diff --git a/install/install.sh b/install/install.sh
index 0d135a7..ff86fa6 100644
--- a/install/install.sh
+++ b/install/install.sh
@@ -1,4 +1,9 @@
 #!/usr/bin/env bash
+ENCRYPT_ROOT=true
+ENCRYPT_SWAP=false
+FORMAT_BOOT_PARTITION=false
+
+DEVICE_NAME=NixOS-VM
 DEVICE=/dev/nvme0n1
 BOOT_PARTITION=/dev/nvme0n1p1
 SWAP_PARTITION=/dev/nvme0n1p3
@@ -6,12 +11,22 @@ ROOT_PARTITION=/dev/nvme0n1p2
 SWAP_NAME=cryptswap
 ROOT_NAME=cryptnixos
+
 gdisk $DEVICE
-# mkfs.vfat -n BOOT $BOOT_PARTITION
-cryptsetup --type luks2 --cipher aes-xts-plain64 --key-size 256 --hash sha512 luksFormat $ROOT_PARTITION
-cryptsetup luksOpen $ROOT_PARTITION $ROOT_NAME
-mkfs.btrfs -f -L root /dev/mapper/$ROOT_NAME
+# Format boot partition
+if [[ "$FORMAT_BOOT_PARTITION" == true ]]; then
+ mkfs.vfat -n BOOT $BOOT_PARTITION
+fi
+# Create luks partition
+if [[ "$ENCRYPT_ROOT" == true ]]; then
+ cryptsetup --type luks2 --cipher aes-xts-plain64 --key-size 256 --hash sha512 luksFormat $ROOT_PARTITION
+ cryptsetup luksOpen $ROOT_PARTITION $ROOT_NAME
+ mkfs.btrfs -f -L root /dev/mapper/$ROOT_NAME
+else
+ mkfs.btrfs -f -L root $ROOT_PARTITION
+fi
+# read -p "Press enter to continue"
 mount -t btrfs -o compress=zstd,noatime,ssd /dev/mapper/$ROOT_NAME /mnt
 btrfs subvolume create /mnt/@nixos
 btrfs subvolume create /mnt/@nix-store
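Review bot: The new `else` branch formats `$ROOT_PARTITION` directly, but the context line right after `fi`, `mount -t btrfs -o compress=zstd,noatime,ssd /dev/mapper/$ROOT_NAME /mnt`, still mounts the mapper device unconditionally, so with `ENCRYPT_ROOT=false` that mount fails and the `btrfs subvolume create /mnt/...` lines that follow have no filesystem to work on. I would record the device in each branch — `ROOT_DEV=/dev/mapper/$ROOT_NAME` after `luksOpen` and `ROOT_DEV=$ROOT_PARTITION` in the `else` — and use `$ROOT_DEV` in every later `mount`, including the subvolume mounts in the next hunk. The script has no `set -euo pipefail` under the shebang in the first hunk, so a failed `luksFormat` or `luksOpen` is silently followed by `mkfs.btrfs` on the mapper path; adding it would stop at the first failed step. The moved `cryptsetup` line keeps `--key-size 256`, which for aes-xts-plain64 is AES-128 (XTS splits the key in two); a comment saying whether that is deliberate would save the next reader from wondering.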
@@ -27,16 +42,31 @@ mount -t btrfs -o subvol=@home,compress=zstd,noatime,ssd /dev/mapper/$ROOT_NAME
 mount -t btrfs -o subvol=@nix-store,compress=zstd,noatime,ssd /dev/mapper/$ROOT_NAME /mnt/nix/store
 btrfs subvolume create /mnt/tmp
 btrfs subvolume create /mnt/var
+# read -p "Press enter to continue"
+# Mount boot
 mkdir /mnt/boot
 mount $BOOT_PARTITION /mnt/boot
-# create swap
-dd count=1 bs=256 if=/dev/urandom of=/mnt/root/swap.key
-cryptsetup --type luks2 --cipher aes-xts-plain64 --key-size 256 --hash sha512 --key-file /mnt/root/swap.key luksFormat $SWAP_PARTITION
-cryptsetup --key-file /mnt/root/swap.key luksOpen $SWAP_PARTITION $SWAP_NAME
-mkswap -L swap /dev/mapper/cryptswap
-swapon -L swap
+# read -p "Press enter to continue"
+# Create swap
+if [[ "$ENCRYPT_SWAP" == true ]]; then
+ dd count=1 bs=256 if=/dev/urandom of=/mnt/root/swap.key
+ cryptsetup --type luks2 --cipher aes-xts-plain64 --key-size 256 --hash sha512 --key-file /mnt/root/swap.key luksFormat $SWAP_PARTITION
+ cryptsetup --key-file /mnt/root/swap.key luksOpen $SWAP_PARTITION $SWAP_NAME
+ mkswap -L swap /dev/mapper/cryptswap
+else
+ mkswap -L swap $SWAP_PARTITION
+fi
+# Generate config (hardware)
 nixos-generate-config --root /mnt/
-cp ./min-config.nix /mnt/etc/nixos/configuration.nix
+# Copy config to new system
+mkdir -p /mnt/root/nixos-config
+cp -r $(pwd)/.. /mnt/root/nixos-config
+echo "import /mnt/root/nixos-config \"$DEVICE_NAME\"" > /mnt/etc/nixos/configuration.nix
 nano /mnt/etc/nixos/configuration.nix
+sed -i 's/\/etc\/nixos/\/mnt\/etc\/nixos/g' /mnt/root/nixos-config/default.nix
+read -p "Please, add swap device into nixos-config/modules/filesystems.nix before continue"
 read -p "Press enter to continue"
 nixos-install -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz
+sed -i 's/\/mnt\/etc\/nixos/\/etc\/nixos/g' /mnt/root/nixos-config/default.nix
+sed -i 's/\/mnt\/root/\/root/g' /mnt/etc/nixos/configuration.nix
+read -p "Installation complete!"
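Review bot: In the encrypted-swap branch the key file written by `dd ... of=/mnt/root/swap.key` is created under the shell's default umask and never chmod'ed, although it is the only secret protecting that partition; I would write it as `(umask 077; dd count=1 bs=256 if=/dev/urandom of=/mnt/root/swap.key)` so it is 0600 from the moment it exists. The same branch hardcodes `mkswap -L swap /dev/mapper/cryptswap` while the `luksOpen` line just above uses `$SWAP_NAME`; `mkswap -L swap /dev/mapper/$SWAP_NAME` keeps the two in step. `cp -r $(pwd)/.. /mnt/root/nixos-config` leaves the command substitution unquoted and copies the entire parent of the working directory, which in this repository includes `secret.nix.gpg`; quoting it as `cp -r "$(pwd)/.." /mnt/root/nixos-config` avoids word splitting, and naming the repository root explicitly would make it clear what ends up on the target. Nothing checks the exit status of `nixos-install` or of the two `sed -i` rewrites after it, so a failed install still ends with `read -p "Installation complete!"`.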
diff --git a/modules/applications/packages.nix b/modules/applications/packages.nix
index 44cb04e..d5f0f1a 100644
--- a/modules/applications/packages.nix
+++ b/modules/applications/packages.nix
@@ -19,6 +19,8 @@ with deviceSpecific; {
 lxqt.pavucontrol-qt
 bibata-cursors
 i3lock-fancy
+
+ # mullvad-vpn
 # Samba support
 cifs-utils
 # Utils
@@ -30,6 +32,7 @@ with deviceSpecific; {
 libva-utils
 lm_sensors
 libnotify
+ tree
 (youtube-to-mpv.override { isLaptop = isLaptop; })
 # Other
 (vivaldi.override { proprietaryCodecs = true; })
diff --git a/modules/default.nix b/modules/default.nix
index 76db5bb..9bf01d7 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -22,6 +22,7 @@
 ./workspace/xresources.nix
 ./workspace/barrier.nix
 ./themes.nix
+ ./mullvad.nix
 ./applications.nix
 ./secrets.nix
 ./devices.nix
diff --git a/modules/filesystems.nix b/modules/filesystems.nix
index 47fefa8..26bc238 100644
--- a/modules/filesystems.nix
+++ b/modules/filesystems.nix
@@ -71,6 +71,8 @@ with deviceSpecific; {
 { device = if device == "Dell-Laptop" then
 "/dev/disk/by-partuuid/2de40bc4-a91c-4c89-a2cd-cbf34a0adf01"
+ else if device == "NixOS-VM" then
+ "/dev/disk/by-partuuid/afa18996-0fbc-448d-86ba-acf3f046671d"
 else "";
 randomEncryption.enable = true;
diff --git a/modules/mullvad.nix b/modules/mullvad.nix
new file mode 100644
index 0000000..c02904a
--- /dev/null
+++ b/modules/mullvad.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ cfg = config.networking.mullvad;
+in {
+ ###### interface
+
+ options = {
+ networking.mullvad = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ This option enables mullvad vpn daemon.
+ '';
+ };
+ enableOnBoot = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ When enabled mullvad daemon is started on boot.
+ '';
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.mullvad-vpn ];
+
+ systemd.services.mullvad-daemon = {
+ description = "Mullvad VPN daemon";
+ wantedBy = optional cfg.enableOnBoot "multi-user.target";
+ wants = [ "network.target" ];
+ after = [
+ "network-online.target"
+ "NetworkManager.service"
+ "systemd-resolved.service"
+ ];
+ startLimitIntervalSec = 20;
+ serviceConfig = {
+ ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";
+ Restart = "always";
+ RestartSec = 1;
+ };
+ };
+ };
+
+}
\ No newline at end of file
diff --git a/modules/network.nix b/modules/network.nix
index 2e1a2d5..35b9110 100644
--- a/modules/network.nix
+++ b/modules/network.nix
@@ -18,6 +18,8 @@
 firewall.enable = false;
 # usePredictableInterfaceNames = false;
 hostName = config.deviceSpecific.hostName;
+
+ mullvad.enable = true;
 };
 # systemd.services.dhcpcd.serviceConfig.Type = lib.mkForce
 # "simple"; # TODO Make a PR with this change; forking is not acceptable for dhcpcd.
diff --git a/modules/packages.nix b/modules/packages.nix
index b15579e..58d9c41 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
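Review bot: The unit declares `wants = [ "network.target" ];` but orders itself with `after = [ "network-online.target" ... ]`; nothing in this module pulls `network-online.target` in, so the ordering against it only takes effect when some other unit happens to activate that target. `wants = [ "network-online.target" ];` (or listing it next to `network.target`) makes the dependency match the ordering. With `Restart = "always"`, `RestartSec = 1` and `startLimitIntervalSec = 20`, a daemon that fails at startup will exhaust systemd's default start-limit burst within a few seconds and stay down; for a VPN daemon it would help to state in a comment on the service what the expected failure mode is for host traffic while it is not running, especially as the `firewall.enable = false;` context line in the network.nix hunk below suggests the host firewall is not a backstop. The service runs as root with no sandboxing directives (`ProtectSystem`, `ProtectHome`, `PrivateTmp`); how much of that mullvad-daemon tolerates is not visible here, so I would note it as a follow-up rather than block on it.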
@@ -10,6 +10,13 @@
 nixpkgs.config = {
 packageOverrides = pkgs: {
 i3lock-fancy = pkgs.callPackage ./applications/i3lock-fancy.nix {};
+ # mullvad-vpn = pkgs.mullvad-vpn.overrideAttrs (oldAttrs: rec {
+ # version = "2019.8";
+ # src = pkgs.fetchurl {
+ # url = "https://www.mullvad.net/media/app/MullvadVPN-${version}_amd64.deb";
+ # sha256 = "0cjc8j8pqgdhnax4mvwmvnxfcygjsp805hxalfaj8wa5adph96hz";
+ # };
+ # });
 };
 };
 }
\ No newline at end of file
diff --git a/secret.nix.gpg b/secret.nix.gpg
index 94c9b51..c135608 100644
Binary files a/secret.nix.gpg and b/secret.nix.gpg differ