ +wc^[v$j7Lmt{`0]l聾3 {C\XZ)Z$4d/.L \ No newline at end of file