diff --git a/hosts/norman/configuration.nix b/hosts/norman/configuration.nix index fc379738..86a4947d 100644 --- a/hosts/norman/configuration.nix +++ b/hosts/norman/configuration.nix @@ -26,13 +26,6 @@ ]; # Clients and peers can use the same port, see listenport }; - hardware.nitrokey.enable = true; - - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - services.tlp = { enable = true; settings = { diff --git a/hosts/norman/hardware-configuration.nix b/hosts/norman/hardware-configuration.nix index 2b6778e7..6f0b50b2 100644 --- a/hosts/norman/hardware-configuration.nix +++ b/hosts/norman/hardware-configuration.nix @@ -16,19 +16,17 @@ boot.extraModulePackages = []; boot.kernelPackages = pkgs.linuxPackages_latest; - boot.loader.grub.trustedBoot = { - enable = true; - systemHasTPM = "YES_TPM_is_activated"; - }; boot.initrd.luks.devices."cryptroot" = { device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6"; + allowDiscards = true; bypassWorkqueues = true; }; fileSystems."/" = { device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61"; fsType = "ext4"; + options = [ "discard" ]; }; fileSystems."/boot" = { diff --git a/hosts/norman/wireguard.nix b/hosts/norman/wireguard.nix index 2b5f896d..276fcf95 100644 --- a/hosts/norman/wireguard.nix +++ b/hosts/norman/wireguard.nix @@ -17,6 +17,7 @@ "10.0.0.13/32" "fc00:200::13/128" ]; + mtu = 1400; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) # Path to the private key file. @@ -61,6 +62,7 @@ ips = [ "10.0.1.121" ]; + mtu = 1400; listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers) # Path to the private key file.
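Review bot: `allowDiscards = true;` on `boot.initrd.luks.devices."cryptroot"` passes TRIM through dm-crypt, so anyone who can read the raw disk can see which blocks are unused; the line has no comment recording that this trade-off was accepted. That reveals roughly how much data the volume holds and can hint at the filesystem in use. The same hunk removes the `boot.loader.grub.trustedBoot` block, so the host appears to lose TPM-measured boot just as the encrypted volume becomes more transparent; both decisions deserve a short why-comment, e.g. `allowDiscards = true; # TRIM passthrough: exposes free-block layout of cryptroot, accepted for SSD performance`. If continuous discard is not specifically needed, consider dropping `options = [ "discard" ];` on `fileSystems."/"` in favour of periodic trimming with `services.fstrim.enable = true;`, which still relies on `allowDiscards`.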
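Review bot: The new `mtu = 1400;` in hosts/norman/wireguard.nix has no explanation, although the neighbouring `listenPort` lines each say why their value was chosen. The same literal is added again in the second hunk (the interface listening on 51821), so the two values can drift apart unnoticed. Suggest a comment such as `mtu = 1400; # below the usual WireGuard default of 1420 because <reason, e.g. PPPoE or nested tunnel overhead>`, and, if both interfaces must always match, binding the value once in a `let` and referencing it in both places. Both interface definitions start and end outside the visible hunks.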