diff --git a/configuration.nix b/configuration.nix
index c440357..0b04ce1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -74,7 +74,6 @@
 allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
 channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
 };
- system.stateVersion = config.selfprivacy.stateVersion;
 nix = {
 # TODO uncomment when NixOS version is at least 23.05
 # nix.channel.enable = false;
@@ -86,7 +85,7 @@
 # optimise.automatic = true;
 gc = {
- automatic = true;
+ automatic = true; # TODO it's debatable, because of IO&CPU load
 options = "--delete-older-than 7d";
 };
 };
@@ -107,8 +106,9 @@
 nixpkgs.hostPlatform = system;
 services.journald.extraConfig = "SystemMaxUse=500M";
 boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1; # TODO why is it here by default?
+ "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
 };
+ # TODO must be configurable and determined at nixos-infect stage
 swapDevices = [
 {
 device = "/swapfile";
@@ -116,6 +116,7 @@
 size = 2048;
 }
 ];
+ # TODO why is sudo needed?
 security = {
 sudo = {
 enable = true;
diff --git a/flake.nix b/flake.nix
index 240aa4e..6ea490c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,7 @@
 nixosConfigurations-fun =
 { system
 , hardware-configuration
+ , deployment
 , userdata
 , top-level-flake
 , sp-modules
@@ -23,6 +24,7 @@
 specialArgs = { inherit system; };
 modules = [
 hardware-configuration
+ deployment
 ./configuration.nix
 (import ./files.nix top-level-flake.outPath)
 (import ./userdata-variables.nix userdata)
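Review bot: `"net.ipv4.ip_forward" = 1;` in `boot.kernel.sysctl` (hunk @@ -107,8) stays enabled on every host, and the reworded TODO only records the suspicion that it exists for VPN. With forwarding on, the kernel routes packets between interfaces, so a server that runs no VPN carries that exposure for no benefit. If the VPN module is the only consumer, the setting belongs there behind its enable option, e.g. `boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkIf <vpn-enable-option> 1;` (placeholder; the option name is not visible in this diff). The same applies to `# TODO why is sudo needed?` in hunk @@ -116,6: the `security.sudo` block continues outside the hunk, so the comment should name which user or service relies on sudo so that a later reader can decide whether it can be turned off.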
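Review bot: `deployment` is added to the argument set of `nixosConfigurations-fun` in flake.nix (hunk @@ -14,6) without a default, so any existing caller that does not pass it will fail at evaluation, and nothing states what the module must define. Since the same commit drops `system.stateVersion = config.selfprivacy.stateVersion;` from configuration.nix, the `deployment` module presumably has to set `system.stateVersion` now; if it does not, NixOS falls back to the release default, which can change how stateful services treat existing data. A comment above the argument such as `# deployment: per-host module written at install time; must set system.stateVersion` would make that contract explicit. The function starts and ends outside both flake.nix hunks; the second hunk (@@ -23,6) only places `deployment` into `modules`.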