diff --git a/README.md b/README.md index 4b620fd..4785ced 100644 --- a/README.md +++ b/README.md @@ -57,16 +57,13 @@ just bootstrap-flash /dev/sdX ``` This creates: - - `hosts//` directory - - `secrets/hosts//` with SSH keys + - `hosts//default.nix` file which you should edit + - `secrets/hosts//` directory with SSH keys 2. Add host configuration in `hosts/default.nix`: ```nix - = mkSystem { - hostname = ""; - username = ""; - }; + = mkSystem { host = .; }; ``` 3. Create required files in `hosts//`: @@ -87,6 +84,37 @@ just bootstrap-flash /dev/sdX just secret-rekey ``` +> [!TIP] +> If you upload the public key (`secrets/hosts//id_ed25519.pub`) to GitHub, you can pull & push directly from the new host. + +## Deploying + +### Nixos ISO install + +A simple way to install a new machine is to use the official [NixOS ISO](https://nixos.org/download/) to prepare a machine + +Copy the private SSH key for the new host to `/etc/ssh/ssh_host_ed25519_key` + +Enable flakes support in `/etc/nixos/configuration.nix` + +```nix +{ + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; +} +``` + +Then run: + +```bash +$ nix develop +$ just switch +``` + ## Secret Management Secrets are managed with [agenix](https://github.com/ryantm/agenix) + [agenix-rekey](https://github.com/oddlama/agenix-rekey), using a YubiKey as the master identity. diff --git a/hosts/desktop-wsl/default.nix b/hosts/desktop-wsl/default.nix index 691f1a4..03749db 100644 --- a/hosts/desktop-wsl/default.nix +++ b/hosts/desktop-wsl/default.nix 
@@ -1,22 +1,14 @@ { - config = rec { + config = { fireproof = { hostname = "desktop-wsl"; username = "nickolaj"; work.enable = true; dev.enable = true; + wsl.enable = true; }; - wsl.enable = true; - wsl.defaultUser = fireproof.username; - - services.keyd.enable = false; - system.stateVersion = "25.11"; - - # WSL doesn't use a bootloader - disable systemd-boot - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = false; }; imports = [ diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix index c10dff1..1b2c0eb 100644 --- a/modules/desktop/default.nix +++ b/modules/desktop/default.nix @@ -5,6 +5,11 @@ }: { options.fireproof.desktop = { enable = lib.mkEnableOption "Enable desktop environment with niri, greetd, and all desktop features"; + windowManager.enable = lib.mkOption { + type = lib.types.bool; + default = config.fireproof.desktop.enable; + description = "Enable window manager (niri) and dank material shell (dms)"; + }; }; imports = [ @@ -18,9 +23,4 @@ ./gtk/default.nix ./dms/default.nix ]; - - config = lib.mkIf config.fireproof.desktop.enable { - # All desktop-related configuration is handled by the individual modules - # which check for fireproof.desktop.enable - }; } diff --git a/modules/desktop/dms/bar.nix b/modules/desktop/dms/bar.nix index cd80d57..23d1101 100644 --- a/modules/desktop/dms/bar.nix +++ b/modules/desktop/dms/bar.nix @@ -3,6 +3,8 @@ lib, ... }: let + hasMonitors = config.monitors != []; + commonBarSettings = { enabled = true; position = 0; 
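Review bot: In modules/desktop/default.nix, `windowManager.enable` takes its default from `config.fireproof.desktop.enable` but declares no `defaultText`, so generated option documentation has to evaluate `config` to render the default. Adding `defaultText = lib.literalExpression "config.fireproof.desktop.enable";` avoids that. The same applies to `fireproof.desktop.greeter.enable` in modules/desktop/greetd.nix, which also spells the option differently (`lib.mkEnableOption "greeter" // { default = …; }`); using one form for both would read more consistently. Because the option can now be set on its own, the description should also say whether `windowManager.enable = true` with `desktop.enable = false` is a supported combination.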
@@ -35,11 +37,17 @@ maximizeDetection = true; }; - primaryMonitor = builtins.head config.monitors; + primaryMonitor = + if hasMonitors + then builtins.head config.monitors + else {}; primaryX = primaryMonitor.position.x or 0; # Partition secondary monitors into left and right based on their x position relative to primary - secondaryMonitors = builtins.tail config.monitors; + secondaryMonitors = + if hasMonitors + then builtins.tail config.monitors + else []; leftMonitors = builtins.filter (m: (m.position.x or 0) <= primaryX) secondaryMonitors; rightMonitors = builtins.filter (m: (m.position.x or 0) > primaryX) secondaryMonitors; diff --git a/modules/desktop/dms/default.nix b/modules/desktop/dms/default.nix index 4fa623d..a82d4d4 100644 --- a/modules/desktop/dms/default.nix +++ b/modules/desktop/dms/default.nix @@ -11,7 +11,7 @@ ./bar.nix ]; - config = lib.mkIf config.fireproof.desktop.enable { + config = lib.mkIf config.fireproof.desktop.windowManager.enable { systemd.user.services.niri-flake-polkit.enable = false; fireproof.home-manager = { diff --git a/modules/desktop/greetd.nix b/modules/desktop/greetd.nix index bb77715..f509870 100644 --- a/modules/desktop/greetd.nix +++ b/modules/desktop/greetd.nix @@ -4,7 +4,13 @@ pkgs, ... }: { - config = lib.mkIf config.fireproof.desktop.enable { + options.fireproof.desktop.greeter.enable = + lib.mkEnableOption "greeter" + // { + default = config.fireproof.desktop.enable; + }; + + config = lib.mkIf config.fireproof.desktop.greeter.enable { services.greetd = { enable = true; settings = { diff --git a/modules/desktop/niri.nix b/modules/desktop/niri.nix index 1c2e9b4..6945f78 100644 --- a/modules/desktop/niri.nix +++ b/modules/desktop/niri.nix 
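Review bot: In the second hunk of modules/desktop/dms/bar.nix the empty-list fallback turns `primaryMonitor` into `{}`, which is safe for `primaryMonitor.position.x or 0` but not for any attribute access that lacks an `or` default. The rest of the `let` block lies outside the hunk, so other uses of `primaryMonitor` should be checked. The same guard is repeated in modules/desktop/niri.nix, where it yields `primaryMonitorName = ""`; whether the niri settings that consume it accept an empty output name is not visible here. A comment above `hasMonitors` (first hunk of this file) would record the intent, for example `# config.monitors may be empty; fall back so builtins.head/tail are never applied to []`.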
@@ -5,10 +5,13 @@ inputs, ... }: let - primaryMonitorName = (builtins.head config.monitors).name or ""; + hasMonitors = config.monitors != []; + primaryMonitorName = + if hasMonitors + then (builtins.head config.monitors).name or "" + else ""; in { - config = lib.mkIf config.fireproof.desktop.enable { - # TODO: Move these to a separate module + config = lib.mkIf config.fireproof.desktop.windowManager.enable { programs.xwayland.enable = true; xdg.portal = { diff --git a/modules/system/default.nix b/modules/system/default.nix index 6a1f055..75007e7 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix @@ -5,6 +5,7 @@ _: { ./boot.nix ./hosts.nix ./keyd.nix + ./wsl.nix ./ld.nix ./networking.nix ./security.nix diff --git a/modules/system/keyd.nix b/modules/system/keyd.nix index 8b566a9..e7108c9 100644 --- a/modules/system/keyd.nix +++ b/modules/system/keyd.nix @@ -1,15 +1,21 @@ -{lib, ...}: { - services.keyd = { - enable = lib.mkDefault true; - keyboards.mouse = { - ids = [ - "046d:c051:4ae65a29" # Work mouse - "046d:407f:ee6ee407" # Home mouse - ]; - settings = { - main = { - # Bind mouse-back to meta if held - mouse1 = "overload(meta, mouse1)"; +{ + lib, + config, + ... +}: { + config = lib.mkIf config.fireproof.desktop.enable { + services.keyd = { + enable = lib.mkDefault true; + keyboards.mouse = { + ids = [ + "046d:c051:4ae65a29" # Work mouse + "046d:407f:ee6ee407" # Home mouse + ]; + settings = { + main = { + # Bind mouse-back to meta if held + mouse1 = "overload(meta, mouse1)"; + }; }; }; }; diff --git a/modules/system/wsl.nix b/modules/system/wsl.nix new file mode 100644 index 0000000..185cd9d --- /dev/null +++ b/modules/system/wsl.nix 
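Review bot: In modules/system/keyd.nix the new `lib.mkIf config.fireproof.desktop.enable` makes a module under modules/system read an option declared in modules/desktop/default.nix. The system module set then evaluates only when the desktop modules are imported alongside it, which may always be the case here but is not visible in this diff. keyd is a system daemon that reads input devices, so keeping it off hosts without a desktop is a reasonable reduction. A comment would make that intent explicit: `# keyd needs local input devices; only enable it on desktop hosts`.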
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ options.fireproof.wsl.enable = lib.mkEnableOption "Enable WSL configuration";
+
+ config = lib.mkIf config.fireproof.wsl.enable {
+ wsl = {
+ enable = true;
+ defaultUser = config.fireproof.username;
+ startMenuLaunchers = true;
+ interop.includePath = false;
+ };
+
+ # WSL doesn't use a bootloader - disable systemd-boot
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.efi.canTouchEfiVariables = false;
+ };
+}
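Review bot: modules/system/wsl.nix is now imported for every host through modules/system/default.nix, and `lib.mkIf` does not exempt the `wsl.*` definitions from needing a declared option. Hosts that do not import the NixOS-WSL module would therefore fail with an undefined-option error; whether that module is part of the shared import set is not visible here and should be confirmed. `lib.mkEnableOption` already prepends "Whether to enable", so the description reads better as `lib.mkEnableOption "WSL configuration"`. `interop.includePath = false` is new relative to the host configuration this replaces and deserves a comment, for example `# Keep the Windows PATH out of the Linux PATH so commands do not resolve to Windows binaries by name`.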