diff --git a/machines/gamepc/configuration.nix b/machines/gamepc/configuration.nix
index e889f1f..6217470 100644
--- a/machines/gamepc/configuration.nix
+++ b/machines/gamepc/configuration.nix
@@ -10,7 +10,6 @@ in {
 config = {
 pim = {
 cinnamon.enable = true;
- inWheel = false;
 };
 facter.reportPath = ./facter.json;
@@ -18,9 +17,19 @@ in {
 home-manager.users.pim.imports = [./home.nix];
 programs.steam.enable = true;
+ users.users = {
+ root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim;
+
+ pim = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = config.pim.ssh.keys.pim;
+ };
+ };
+
 deployment = {
 targetHost = "gamepc";
 targetUser = "root";
+ tags = ["desktop"];
 keys = {
 root-sops-age-key = {
@@ -44,11 +53,6 @@ in {
 tailscale.enable = true;
 };
- users.users = {
- root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim;
- pim.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim;
- };
-
 boot.loader.grub = {
 enable = true;
 efiSupport = true;
diff --git a/machines/sue/configuration.nix b/machines/sue/configuration.nix
index 7925c9b..6b553cf 100644
--- a/machines/sue/configuration.nix
+++ b/machines/sue/configuration.nix
@@ -16,9 +16,15 @@ in {
 compliance.enable = true;
 };
+ users.users.pim = {
+ isNormalUser = true;
+ extraGroups = ["wheel" "docker" "input" "wireshark" "dialout"];
+ };
+
 deployment = {
 allowLocalDeployment = true;
 targetHost = null;
+ tags = ["desktop"];
 keys = {
 # TODO: Create macro for this
diff --git a/nixos/default.nix b/nixos/default.nix
index a289835..e74bb98 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -19,17 +19,12 @@
 ./compliance.nix
 ./cinnamon.nix
 ./ssh.nix
+ ./desktop.nix
 ];
- options.pim.inWheel = lib.mkOption {
- type = lib.types.bool;
- default = true;
- };
-
 config = {
 time.timeZone = "Europe/Amsterdam";
 i18n.defaultLocale = "en_US.UTF-8";
- programs.ssh.startAgent = true;
 hardware.pulseaudio.enable = false;
 systemd = {
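Review bot: In the `users.users` block added by the `@@ -18,9 +17,19 @@` hunk of machines/gamepc/configuration.nix, `root.openssh.authorizedKeys.keys` and `pim.openssh.authorizedKeys.keys` are both set to `config.pim.ssh.keys.pim`, so any holder of pim's key can log in as root directly and keeping pim out of wheel on this host does not separate the two accounts. If root login exists only to serve `deployment.targetUser = "root"`, a dedicated deploy key for root would preserve that boundary; at minimum a comment such as `# root accepts pim's keys for deployment; pim itself stays unprivileged here` would record the intent. pim also ends up with no `extraGroups` at all on gamepc, where the shared default used to add docker, input, wireshark and dialout; that looks intentional but is a behaviour change worth stating in the commit message. The `deployment` attribute set continues past the end of the hunk.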
@@ -38,23 +33,10 @@
 };
 services = {
- xserver = {
- enable = true;
- excludePackages = [pkgs.xterm];
- };
-
- tailscale = {
- useRoutingFeatures = "client";
- extraSetFlags = ["--accept-routes"];
- };
-
- printing = {
- enable = true;
- drivers = [pkgs.hplip pkgs.gutenprint];
- };
+ xserver.excludePackages = [pkgs.xterm];
+ printing.drivers = [pkgs.hplip pkgs.gutenprint];
 pipewire = {
- enable = true;
 alsa.enable = true;
 alsa.support32Bit = true;
 pulse.enable = true;
@@ -62,13 +44,6 @@
 };
 };
- users.users.pim = {
- isNormalUser = true;
- extraGroups =
- ["docker" "input" "wireshark" "dialout"]
- ++ lib.optional config.pim.inWheel "wheel";
- };
-
 environment = {
 systemPackages = with pkgs; [
 age
@@ -114,6 +89,7 @@
 nix = {
 package = pkgs.nixFlakes;
+ # TODO: "pim" shouldn't be here by default
 settings.trusted-users = ["root" "pim"];
 extraOptions = ''
@@ -170,6 +146,7 @@
 useUserPackages = true;
 extraSpecialArgs = {inherit self inputs;};
+ # TODO: shouldn't be here by default
 users.pim.imports = ["${self}/home-manager"];
 };
 };
diff --git a/nixos/desktop.nix b/nixos/desktop.nix
new file mode 100644
index 0000000..1b2709f
--- /dev/null
+++ b/nixos/desktop.nix
@@ -0,0 +1,20 @@
+{
+ lib,
+ config,
+ ...
+}: {
+ config = lib.mkIf (builtins.elem "desktop" config.deployment.tags) {
+ programs.ssh.startAgent = true;
+
+ services = {
+ xserver.enable = true;
+ printing.enable = true;
+ pipewire.enable = true;
+
+ tailscale = {
+ useRoutingFeatures = "client";
+ extraSetFlags = ["--accept-routes"];
+ };
+ };
+ };
+}
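Review bot: The new `# TODO: "pim" shouldn't be here by default` above `settings.trusted-users` in nixos/default.nix (hunk `@@ -114,6 +89,7 @@`) does not say why, and the reason matters: a trusted user of the Nix daemon is effectively root-equivalent, so any host importing this module grants that to pim regardless of wheel membership. Because the `@@ -62,13 +44,6 @@` hunk stops declaring `users.users.pim` in the shared module, this entry and `users.pim.imports` under home-manager (hunk `@@ -170,6 +146,7 @@`) now name a user that a given host may not define. I would word the comment as `# TODO: move "pim" out of the default; trusted-users are effectively root on the Nix daemon` and mirror the reason on the home-manager line. The `nix` attribute set starts and ends outside the hunk.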
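Review bot: Gating all of nixos/desktop.nix on `builtins.elem "desktop" config.deployment.tags` ties system behaviour to what looks like the deployment tool's node-selection tags, so a mistyped or later-removed tag silently turns off the SSH agent, X server, printing, PipeWire and the Tailscale client settings without any evaluation error. A dedicated switch would make the dependency explicit and type-checked, for example `options.pim.desktop.enable = lib.mkEnableOption "desktop profile";` with `config = lib.mkIf config.pim.desktop.enable { … };`. Note also that `useRoutingFeatures = "client"` and `--accept-routes` were previously set for every host by nixos/default.nix and now apply only to tagged desktops. If that narrowing is intended, a one-line comment saying that untagged hosts deliberately do not accept advertised routes would document it; if any untagged host relied on those routes, it needs the setting restored.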