diff --git a/common.nix b/common.nix
index 7078347..6749e01 100644
--- a/common.nix
+++ b/common.nix
@@ -7,87 +7,92 @@ all: {
 }: {
 imports = [all];
- config = {
- services.haveged.enable = lib.mkDefault true;
-
- security.rtkit.enable = lib.mkDefault true;
-
- hardware.cpu.amd.updateMicrocode = lib.mkDefault true;
- hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
-
- services.earlyoom.enable = lib.mkDefault true;
-
- programs.mosh.enable = lib.mkDefault true;
-
- systemd.services.nix-gc.serviceConfig.IOSchedulingPriority =
- lib.mkDefault 7;
- systemd.services.nix-gc.serviceConfig.IOSchedulingClass =
- lib.mkDefault "idle";
- systemd.services.nix-gc.serviceConfig.CPUSchedulingPolicy =
- lib.mkDefault "idle";
-
- nix = {
- gc = {
- automatic = lib.mkDefault true;
- dates = lib.mkDefault "20:00";
- options = lib.mkDefault "--delete-older-than 40d";
- };
-
- daemonIOSchedPriority = lib.mkDefault 7;
- daemonIOSchedClass = lib.mkDefault "idle";
- daemonCPUSchedPolicy = lib.mkDefault "idle";
-
- settings = {
- trusted-users = ["root" "builder" "@wheel"];
- builders-use-substitutes = true;
- experimental-features = ["nix-command" "flakes" "repl-flake"];
- keep-outputs = true;
- keep-derivations = true;
- };
- };
-
- # make nginx have good logging and defaults
- services.nginx = {
- recommendedGzipSettings = lib.mkDefault true;
- recommendedOptimisation = lib.mkDefault true;
- recommendedProxySettings = lib.mkDefault true;
- appendHttpConfig = ''
- error_log stderr;
- access_log syslog:server=unix:/dev/log combined;
- '';
- };
-
- # set some basic system props
- security.sudo.wheelNeedsPassword = lib.mkDefault false;
- networking.networkmanager.enable = lib.mkDefault true;
-
- # package list
- environment.systemPackages = with pkgs; [
- exfat
-
- # to stop NixOS breaking
- git
- ];
-
- services.openssh = {
- # Allow ssh
- enable = lib.mkDefault true;
- # lol no
- permitRootLogin = lib.mkDefault "no";
- passwordAuthentication = lib.mkDefault false;
- # allow reverse ssh port shit to be public sometimes
- gatewayPorts = lib.mkDefault "clientspecified";
- extraConfig = ''
- StreamLocalBindUnlink yes
- '';
- };
-
- # Use a firewall
- networking.firewall.enable = lib.mkDefault true;
- networking.firewall.allowPing = true;
- networking.firewall.allowedTCPPorts = lib.mkDefault [22];
-
- programs.fish.enable = lib.mkDefault true;
- users.defaultUserShell = lib.mkOverride 900 pkgs.fish;
+ boot.loader = {
+ efi.canTouchEfiVariables = lib.mkDefault true;
+ systemd-boot.editor = lib.mkDefault false;
+ # having a user makes sure `superusers=""` gets set, which prevents editing like the above
+ grub.users.grubby = {};
 };
+
+ services.haveged.enable = lib.mkDefault true;
+
+ security.rtkit.enable = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault true;
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
+
+ services.earlyoom.enable = lib.mkDefault true;
+
+ programs.mosh.enable = lib.mkDefault true;
+
+ systemd.services.nix-gc.serviceConfig.IOSchedulingPriority =
+ lib.mkDefault 7;
+ systemd.services.nix-gc.serviceConfig.IOSchedulingClass =
+ lib.mkDefault "idle";
+ systemd.services.nix-gc.serviceConfig.CPUSchedulingPolicy =
+ lib.mkDefault "idle";
+
+ nix = {
+ gc = {
+ automatic = lib.mkDefault true;
+ dates = lib.mkDefault "20:00";
+ options = lib.mkDefault "--delete-older-than 40d";
+ };
+
+ daemonIOSchedPriority = lib.mkDefault 7;
+ daemonIOSchedClass = lib.mkDefault "idle";
+ daemonCPUSchedPolicy = lib.mkDefault "idle";
+
+ settings = {
+ trusted-users = ["root" "builder" "@wheel"];
+ builders-use-substitutes = true;
+ experimental-features = ["nix-command" "flakes" "repl-flake"];
+ keep-outputs = true;
+ keep-derivations = true;
+ };
+ };
+
+ # make nginx have good logging and defaults
+ services.nginx = {
+ recommendedGzipSettings = lib.mkDefault true;
+ recommendedOptimisation = lib.mkDefault true;
+ recommendedProxySettings = lib.mkDefault true;
+ appendHttpConfig = ''
+ error_log stderr;
+ access_log syslog:server=unix:/dev/log combined;
+ '';
+ };
+
+ # set some basic system props
+ security.sudo.wheelNeedsPassword = lib.mkDefault false;
+ networking.networkmanager.enable = lib.mkDefault true;
+
+ # package list
+ environment.systemPackages = with pkgs; [
+ exfat
+
+ # to stop NixOS breaking
+ git
+ ];
+
+ services.openssh = {
+ # Allow ssh
+ enable = lib.mkDefault true;
+ # lol no
+ permitRootLogin = lib.mkDefault "no";
+ passwordAuthentication = lib.mkDefault false;
+ # allow reverse ssh port shit to be public sometimes
+ gatewayPorts = lib.mkDefault "clientspecified";
+ extraConfig = ''
+ StreamLocalBindUnlink yes
+ '';
+ };
+
+ # Use a firewall
+ networking.firewall.enable = lib.mkDefault true;
+ networking.firewall.allowPing = true;
+ networking.firewall.allowedTCPPorts = lib.mkDefault [22];
+
+ programs.fish.enable = lib.mkDefault true;
+ users.defaultUserShell = lib.mkOverride 900 pkgs.fish;
 }
diff --git a/modules/workstation.nix b/modules/workstation.nix
index 8e9a13b..bd6dced 100644
--- a/modules/workstation.nix
+++ b/modules/workstation.nix
@@ -23,12 +23,34 @@ in {
 };
 config = mkIf cfg.enable {
- boot.plymouth.enable = lib.mkDefault true;
- # as soon as this stops breaking _all_ my machines
- boot.initrd.systemd.enable = lib.mkDefault false;
 # until https://github.com/NixOS/nixpkgs/pull/199784 is merged
 systemd.services.plymouth-start.restartIfChanged = false;
+ console = {
+ earlySetup = lib.mkDefault false;
+ };
+
+ boot = {
+ consoleLogLevel = lib.mkDefault 0;
+ initrd.verbose = lib.mkDefault false;
+ plymouth.enable = lib.mkDefault true;
+ kernelParams = [
+ "quiet"
+ "loglevel=3"
+ "rd.systemd.show_status=no"
+ "rd.udev.log_level=3"
+ "udev.log_priority=3"
+ "vt.global_cursor_default=0"
+ ];
+
+ loader.timeout = 0;
+
+ kernel.sysctl = {
+ # lol anti-cheat
+ "abi.vsyscall32" = lib.mkDefault 0;
+ };
+ };
+
 services.avahi = {
 enable = lib.mkDefault true;
 nssmdns = lib.mkDefault true;
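Review bot: `grub.users.grubby = {};` in the new `boot.loader` block declares a GRUB user with no `hashedPassword`/`hashedPasswordFile`, and the comment above it says the goal is an emitted `superusers=""` — but naming a user is normally how that user becomes the superuser, so the hunk does not make clear whether the generated grub.cfg ends up with a passwordless superuser, an unauthenticatable one, or an empty superusers list. Please check the resulting grub.cfg on a GRUB host and record the verified outcome in the comment, e.g. `# intentionally credential-less: with any user defined the module locks menu editing; verified against the generated grub.cfg`; if a real superuser is wanted, give it a hashed password. The `services.openssh.permitRootLogin`/`passwordAuthentication` options carried over lower in the hunk were superseded by `services.openssh.settings.PermitRootLogin`/`settings.PasswordAuthentication` in NixOS 23.05, so if the pinned nixpkgs is that new they will at least warn, and the hardening they express is worth moving to the new names.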
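Review bot: `loader.timeout = 0;` is the only setting in the new `boot` block not wrapped in `lib.mkDefault`, so a host that needs the boot menu (to select an older generation after a bad deploy) must `lib.mkForce` it instead of simply overriding; `loader.timeout = lib.mkDefault 0;` keeps the override order consistent with its siblings. Since a zero timeout hides the menu, a one-line comment noting how the menu is still reached (holding a key during boot on systemd-boot, as I understand it) would help whoever has to roll back at the console. Separately, `kernel.sysctl` here carries over only `abi.vsyscall32`, while the `vm.swappiness = 45` default deleted by the later hunk of this file is not re-added, so swappiness silently reverts to the kernel default — fine if intended, but the commit message should say so. The enclosing `config = mkIf cfg.enable {` block continues beyond the hunk.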
@@ -276,13 +298,6 @@ in { services.dbus.enable = lib.mkDefault true; services.dbus.packages = with pkgs; [dconf]; - boot.kernel.sysctl = { - # better default swap - "vm.swappiness" = lib.mkDefault 45; - # lol anti-cheat - "abi.vsyscall32" = 0; - }; - # self explanatory fuckingprint.enable = lib.mkDefault true;