diff --git a/configuration.nix b/configuration.nix
index e21ff16..16c59a6 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -150,6 +150,7 @@
   # VirtualBox
   virtualisation.docker.enable = true;
   virtualisation.virtualbox.host.enable = true;
+  virtualisation.virtualbox.host.package = pkgs.locked.virtualbox;
   virtualisation.virtualbox.host.enableExtensionPack = true;
   users.extraGroups.vboxusers.members = [ "lgm" ];
 
diff --git a/flake.lock b/flake.lock
index fbd894a..79c9c36 100644
--- a/flake.lock
+++ b/flake.lock
@@ -92,6 +92,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-fresh": {
+      "locked": {
+        "lastModified": 1699781429,
+        "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "dir": "lib",
@@ -110,6 +126,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-locked": {
+      "locked": {
+        "lastModified": 1699781429,
+        "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1699596684,
@@ -131,6 +163,8 @@
         "home-manager": "home-manager",
         "nh": "nh",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-fresh": "nixpkgs-fresh",
+        "nixpkgs-locked": "nixpkgs-locked",
         "nixpkgs-stable": "nixpkgs-stable"
       }
     }
diff --git a/flake.nix b/flake.nix
index a4fd46b..91e4a98 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,20 +7,19 @@
     # which represents the GitHub repository URL + branch/commit-id/tag.
 
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # separate inputs to lock some packages
+    # locked - stuff to be updated very unfrequently
+    # fresh - mostly desktop apps
+    nixpkgs-locked.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-fresh.url = "github:NixOS/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05";
     # nix-index-database.url = "github:nix-community/nix-index-database";
     # nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
     # nur = {
     #   url = "github:nix-community/NUR";
     # };
-    # nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
-    # home-manager, used for managing user configuration
     home-manager = {
       url = "github:nix-community/home-manager/master";
-      # The `follows` keyword in inputs is used for inheritance.
-      # Here, `inputs.nixpkgs` of home-manager is kept consistent with
-      # the `inputs.nixpkgs` of the current flake,
-      # to avoid problems caused by different versions of nixpkgs.
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nh = {
@@ -31,22 +30,48 @@
 
   outputs = inputs@{
     nixpkgs,
+    nixpkgs-locked,
+    nixpkgs-fresh,
     nixpkgs-stable,
     # nix-index-database,
     # nur,
     home-manager,
     ...
-  }: {
+  }: 
+  let
+    system = "x86_64-linux";
+    overlay-locked = final: prev: {
+      locked = import nixpkgs-locked {
+        inherit system;
+        config.allowUnfree = true;
+      };
+    };
+    overlay-fresh = final: prev: {
+      fresh = import nixpkgs-fresh {
+        inherit system;
+        config.allowUnfree = true;
+      };
+    };
+    overlay-stable = final: prev: {
+      stable = import nixpkgs-stable {
+        inherit system;
+        config.allowUnfree = true;
+      };
+    };
+    my-overlays = [
+      overlay-locked
+      overlay-fresh
+      overlay-stable
+    ];
+  in
+  {
     nixosConfigurations.lgm-nixos = nixpkgs.lib.nixosSystem rec {
-      system = "x86_64-linux";
+      inherit system;
       specialArgs = {
-        pkgs-stable = import nixpkgs-stable {
-          system = system;
-          config.allowUnfree = true;
-        };
         secrets = import ./secrets {};
       };
       modules = [
+        ({ config, pkgs, ... }: { nixpkgs.overlays = my-overlays; })
         # nur.nixosModules.nur
         inputs.nh.nixosModules.default
         ./configuration.nix
@@ -63,7 +88,6 @@
           home-manager.users.lgm = import ./home.nix;
 
           home-manager.extraSpecialArgs = with specialArgs; {
-            inherit pkgs-stable;
             inherit secrets;
           };
         }
diff --git a/home.nix b/home.nix
index 6f53f7b..47911a4 100644
--- a/home.nix
+++ b/home.nix
@@ -1,4 +1,4 @@
-{ config, osConfig, secrets, pkgs, pkgs-stable, ... }:
+{ config, osConfig, secrets, pkgs, ... }:
 
 {
   home.username = "lgm";
@@ -12,7 +12,6 @@
     ((import ./scripts/rebuild.nix) {inherit pkgs;})
     wineWowPackages.waylandFull
     openconnect
-    ani-cli
     # file editing
     onlyoffice-bin
     # theming
@@ -41,7 +40,7 @@
     protonvpn-gui
     protonvpn-cli
     # security
-    keepassxc
+    fresh.keepassxc
     onlykey
     onlykey-agent
     libsForQt5.plasma-vault
@@ -52,12 +51,11 @@
     libsForQt5.kgpg
 
     # messaging
-    (discord.override {
+    (fresh.discord.override {
         withOpenASAR = true;
-        withVencord = true;
     })
-    vesktop
-    telegram-desktop
+    fresh.vesktop
+    fresh.telegram-desktop
     libsForQt5.tokodon
     libsForQt5.neochat
 #     pkgs-unstable.cinny-desktop
@@ -75,6 +73,7 @@
     lutris
     # dev
     jetbrains.idea-community
+    packwiz
     # vscodium # see programs.vscode
     rnix-lsp
     #nnn # terminal file manager
@@ -86,6 +85,9 @@
 #     p7zip
 
     # utils
+    ani-cli
+    yt-dlp
+    mosh
     appimage-run
     kate
     ncdu