diff --git a/modules/home-manager/profiles/base.nix b/modules/home-manager/profiles/base.nix
index 09e2332..0d1907e 100644
--- a/modules/home-manager/profiles/base.nix
+++ b/modules/home-manager/profiles/base.nix
@@ -4,7 +4,7 @@
 {
 imports = with inputs.self.homeModules; [
 rebuild
- ssh
+ # ssh
 git
 shell-tools
 ];
diff --git a/modules/home-manager/programs/ssh.nix b/modules/home-manager/programs/ssh.nix
index 9c95d32..9641d4f 100644
--- a/modules/home-manager/programs/ssh.nix
+++ b/modules/home-manager/programs/ssh.nix
@@ -117,4 +117,17 @@ in
 };
 };
 };
+
+ flake.modules.nixos.ssh = {
+ services.openssh = {
+ enable = true;
+ # require public key authentication for better security
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ };
+
+ home-manager.sharedModules = with inputs.self.homeModules; [
+ ssh
+ ];
+ };
 }
diff --git a/modules/hosts/janus.nix b/modules/hosts/janus.nix
index ab9ee77..29a5449 100644
--- a/modules/hosts/janus.nix
+++ b/modules/hosts/janus.nix
@@ -8,11 +8,18 @@ in
 imports = [
 inputs.self.modules.nixos.lxc
 inputs.self.modules.nixos."${username}"
+ # inputs.self.modules.nixos.step-ca
+ inputs.self.modules.nixos.docker
 ];
 home-manager.users."${username}" = {
- imports = [
- # inputs.self.homeModules."${username}"
+ imports = with inputs.self.homeModules; [
+ ssh
 ];
+ docker.enable = true;
+ ssh.matchSets = {
+ certs = true;
+ homelab = true;
+ };
 };
 };
diff --git a/modules/home-manager/programs/docker.nix b/modules/services/docker.nix
similarity index 63%
rename from modules/home-manager/programs/docker.nix
rename to modules/services/docker.nix
index be24043..aa7dfc4 100644
--- a/modules/home-manager/programs/docker.nix
+++ b/modules/services/docker.nix
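Review bot: The `ssh` import in base.nix is commented out rather than removed, and the same parked-line pattern recurs in the janus.nix hunk (`# inputs.self.modules.nixos.step-ca`), the docker.nix hunk (`# users.users.john = { … }`) and the john.nix hunk (`# docker`); with the old line in git history, deleting it is cleaner than a comment that has to be re-checked against the module layout later. If the intent is that the ssh home module now arrives only through the new NixOS `ssh` module's `home-manager.sharedModules`, a one-line comment saying so, e.g. `# ssh home module is injected by flake.modules.nixos.ssh via home-manager.sharedModules`, would tell a reader why the base profile no longer imports it.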
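Review bot: `services.openssh` in the new `flake.modules.nixos.ssh` disables password and keyboard-interactive authentication but says nothing about root login, so a reader has to know that NixOS defaults `settings.PermitRootLogin` to `"prohibit-password"` to confirm the host is key-only for root as well; stating it explicitly keeps the whole policy visible in one place: `settings.PermitRootLogin = "prohibit-password";`. The module also lives in `modules/home-manager/programs/ssh.nix` while defining a NixOS system module, whereas this same commit moves the NixOS docker module to `modules/services/`; the same location would keep the tree consistent. The enclosing attribute set of ssh.nix starts outside the hunk.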
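Review bot: janus imports the new `docker` NixOS module but not `inputs.self.modules.nixos.ssh`, so the key-only sshd policy added in this commit does not apply to janus if the `lxc` module (not visible here) runs an sshd; at the same time the host enables `ssh.matchSets.certs = true`, which presumably depends on the `step-ca` import that stays commented out. Either import the NixOS `ssh` module next to `docker`, or record why janus is exempt with a comment such as `# sshd policy for this host comes from the lxc module; nixos.ssh intentionally not imported`. `ssh.matchSets` is assumed to be an option of the ssh home module, which is outside this diff.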
@@ -1,4 +1,17 @@
+{ inputs, ... }:
 {
+ flake.modules.nixos.docker = {
+ virtualisation.docker = {
+ enable = true;
+ };
+ home-manager.sharedModules = [
+ inputs.self.homeModules.docker
+ ];
+ # users.users.john = {
+ # extraGroups = [ "docker" ];
+ # };
+ };
+
 flake.homeModules.docker = { config, lib, pkgs, ... }: {
 options.docker = {
@@ -13,9 +26,6 @@
 docker
 docker-compose
 lazydocker
- (pkgs.writeShellScriptBin "test-docker" ''
- echo "Hello from docker.nix!"
- '')
 ];
 home.shellAliases = {
 lzd = "lazydocker";
diff --git a/modules/services/step-ca/ca.json b/modules/services/step-ca/ca.json
new file mode 100644
index 0000000..e6912aa
--- /dev/null
+++ b/modules/services/step-ca/ca.json
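Review bot: The commented-out `users.users.john.extraGroups = [ "docker" ]` is right to stay disabled, but nothing records why, and it hard-codes a username inside a module shared through `flake.modules.nixos.docker`; membership in the docker group is effectively root on the host, because the daemon socket lets a member mount the host filesystem into a container. A comment such as `# do not add users to the docker group: daemon-socket access is root-equivalent; prefer rootless mode` preserves the decision, and if the lines are ever re-enabled the username should come from the host module (as janus.nix does with `"${username}"`) rather than being fixed to `john` here. The `flake.homeModules.docker` definition continues outside the hunk.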
@@ -0,0 +1,129 @@
+{
+ "root": "/etc/step-ca/certs/root_ca.crt",
+ "federatedRoots": null,
+ "crt": "/etc/step-ca/certs/intermediate_ca.crt",
+ "key": "/etc/step-ca/secrets/intermediate_ca_key",
+ "address": ":443",
+ "insecureAddress": "",
+ "dnsNames": [
+ "janus.john-stream.com",
+ "192.168.1.113"
+ ],
+ "ssh": {
+ "hostKey": "/etc/step-ca/secrets/ssh_host_ca_key",
+ "userKey": "/etc/step-ca/secrets/ssh_user_ca_key"
+ },
+ "logger": {
+ "format": "text"
+ },
+ "db": {
+ "type": "badgerv2",
+ "dataSource": "/var/lib/step-ca/db",
+ "badgerFileLoadingMode": ""
+ },
+ "authority": {
+ "provisioners": [
+ {
+ "type": "ACME",
+ "name": "acme"
+ },
+ {
+ "type": "SSHPOP",
+ "name": "sshpop",
+ "claims": {
+ "enableSSHCA": true
+ }
+ },
+ {
+ "type": "JWK",
+ "name": "admin",
+ "key": {
+ "use": "sig",
+ "kty": "EC",
+ "kid": "xoxgOJFbveSLIL2gm1Yu5ZiRb9v8Jxe44F56i3v-Nf8",
+ "crv": "P-256",
+ "alg": "ES256",
+ "x": "zFO8hPx_eH0Iyz7UJI-w8ODMusEKCZ28M76sGWmWYxA",
+ "y": "XIWLLyKDzqxV9UH-2KeAkKPDrgLoPrxxW9-PzkXggME"
+ },
+ "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUVJnTnJVTF9KcmxJYkJMVTlGNVRPZyJ9.DMu7xBNCq5pr-_--YTxNr5Hrcqy6ZmSVHsWurfVXL7Hk0Q3vyYRxiw.h-CnFiYc-DhxThI3.plx3_Qa_0kU-2TwnqFNfAfGnCpfQ2e0iiCMLruNHbLMnHeXQ1BysHBqps45_02zZXIRdHoDgYGtXRSfcdUYYoS0pLoPzC6m301ZFNSAFdRVlSZ3Q6VmWdixPXXnEB4EgSKTT_wxR33L8t9OpFzD85KfY-b_Un1l99ufjCnfg-EYkcICTn_G4-8bcW3eFIvJ6setzu-l0jHMhLQdIweqncn9on9xBXBD-ANhZfP95P2BJt-APqCi8eqiAvn_vClovdg0PxzRwOVDvWREz66FDw-HTU7xDtGO9hACopT5tfZOXDoykgZw1mJsq9NEq9ZzvKG2hvyk1UXtExxrNtFo.5q1OfGU4Amo4Si-vpeI42g",
+ "claims": {
+ "enableSSHCA": true,
+ "disableRenewal": false,
+ "allowRenewalAfterExpiry": false,
+ "disableSmallstepExtensions": false
+ },
+ "options": {
+ "x509": {},
+ "ssh": {}
+ }
+ }
+ ],
+ "template": {},
+ "backdate": "1m0s"
+ },
+ "tls": {
+ "cipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ],
+ "minVersion": 1.2,
+ "maxVersion": 1.3,
+ "renegotiation": false
+ },
+ "templates": {
+ "ssh": {
+ "user": [
+ {
+ "name": "config.tpl",
+ "type": "snippet",
+ "template": "templates/ssh/config.tpl",
+ "path": "~/.ssh/config",
+ "comment": "#"
+ },
+ {
+ "name": "step_includes.tpl",
+ "type": "prepend-line",
+ "template": "templates/ssh/step_includes.tpl",
+ "path": "${STEPPATH}/ssh/includes",
+ "comment": "#"
+ },
+ {
+ "name": "step_config.tpl",
+ "type": "file",
+ "template": "templates/ssh/step_config.tpl",
+ "path": "ssh/config",
+ "comment": "#"
+ },
+ {
+ "name": "known_hosts.tpl",
+ "type": "file",
+ "template": "templates/ssh/known_hosts.tpl",
+ "path": "ssh/known_hosts",
+ "comment": "#"
+ }
+ ],
+ "host": [
+ {
+ "name": "sshd_config.tpl",
+ "type": "snippet",
+ "template": "templates/ssh/sshd_config.tpl",
+ "path": "/etc/ssh/sshd_config",
+ "comment": "#",
+ "requires": [
+ "Certificate",
+ "Key"
+ ]
+ },
+ {
+ "name": "ca.tpl",
+ "type": "snippet",
+ "template": "templates/ssh/ca.tpl",
+ "path": "/etc/ssh/ca.pub",
+ "comment": "#"
+ }
+ ]
+ }
+ },
+ "commonName": "Step Online CA"
+}
\ No newline at end of file
diff --git a/modules/services/step-ca/step-ca.nix b/modules/services/step-ca/step-ca.nix
new file mode 100644
index 0000000..da090ed
--- /dev/null
+++ b/modules/services/step-ca/step-ca.nix
@@ -0,0 +1,22 @@
+{ inputs, ... }:
+let
+ ipAddress = "0.0.0.0";
+in
+{
+ flake.modules.nixos.step-ca = { pkgs, ... }: {
+ # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/security/step-ca.nix
+ services.step-ca = {
+ enable = true;
+ openFirewall = true;
+ address = ipAddress;
+ port = 8443;
+
+ # https://smallstep.com/docs/step-ca/configuration/#configuration-options
+ settings = {
+ root = "";
+ crt = "";
+ };
+ };
+ environment.systemPackages = with pkgs; [ step-ca step-cli ];
+ };
+}
\ No newline at end of file
diff --git a/modules/users/john.nix b/modules/users/john.nix
index ccb486c..f1c135f 100644
--- a/modules/users/john.nix
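Review bot: `authority.provisioners[2].encryptedKey` commits the JWK `admin` provisioner's private key, as a PBES2 password-encrypted JWE, into the repository next to its public `key`; the JWE protects it only as long as the encryption password resists offline guessing, and the `kid`/`x`/`y` values tie it unambiguously to this CA, so the file on its own is enough material for that attempt without any access to the server. Keep `ca.json` in the repo but supply the provisioner key at deploy time from a secrets store (a labelled placeholder such as `"encryptedKey": "<injected-from-secret-store>"` here, with the mechanism described in a comment in step-ca.nix since JSON cannot carry one), and rotate this provisioner key if the repository has already been pushed anywhere shared. Separately, `"address": ":443"` disagrees with `port = 8443` and `address = "0.0.0.0"` in step-ca.nix, and none of the `key`, `db` or `ssh` paths here are referenced by that module's `settings`, so it is unclear which file is authoritative.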
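Review bot: `services.step-ca.settings` is left with only `root = ""` and `crt = ""`, while the `ca.json` added in the same directory carries the real `root`, `crt`, `key`, `db` and provisioner configuration; if I read the nixpkgs module correctly it renders `settings` into the CA's configuration file, so as written the two files describe different CAs (`:443` there, `0.0.0.0:8443` with `openFirewall = true` here) and this one would start with empty certificate paths. Either load the JSON as the single source of truth, `settings = builtins.fromJSON (builtins.readFile ./ca.json);`, or drop the duplicate, and say which in the comment that currently only links the module source; the same module also expects `intermediatePasswordFile`, which is not set here. The link targets `nixos-23.05`, so it is worth pointing at the channel the flake actually tracks before relying on its option list. This module is still commented out in janus.nix, so nothing is deployed yet.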
+++ b/modules/users/john.nix
@@ -15,6 +15,7 @@ in
 shell = pkgs.zsh;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
 ];
 };
 programs.zsh.enable = true;
@@ -31,7 +32,7 @@ in
 imports = with inputs.self.homeModules; [
 base
- docker
+ # docker
 # resticprofile
 ];
 };
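Review bot: The added key is labelled `root@janus`, so the root account of the janus host is granted login as `john` on every host that applies this user module, not only on janus; if this is for a specific automated task (backup, rebuild, certificate distribution), say so in a comment beside the key and constrain the entry so a compromise of janus's root key yields only that task, e.g. `"restrict,command=\"<intended-command>\" ssh-ed25519 AAAA…N58F root@janus"`. If it is meant for interactive use, a per-person key is a better fit than reusing a host's root key. Which hosts import `modules/users/john.nix` is not visible in this diff.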