diff --git a/default.nix b/default.nix
index 402c71d..165f85e 100755
--- a/default.nix
+++ b/default.nix
@@ -13,21 +13,16 @@ in {
 ] ++ (mapModulesRec' (toString ./modules) import);
+ # i mostly disagree with state versions, just use the oldest one i have set up
+ # they seem reasonable at first but are so messy across multiple hosts
+ # a lot of the time they're used for stuff that isn't even state (looking at you, home-manager)
 system.stateVersion = mkDefault "25.11";
 system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;
- boot = {
- kernelPackages = mkDefault pkgs.linuxPackages_latest;
- kernelParams = [ "pcie_aspm.policy=performance" ];
- };
+ boot.kernelPackages = mkDefault pkgs.linuxPackages_latest;
 time.timeZone = mkDefault "America/Los_Angeles";
- i18n.defaultLocale = mkDefault "en_US.UTF-8";
-
- hardware.enableRedistributableFirmware = true;
-
- environment.systemPackages = with pkgs; [
- git
- ];
+ # git is needed for flakes, yet, isn't in `environment.corePackages`
+ environment.systemPackages = with pkgs; [ git ];
 }
diff --git a/hosts/nixos-server-reid/default.nix b/hosts/nixos-server-reid/default.nix
index 414c510..f58ad8c 100755
--- a/hosts/nixos-server-reid/default.nix
+++ b/hosts/nixos-server-reid/default.nix
@@ -43,6 +43,13 @@
 };
 modules = {
+ core = {
+ # security
+ security.useDoas = true;
+ };
+ hardware = {
+ networking.enable = true;
+ };
 services = {
 ssh.enable = true;
 ssh.enableMoshSupport = true;
@@ -50,8 +57,6 @@
 postgres.enable = true;
 mysql.enable = true;
 };
-
- security.useDoas = true;
 };
 security.doas = {
@@ -65,5 +70,5 @@
 networking.networkmanager.enable = true;
 networking.networkmanager.wifi.backend = "iwd";
 networking.networkmanager.wifi.powersave = false;
- networking.wireless.iwd.settings.Settings.AutoConnect = true;
+ networking.wireless.iwd.settings.Settings.AutoConnect = true;
 }
diff --git a/hosts/nixos-server-reid/hardware.nix b/hosts/nixos-server-reid/hardware.nix
index cca53b4..e840b5f 100755
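Review bot: The `kernelParams = [ "pcie_aspm.policy=performance" ];` line removed together with the `boot = { … }` block has no replacement anywhere in this diff, so every host silently loses that parameter while the hunk reads as a pure flattening of `kernelPackages`. If the drop is intentional it deserves a word in the commit message; otherwise keep it next to the new form as `boot.kernelParams = [ "pcie_aspm.policy=performance" ];`. The other two removals do reappear (`i18n.defaultLocale` in modules/core/locale.nix, `hardware.enableRedistributableFirmware` in modules/hardware/default.nix), which only holds if `mapModulesRec'` on the first context line picks up new files under modules/ automatically — worth a quick check for modules/hardware/default.nix, which declares no option and so would fail silently if skipped.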
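Review bot: With `hardware.networking.enable = true;` the host's own `networking.networkmanager.*` and `networking.wireless.iwd.settings.Settings.AutoConnect` lines — still present in the @@ -65 hunk, changed only in whitespace — now define the same four values a second time as modules/hardware/networking.nix. Identical definitions merge today, but the host copy turns into an evaluation conflict the moment the module changes a value, and it obscures that the module also disables `NetworkManager-wait-online` for this server; delete the four host lines and let the module be the single source. The `# security` comment above `security.useDoas = true;` only restates the attribute name and can go.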
--- a/hosts/nixos-server-reid/hardware.nix
+++ b/hosts/nixos-server-reid/hardware.nix
@@ -6,15 +6,14 @@
 inputs.hardware.nixosModules.common-pc
 (modulesPath + "/installer/scan/not-detected.nix")
+
+ ./raspberry-pi-4b.nix
 ];
 # use better power management for a device that's always on
 powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
- # i have a couple others i don't noramlly include, such as:
- # uas (uasp, scsi over usb), usbcore (needed(???) for the drive at boot)
- # pcie_brcmstb (required for pcie), reset-raspberrypi (needed for vl805 firmware to load)
- boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "pcie_brcmstb" "reset-raspberrypi" "uas" "usbcore" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
@@ -23,18 +22,10 @@
 boot.loader.grub.enable = false;
 boot.loader.generic-extlinux-compatible.enable = true;
- # needed for initial framebuffer logs to appear on raspberry pi
- # i think. this fixes it but idk if they are all required
- boot.kernelParams = [
- "8250.nr_uarts=1"
- "cma=128M"
- "console=tty0"
- ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/04542424-6899-4b94-9414-fffa569f2c03";
 fsType = "ext4";
- options = [ "noatime" "nodiratime" "discard" ];
+ options = [ "noatime" ];
 };
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
diff --git a/hosts/nixos-server-reid/raspberry-pi-4b.nix b/hosts/nixos-server-reid/raspberry-pi-4b.nix
new file mode 100644
index 0000000..24672dd
--- /dev/null
+++ b/hosts/nixos-server-reid/raspberry-pi-4b.nix
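Review bot: The imports list now adds `./raspberry-pi-4b.nix` while still carrying `inputs.hardware.nixosModules.common-pc`, a profile meant for generic x86 machines; if `inputs.hardware` is nixos-hardware, its `raspberry-pi-4` module may already cover part of what the new file reproduces by hand, so it is worth checking before maintaining the initrd-module and kernel-parameter lists locally. In the second hunk, dropping `"nodiratime"` is a no-op because `noatime` implies it, but dropping `"discard"` is a behaviour change: TRIM on the root filesystem now depends entirely on modules/core/fs/fstrim.nix being imported for this host, which the diff does not show explicitly. A comment on the options line, `# discard is handled by the weekly fstrim timer (modules/core/fs/fstrim.nix)`, would record that dependency for the next reader.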
@@ -0,0 +1,14 @@
+{ pkgs, lib, ... }:
+{
+ # uas (uasp, scsi over usb), usbcore (needed(???) for the drive at boot)
+ # pcie_brcmstb (required for pcie), reset-raspberrypi (needed for vl805 firmware to load)
+ boot.initrd.availableKernelModules = [ "pcie_brcmstb" "reset-raspberrypi" "uas" "usbcore" ];
+
+ # needed for initial framebuffer logs to appear on raspberry pi
+ # i think. this fixes it but idk if they are all required
+ boot.kernelParams = [
+ "8250.nr_uarts=1"
+ "cma=128M"
+ "console=tty0"
+ ];
+}
diff --git a/modules/core/fs/fstrim.nix b/modules/core/fs/fstrim.nix
new file mode 100644
index 0000000..3d7212a
--- /dev/null
+++ b/modules/core/fs/fstrim.nix
@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+with lib;
+{
+ # if lvm is enabled, then tell it to issue discards
+ # (this is good for SSDs and has almost no downsides on HDDs, so
+ # it's a good idea to enable it unconditionally)
+ environment.etc."lvm/lvm.conf".text = mkIf config.services.lvm.enable ''
+ devices {
+ issue_discards = 1
+ }
+ '';
+
+ # discard blocks that are not in use by the filesystem, good for SSDs
+ services.fstrim = {
+ # we may enable this unconditionally across all systems becuase it's performance
+ # impact is negligible on systems without a SSD - which means it's a no-op with
+ # almost no downsides aside from the service firing once per week
+ enable = true;
+
+ # the default value, good enough for average-load systems
+ interval = "weekly";
+ };
+
+ # tweak fstrim service to run only when on AC power
+ # and to be nice to other processes
+ # (this is a good idea for any service that runs periodically)
+ systemd.services.fstrim = {
+ unitConfig.ConditionACPower = true;
+
+ serviceConfig = {
+ Nice = 19;
+ IOSchedulingClass = "idle";
+ };
+ };
+}
diff --git a/modules/core/fs/lvm.nix b/modules/core/fs/lvm.nix
new file mode 100644
index 0000000..5da4992
--- /dev/null
+++ b/modules/core/fs/lvm.nix
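Review bot: The argument set `{ pkgs, lib, ... }:` binds two names the body never uses; `{ ... }:` is enough and keeps the file honest about its inputs. The same unused bindings appear in the other new modules of this commit: `pkgs`, `inputs` and `config` in modules/core/locale.nix, `config` in modules/core/fs/lvm.nix, `pkgs` in modules/hardware/default.nix and modules/hardware/networking.nix. The comment over `boot.kernelParams` still reads `i think. this fixes it but idk if they are all required`; now that the block has its own file, the header is the place to record which symptom each of the three parameters was added for and which combinations were actually tried, rather than the open question.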
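Review bot: The comment over `environment.etc."lvm/lvm.conf".text` says discards are enabled "unconditionally", but the value is gated on `config.services.lvm.enable`, which modules/core/fs/lvm.nix in this same commit defaults to false, so on every host in this tree the block is dormant until a host overrides that default; the comment should say so, e.g. `# only takes effect on hosts that re-enable services.lvm (off by default in lvm.nix)`. The three-line comment under `services.fstrim` has `becuase` and `it's performance impact` (should be `its`). `interval = "weekly"` is the option's default, which the comment already acknowledges, so the line documents rather than changes anything.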
@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+
+with lib;
+{
+ # i don't use lvm, can be disabled
+ services.lvm.enable = mkDefault false;
+}
diff --git a/modules/core/fs/scrub.nix b/modules/core/fs/scrub.nix
new file mode 100644
index 0000000..0f2eaf3
--- /dev/null
+++ b/modules/core/fs/scrub.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+with lib;
+let
+ supportedFilesystems = builtins.map (builtins.getAttr "fsType") (builtins.attrValues config.fileSystems);
+ mkScrubConfig = fsType: {
+ enable = builtins.elem fsType supportedFilesystems;
+ interval = "weekly";
+ };
+in {
+ services.btrfs.autoScrub = mkScrubConfig "btrfs";
+ services.zfs.autoScrub = mkScrubConfig "zfs";
+
+ # bcachefs exists but it was "ejected from the kernel" for "repeated violations of kernel dev. guidelines"
+ # linus "tech tips" torvalds said himself "nobody sane uses bcachefs and expects it to be stable" (https://en.wikipedia.org/wiki/Bcachefs#Stability)
+}
diff --git a/modules/core/locale.nix b/modules/core/locale.nix
new file mode 100644
index 0000000..db1ac03
--- /dev/null
+++ b/modules/core/locale.nix
@@ -0,0 +1,13 @@
+{ lib, pkgs, inputs, config, ... }:
+
+with lib;
+{
+ i18n.defaultLocale = mkDefault "en_US.UTF-8";
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "qwerty";
+ };
+ console = {
+ useXkbConfig = mkDefault true;
+ };
+}
diff --git a/modules/nix.nix b/modules/core/nix.nix
similarity index 75%
rename from modules/nix.nix
rename to modules/core/nix.nix
index 9b4a31e..639668e 100644
--- a/modules/nix.nix
+++ b/modules/core/nix.nix
@@ -27,10 +27,17 @@
 };
 };
- nix.optimise.automatic = true;
+ nix.optimise.automatic = true; # likely not needed w/ auto-optimise-store, comfy to keep though
 nix.gc = {
 automatic = true;
 dates = "weekly";
 options = "--delete-older-than 30d";
 };
+
+ # compat w/ non-nix programs
+ programs.nix-ld.enable = true;
+ programs.appimage = {
+ enable = true;
+ binfmt = true;
+ };
 }
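Review bot: The `let` binding `supportedFilesystems` is easy to confuse with the NixOS option `boot.supportedFilesystems`, which means something different (drivers to include, not the types actually mounted); a name like `mountedFsTypes` says what the list is. The `builtins.map`/`builtins.getAttr`/`builtins.attrValues` chain can be one lib call, which the `with lib;` line already brings into scope: `mountedFsTypes = mapAttrsToList (_: fs: fs.fsType) config.fileSystems;` with `enable = elem fsType mountedFsTypes;` below it. `mkScrubConfig` also sets `interval = "weekly"` when `enable` is false; harmless, but a short comment on that line saying the interval is ignored unless enabled would spare the next reader the question.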
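Review bot: `i18n.defaultLocale` is wrapped in `mkDefault`, but `services.xserver.xkb.layout = "us";` and `variant = "qwerty";` are bare assignments, so a host with a different keyboard has to `mkForce` them instead of simply setting them; make the module consistently overridable with `layout = mkDefault "us"; variant = mkDefault "qwerty";`. Because `console.useXkbConfig = mkDefault true;` derives the console keymap from these values at build time, it is also worth confirming that xkeyboard-config defines a `qwerty` variant for `us` (I am not aware of one; the empty string is the conventional "default variant"), since an unknown variant surfaces as a build failure on every host rather than a runtime warning.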
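Review bot: `programs.nix-ld.enable = true;` and `programs.appimage = { enable = true; binfmt = true; };` are added unconditionally to a core module every host imports, including the headless server in this diff; `binfmt = true` registers a binfmt_misc handler so any AppImage file on the machine becomes directly executable, and nix-ld lets unpatched foreign dynamic binaries run, which widens the set of non-Nix code that will execute on a server with no desktop use for either. Make both overridable, `programs.nix-ld.enable = mkDefault true;` and likewise for the appimage attributes, or gate them on an option the way modules/core/security.nix gates doas. The trailing comment on `nix.optimise.automatic` ("likely not needed … comfy to keep") leaves the reader guessing; state whether `nix.settings.auto-optimise-store` is actually set in the part of the file outside this hunk. The enclosing attribute set starts before the hunk.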
diff --git a/modules/security.nix b/modules/core/security.nix
similarity index 95%
rename from modules/security.nix
rename to modules/core/security.nix
index c201aa5..6e35883 100755
--- a/modules/security.nix
+++ b/modules/core/security.nix
@@ -2,9 +2,9 @@
 with lib;
 let
- cfg = config.modules.security;
+ cfg = config.modules.core.security;
 in {
- options.modules.security = {
+ options.modules.core.security = {
 useDoas = mkEnableOption "use opendoas instead of sudo";
 };
@@ -64,6 +64,7 @@ in {
 # while this is on by default, i am going to explicitly specify this
 networking.firewall.enable = true;
+ # stay up to date on firmware
 services.fwupd.enable = true;
 }
 (mkIf cfg.useDoas {
diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix
new file mode 100644
index 0000000..08fb28a
--- /dev/null
+++ b/modules/hardware/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ config = {
+ hardware.enableRedistributableFirmware = true;
+ };
+}
diff --git a/modules/hardware/networking.nix b/modules/hardware/networking.nix
new file mode 100644
index 0000000..beb57b0
--- /dev/null
+++ b/modules/hardware/networking.nix
@@ -0,0 +1,19 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+let
+ cfg = config.modules.hardware.networking;
+in {
+ options.modules.hardware.networking = {
+ enable = mkEnableOption "Enable NetworkManager, a daemon for configuring network interfaces";
+ };
+
+ config = mkIf cfg.enable {
+ networking.networkmanager.enable = true;
+ networking.networkmanager.wifi.backend = "iwd";
+ networking.networkmanager.wifi.powersave = false;
+ networking.wireless.iwd.settings.Settings.AutoConnect = true;
+
+ systemd.services.NetworkManager-wait-online.enable = false;
+ };
+}
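Review bot: The new comment `# stay up to date on firmware` over `services.fwupd.enable = true;` promises more than the option delivers: enabling it installs the fwupd daemon (and, as far as I recall, a metadata-refresh timer), but no firmware is applied unless someone runs `fwupdmgr update`. A comment that matches the behaviour would be `# fwupd daemon so firmware can be updated with fwupdmgr; nothing is applied automatically`. The option-path rename in the first hunk is not backward compatible, so any host outside this diff still setting `modules.security.useDoas` will fail evaluation — loud rather than silent, which is fine, but worth a line in the commit message. The list that the `}` and `(mkIf cfg.useDoas {` context lines belong to starts and ends outside the hunk.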
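Review bot: `mkEnableOption "Enable NetworkManager, a daemon for configuring network interfaces"` produces the description "Whether to enable Enable NetworkManager, …", because `mkEnableOption` prepends "Whether to enable" itself; pass only the noun phrase: `enable = mkEnableOption "NetworkManager, a daemon for configuring network interfaces";`. `systemd.services.NetworkManager-wait-online.enable = false;` is the one non-obvious line in the module and carries no comment: it lets network-online.target be reached before any link is up, so units ordered after it (the server host enables ssh, postgres and mysql through `modules.services`) may start without connectivity. Add a comment stating why it is disabled and which units are expected to cope with starting before the network is available, so a later reader does not re-enable it or, conversely, blame the services.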