diff --git a/cluster/services/wireguard/default.nix b/cluster/services/wireguard/default.nix
index b8a0ffb..a56e064 100644
--- a/cluster/services/wireguard/default.nix
+++ b/cluster/services/wireguard/default.nix
@@ -31,6 +31,16 @@ in
 extraRoutes = [];
 };
 };
+ mesh-node-thunderskin = {
+ ipv4 = getExtAddr hours.thunderskin;
+ extra = {
+ meshIp = "10.1.1.4";
+ inherit meshNet;
+ pubKey = "xvSsFvCVK8h2wThZJ7E5K0fniTBIEIYOblkKIf3Cwy0=";
+ privKeyFile = ./mesh-keys/thunderskin.age;
+ extraRoutes = [];
+ };
+ };
 mesh-node-VEGAS = {
 ipv4 = getExtAddr hours.VEGAS;
 extra = {
@@ -54,7 +64,7 @@ in
 };
 services.wireguard = {
 nodes = {
- mesh = [ "checkmate" "VEGAS" "prophet" ];
+ mesh = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
 };
 nixos = {
 mesh = ./mesh.nix;
diff --git a/cluster/services/wireguard/mesh-keys/thunderskin.age b/cluster/services/wireguard/mesh-keys/thunderskin.age
new file mode 100644
index 0000000..907b504
--- /dev/null
+++ b/cluster/services/wireguard/mesh-keys/thunderskin.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1 +-> ssh-ed25519 NO562A rdUnhWrA+Y4kORXQj3EXN2g0ocT+fCgWrWUzng4H2h0 +GpDWguEAJbruVKLsyg1UrajayaBTRqV4keuXOlUN4Dw +-> ssh-ed25519 5/zT0w XhGp6wmN3PiZtYa7z5aTbTOesYsJ0ldJ9FAydDOBHjE +KJKLJs5W9eVgyIxWvd7PGTCKF6+GKhfjCf/sS9oghKY +-> ssh-ed25519 FfIUuQ H1Y6kiQrhvhXMFiZ5S1aKFV/squ7NaqduuaCk3T9dms +8zn45DGkEH+vtkCjsnOlxeiZ+cEW/71bCYyj449axW0 +-> ZxL9h,-grease h7Z +1EWFRzEk6ikC2LnZLuB4Z3n69SHr/AoxBZHjsha2K1DYKJspfb+NCrNVkC1A9F0t +SllAo58gJsWkKdpyoKaE2nrV3SXoREMlcQvq/Z2X9WpR+A +--- IxR5wj2vdqY/Tcsur39cFEICvfxmo2OrcdQFR4LLJRw +[{{g=)q|{ 7 \ No newline at end of file
diff --git a/hosts/part.nix b/hosts/part.nix
index 697b819..ff8f3cc 100644
--- a/hosts/part.nix
+++ b/hosts/part.nix
@@ -11,6 +11,8 @@ in with tools.dns;
 fromLight = {
 checkmate = import ./checkmate tools;
+ thunderskin = import ./thunderskin tools;
+ VEGAS = import ./VEGAS tools;
 prophet = import ./prophet tools;
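Review bot: Nothing ties `pubKey` to `privKeyFile` in the new `mesh-node-thunderskin` entry at evaluation time, so a stale or mistyped public key would not fail the build — the other mesh peers would simply never complete a handshake with this node — and `meshIp = "10.1.1.4"` is likewise unchecked against the other nodes' addresses, which lie outside this hunk. A one-line comment on the entry would keep the invariant visible at the next key rotation: `# pubKey must equal "wg pubkey" of the decrypted privKeyFile; meshIp must be unique within meshNet`. The enclosing attribute set starts before this hunk.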
diff --git a/hosts/thunderskin/default.nix b/hosts/thunderskin/default.nix
new file mode 100644
index 0000000..8bcbdd4
--- /dev/null
+++ b/hosts/thunderskin/default.nix
@@ -0,0 +1,29 @@
+tools: {
+ ssh.enable = true;
+ ssh.id = with tools.dns; {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGV8TbMvGXfAp9R2I9GdR7aLlGjxh2CW1pCZjQSB4TJp";
+ hostNames = subResolve "thunderskin" "node";
+ };
+
+ interfaces = {
+ primary = {
+ addr = "10.0.243.121";
+ addrPublic = "140.238.208.154";
+ link = "ens3";
+ };
+ };
+
+ hyprspace = {
+ enable = true;
+ id = "12D3KooWB9AUPorFoACkWbphyargRBV9osJsYuQDumtQ85j7Aqmg";
+ addr = "10.100.3.4";
+ listenPort = 995;
+ };
+
+ enterprise = {
+ subdomain = "node";
+ };
+
+ system = "x86_64-linux";
+ nixos = ./system.nix;
+}
diff --git a/hosts/thunderskin/hardware-configuration.nix b/hosts/thunderskin/hardware-configuration.nix
new file mode 100644
index 0000000..d20bddd
--- /dev/null
+++ b/hosts/thunderskin/hardware-configuration.nix
@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/disk/by-partlabel/rootfs"; fsType = "xfs"; };
+ swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; } ];
+}
diff --git a/hosts/thunderskin/system.nix b/hosts/thunderskin/system.nix
new file mode 100644
index 0000000..7a2e451
--- /dev/null
+++ b/hosts/thunderskin/system.nix
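Review bot: The `publicKey` under `ssh.id` is not only the expected SSH host key for thunderskin but, via `systemKeys` in secrets.nix, also the age recipient for the mesh and hyprspace private keys this commit encrypts, so it should be checked against the key the machine actually presents (e.g. `ssh-keyscan -t ed25519 140.238.208.154`) before anything is encrypted to it — the wrong key would either lock the host out of its own secrets or hand them to whichever machine holds that key. A note on the field would record that this was done: `# host key; also the age recipient for this host's secrets (secrets.nix) — verify out of band before encrypting anything to it`. Separately, `listenPort = 995` sits in the well-known range and is the port conventionally registered for POP3S, which is easy to misread in a cloud security list or firewall rule; a `# hyprspace listen port` comment, or a port above 1023, would avoid the confusion.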
@@ -0,0 +1,36 @@
+{ depot, ... }:
+
+{
+ imports =
+ [
+ # Hardware
+ ./hardware-configuration.nix
+
+ depot.inputs.agenix.nixosModules.age
+
+ depot.nixosModules.hyprspace
+ depot.nixosModules.sss
+ depot.nixosModules.serverBase
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "thunderskin";
+ networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
+
+ time.timeZone = "Europe/Zurich";
+
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services.openssh.enable = true;
+
+ zramSwap.enable = true;
+ zramSwap.algorithm = "zstd";
+
+ system.stateVersion = "22.11";
+}
diff --git a/secrets.nix b/secrets.nix
index e2ac239..71a8517 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,6 +1,7 @@
 let
 max = (import ./users/max/userinfo.nix null).sshKeys;
- hosts = import ./hosts;
+ hosts = builtins.mapAttrs (_: v: v._module.specialArgs.depot.reflection)
+ (builtins.getFlake "git+file:.").nixosConfigurations;
 systemKeys = x: x.ssh.id.publicKey or null;
 in with hosts;
 {
@@ -25,6 +26,7 @@ in with hosts;
 "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/wireguard/mesh-keys/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
+ "cluster/services/wireguard/mesh-keys/thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
 "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
 "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
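Review bot: `services.openssh.enable = true` is the only SSH policy visible in system.nix; password authentication and root login are left to whatever `depot.nixosModules.serverBase` sets, which is outside this diff, and since the host carries a public address it is worth confirming that serverBase disables password authentication and restricts `PermitRootLogin` under whichever option spelling the pinned nixpkgs uses (`services.openssh.settings.*` or the older `passwordAuthentication`/`permitRootLogin`). The resolver setup deserves the same look: `networking.nameservers` pins DNS to VEGAS' vstub address (presumably reachable only once the mesh is up) while `networking.interfaces.ens3.useDHCP = true` lets the DHCP client learn the cloud network's resolvers as well, and unless serverBase disables DHCP-supplied DNS both sets are likely to end up in the resolver configuration — `resolvectl status` or `/etc/resolv.conf` on the deployed host will show which is actually used. A comment on the nameservers line stating the intent, `# DNS via VEGAS' vstub over the mesh; DHCP resolvers from ens3 must not take precedence`, would make the expectation checkable.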
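Review bot: `builtins.getFlake "git+file:."` in the new `hosts` binding resolves `.` against the working directory of the process evaluating this file, and Nix's git fetcher copies tracked files only, so the rules file now evaluates correctly only from the repository root and only after new host directories — `hosts/thunderskin` in this very commit — have been added to the index; an unlocked flakeref like this also needs impure evaluation, which is worth confirming against how agenix is invoked here. Reaching in through `_module.specialArgs` depends on module-system internals rather than a public option, so a short comment above the binding should say why: `# host keys come from each NixOS configuration's depot.reflection; run agenix from the repo root with host files tracked by git`. With keys now read through that path, the unchanged `x.ssh.id.publicKey or null` silently drops a host whose reflection lacks the attribute, leaving the secret encrypted to `max` alone — this fails closed at deploy time but is hard to diagnose, so `x.ssh.id.publicKey or (throw "missing ssh.id.publicKey for host")` would surface it at encryption time, assuming no listed host is meant to have no key.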
@@ -42,6 +44,7 @@ in with hosts;
 "secrets/hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
+ "secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
 "secrets/hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hyprspace-key-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
 "secrets/keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
diff --git a/secrets/hyprspace-key-thunderskin.age b/secrets/hyprspace-key-thunderskin.age
new file mode 100644
index 0000000..01c9502
--- /dev/null
+++ b/secrets/hyprspace-key-thunderskin.age
@@ -0,0 +1,14 @@
+age-encryption.org/v1 +-> ssh-ed25519 NO562A xFdhijkkXkGwJmF0ekFNV0mgPSp0CaBCz7PdaMV4Ck0 +MgsRuHirIkT6SJSaK5BOVYAdqbIP4cY/3a/mC0MmgsU +-> ssh-ed25519 5/zT0w uAozit3cZSeov1Otr6JyPVuH/mR4i9IjCSylNA82ZH8 +jMzwI2jUjhJwf/UrI/WDgS1OEmi6jzhbK5HiZ8Osekg +-> ssh-ed25519 FfIUuQ uTno5RRkc9uAyNorlpV6EkWhRHUaobo7gNjf6VA41Uc +W+ZNWqC9HScYo2P6880J1YGWtYxneVZ/o0TATZJPNcc +-> ^?yJ-grease +3EJ2gFOTRng9qiy8wEbs6CVj1xMhr9M0vFdWMr6kiDNz5Y0zd2GRSnY9sYVlgyxe +M+XBfn4TvG+JJvbBn3PAXqPl/vGJHCN06mZODd28qYg9lacF4uZQT2QDxS5fvwCI +xew +--- fqQAgulJ30Lcl3qbj6a7U4HVAKTed+kl5afz+JmUytk +_M2Y o.cT+몴AK.!ѻn'3}Il23'*٣=$OqE9LhҩT\DK Z # +v^Q \ No newline at end of file