diff --git a/cluster/services/acme-client/default.nix b/cluster/services/acme-client/default.nix
index 5a0e0cd..5645123 100644
--- a/cluster/services/acme-client/default.nix
+++ b/cluster/services/acme-client/default.nix
@@ -1,6 +1,6 @@
 {
   services.acme-client = {
-    nodes.client = [ "VEGAS" "prophet" ];
+    nodes.client = [ "checkmate" "VEGAS" "prophet" ];
     nixos.client = ./client.nix;
   };
 }
diff --git a/cluster/services/dns/pdns-api-key.age b/cluster/services/dns/pdns-api-key.age
index 3e90f17..65abafe 100644
--- a/cluster/services/dns/pdns-api-key.age
+++ b/cluster/services/dns/pdns-api-key.age
@@ -1,14 +1,16 @@
 age-encryption.org/v1
--> ssh-ed25519 NO562A 1bb8hrQQunFIVGRUkg9QrAKof4tAAV8D1KRavicuaFY
-y6X5aiD66+jBrfA9u3k3UrWQSEAd9yadLa0j2LgS9GY
--> ssh-ed25519 5/zT0w Ke3Ymtxr2Kvp4piYChcTfBxNnBO4MlYPxVMNqC6z5X4
-CHzxDO2LIUHNjCr4O3hkA/9MSD6LXD3YUQVhtCKp3So
--> ssh-ed25519 d3WGuA qPlzxEKYYe7QYBhsQuO/MI5IikwqjXVZutQL23aq2WQ
-esQyjMbfaWYmtg9CAcHY/WJnsPZiZPITufIQ5TkGzEc
--> ssh-ed25519 6YMlxg YajTOEPRSF/oMzlU4D0DC7DiBL22OxLBNTUN77wMwRY
-RNZFOE7KV6UffoFUTcdnfrgz6wptvkvkZfR7H3GKs0g
--> hI!f;r}-grease |@)
-PVxV1yo85W0ceDE3nuYqdfYoRIQkwyp1VK1WIkxQjBMIs5kIx0Fw+WjdHT6wv/HH
-Xh+qLqlgBfehoy28KZ52gsNRlDHN
---- +rOxrlTfSf4+mvHe8WZB1+xT0Jo/YxzEbEbIyOpLOS0
-4´éì	·†É. ß„þÞÄp—ûZ¨¶ïO)üB~¬ac£ˆTv†•Ú{_¥…UÛÜÕÄÖÄ8=U¶P¹î0¾a"A¾TV…„Ür1Ôèn¦NÜé{7¦À¥HòdþÏîu×çïðÚHgæe{{0d²ëM‹Xy›ÐóÁ™^4RWoÌm¾çzßç–-)Jö9!7.ÏoÑƒÒŠ®9ôe+a´&+‰‡]z}Îº4R×çš‚)ñÕŠ[ž4¯ûAÖÀ±Oã3D/¯’X¿Ä@7ýÁTRÀÒµç6Âã€]‹/	ß½$ê_Hàj‰w°ØØK(ýá“¦9npŽ;HõhbÞÚ2€›ÇYw;W‘æÄ0‚I6¿¾
\ No newline at end of file
+-> ssh-ed25519 NO562A L8hpKYttTvdcgFE0dutUUaUE8PFJ6vL1pUtf9qyrG3s
+pWu4g9K6JIIRqstPodUEKrAKtPFJ6zanBK6N64jMw18
+-> ssh-ed25519 5/zT0w m1YXyS/RJEtc79mY39jfierPxzP/Tj11VfJA2VjFtB8
+5VeWMX7EQ3d+z4M8Nc2uRbrhr37KbSJsKOSAAIsyVqk
+-> ssh-ed25519 TCgorQ ITq5QOMfdpJNpXv7EH3FXaZvUyfCMbeEfAZwq27YAl4
+fHVxtu2wwQDylXFFUgmEwIoTGrltKeSqgYvVdIl/UVs
+-> ssh-ed25519 d3WGuA 9NGFoevYhPhU6tu88PplKtBrw/wP6ESfhAmRe9nV01s
+dBqxeoIv1KGANbooK1s0Lr6c7khJN1nnfua6rFyV78E
+-> ssh-ed25519 6YMlxg oPkKqmsaV95qpewGlWcoaXqTJt2feAmH6TL3CqzymxI
+NMC1SRCdbGtrd+jsCZTz8Dwaf4TFT/JoV8Twih2iDMw
+-> =|z4N-grease
+03zbvyP3U5X8meDamKgLoK8UQe4nFi8e4ycdkPyacFTHk9vp+y4cI2vnEtAz
+--- xEJd9gIQxtWG43mtFiuhZWPb7ajMIYNeA/8MMuFpe2s
+‰Ìóû	uä·u'T­€²Ùv<•	/_ÞßhïÙZº'ß!þ@ìkL%#ÃŠ—Ö‘²@MFdo9Ù‡Ò2 ú/´ù—nV[}—kÇ#úÓÛ©Nà¤‚Ž>{¨Q4Ÿ|‚àv*AôíøR…nÆmi!q¸š©Ü?ÈÚç÷›òHÏ7(È9è¤jÜ`^l6ðM-²>¹À„q[œ…_
+_G‘}3è)ÿõ6k‘òq¾ôš’/p„Ü2bˆæ™¤>wŸú?>|ÙÂÎ©ÂÜÛôkÆ]AnŠžüŠ†Øë‰Ž^W&Œœ¼c÷CURQLz÷	º» ïó˜=”~‘Fo¹«©öî ÃÞ@(ó¹&Ó‰a,QÒ°F	ª}æP
\ No newline at end of file
diff --git a/cluster/services/monitoring/default.nix b/cluster/services/monitoring/default.nix
index 98e3188..0523889 100644
--- a/cluster/services/monitoring/default.nix
+++ b/cluster/services/monitoring/default.nix
@@ -9,7 +9,7 @@
   };
   services.monitoring = {
     nodes = {
-      client = [ "VEGAS" "prophet" ];
+      client = [ "checkmate" "VEGAS" "prophet" ];
     };
     nixos = {
       client = ./client.nix;
diff --git a/cluster/services/nginx/default.nix b/cluster/services/nginx/default.nix
index fa27013..a27752b 100644
--- a/cluster/services/nginx/default.nix
+++ b/cluster/services/nginx/default.nix
@@ -1,6 +1,6 @@
 {
   services.nginx = {
-    nodes.host = [ "VEGAS" "prophet" ];
+    nodes.host = [ "checkmate" "VEGAS" "prophet" ];
     nixos.host = [ ./nginx.nix ];
   };
 }
diff --git a/cluster/services/patroni/default.nix b/cluster/services/patroni/default.nix
index 367c2cc..a490000 100644
--- a/cluster/services/patroni/default.nix
+++ b/cluster/services/patroni/default.nix
@@ -18,7 +18,6 @@ in
   vars.patroni = {
     etcdNodes = lib.genAttrs cfg.nodes.etcd (name: config.links."patroni-etcd-node-peer-${name}");
     etcdNodesClient = lib.genAttrs cfg.nodes.etcd (name: config.links."patroni-etcd-node-client-${name}");
-    etcdExtraNodes = [ "fly=http://10.1.1.151:2380" ];
     passwords = {
       PATRONI_REPLICATION_PASSWORD = ./passwords/replication.age;
       PATRONI_SUPERUSER_PASSWORD = ./passwords/superuser.age;
@@ -35,7 +34,7 @@ in
   services.patroni = {
     nodes = {
       worker = [ "VEGAS" "prophet" ];
-      etcd = [ "VEGAS" "prophet" ];
+      etcd = [ "checkmate" "VEGAS" "prophet" ];
       haproxy = [ "VEGAS" "prophet" ];
     };
     nixos = {
diff --git a/cluster/services/patroni/etcd.nix b/cluster/services/patroni/etcd.nix
index e26bc18..bb4b6fd 100644
--- a/cluster/services/patroni/etcd.nix
+++ b/cluster/services/patroni/etcd.nix
@@ -12,7 +12,7 @@ in
   services.etcd = {
     enable = true;
     dataDir = "/srv/storage/private/etcd";
-    initialCluster = (map mkMember cluster.config.services.patroni.nodes.etcd) ++ vars.patroni.etcdExtraNodes;
+    initialCluster = map mkMember cluster.config.services.patroni.nodes.etcd;
     listenPeerUrls = lib.singleton vars.patroni.etcdNodes.${vars.hostName}.url;
     listenClientUrls = lib.singleton vars.patroni.etcdNodesClient.${vars.hostName}.url;
   };
@@ -20,6 +20,7 @@ in
     # run on any architecture
     environment.ETCD_UNSUPPORTED_ARCH = pkgs.go.GOARCH;
     serviceConfig = {
+      TimeoutStartSec = "900s";
       RestartSec = "5s";
       Restart = "on-failure";
     };
diff --git a/cluster/services/websites/default.nix b/cluster/services/websites/default.nix
index 85c6380..6d12a71 100644
--- a/cluster/services/websites/default.nix
+++ b/cluster/services/websites/default.nix
@@ -1,7 +1,7 @@
 {
   services.websites = {
     nodes = {
-      host = [ "VEGAS" "prophet" ];
+      host = [ "checkmate" "VEGAS" "prophet" ];
     };
     nixos = {
       host = ./host.nix;
diff --git a/cluster/services/wireguard/default.nix b/cluster/services/wireguard/default.nix
index cae81a8..50b6114 100644
--- a/cluster/services/wireguard/default.nix
+++ b/cluster/services/wireguard/default.nix
@@ -14,12 +14,23 @@ in
 {
   vars = {
     mesh = {
+      checkmate = config.links.mesh-node-checkmate.extra;
       VEGAS = config.links.mesh-node-VEGAS.extra;
       prophet = config.links.mesh-node-prophet.extra;
     };
     inherit meshNet;
   };
   links = {
+    mesh-node-checkmate = {
+      ipv4 = getExtAddr hosts.checkmate;
+      extra = {
+        meshIp = "10.1.1.32";
+        inherit meshNet;
+        pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U=";
+        privKeyFile = ./mesh-keys/checkmate.age;
+        extraRoutes = [];
+      };
+    };
     mesh-node-VEGAS = {
       ipv4 = getExtAddr hosts.VEGAS;
       extra = {
@@ -43,7 +54,7 @@ in
   };
   services.wireguard = {
     nodes = {
-      mesh = [ "VEGAS" "prophet" ];
+      mesh = [ "checkmate" "VEGAS" "prophet" ];
     };
     nixos = {
       mesh = ./mesh.nix;
diff --git a/cluster/services/wireguard/mesh-keys/checkmate.age b/cluster/services/wireguard/mesh-keys/checkmate.age
new file mode 100644
index 0000000..0276227
--- /dev/null
+++ b/cluster/services/wireguard/mesh-keys/checkmate.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A rE85lK37XeM803mXkugmTjfAp3LNqKy2yuGGbY4IOAM
+nDielwqyuaW72OKiUBgFPWK45aZhh768+MskQ5+vhUs
+-> ssh-ed25519 5/zT0w QxXHVLpk2qeXjO8c3a0cQ1oKk3fUn9+yIoHAK1hLYgQ
+d4s/F2ck8Z4AsCQReghxj+M0JjBYKoMpfU+K21AzwFg
+-> ssh-ed25519 TCgorQ lqg5aPJuj5NPEAgAaw52lwpQ++eWPxO4BITdpLKoZFg
+KS0kRB2K/+/+U2xfr2VE09XdjVvIflTweU93Vy7Okr8
+-> ?).-grease =%LA 5cVQvduw
+gs9TPdbaRJVf50LDiUdlg7Vr4LUfg2Kj2bPAbN2f2z4LKDnSbWHkJ6B3EfOMDxTN
+KmX8mGCi7QBGOfb1EY3h5cDgteBXiLN4aLh6kpCe0F3/DQ
+--- vLjmBMfCrvOuF1ww5UcHQAmBUo0LgIuJKcNEDlOCZ3g
+ß&„îd!¾Žqƒ©H<oÄžˆ×“5çå±ƒÐ±Ý0&Ÿýâ¬»¯3~Ù´ð5Œ§Ž÷Ñ¡“Ko)å6³üWÜ°‹
\ No newline at end of file
diff --git a/hosts/checkmate/default.nix b/hosts/checkmate/default.nix
new file mode 100644
index 0000000..863ae03
--- /dev/null
+++ b/hosts/checkmate/default.nix
@@ -0,0 +1,27 @@
+tools: {
+  ssh.id = with tools.dns; {
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINImnMfEzUBU5qiuu05DMPrddTGypOtr+cL1/yQN2GFn";
+    hostNames = subResolve "checkmate" "node";
+  };
+
+  interfaces = {
+    primary = {
+      addr = "10.0.243.198";
+      addrPublic = "152.67.73.164";
+      link = "ens3";
+    };
+  };
+
+  hypr = {
+    id = "12D3KooWL84sAtq1QTYwb7gVbhSNX5ZUfVt4kgYKz8pdif1zpGUh";
+    addr = "10.100.3.32";
+    listenPort = 995;
+  };
+
+  enterprise = {
+    subdomain = "node";
+  };
+
+  arch = "x86_64";
+  nixos = import ./system.nix;
+}
diff --git a/hosts/checkmate/hardware-configuration.nix b/hosts/checkmate/hardware-configuration.nix
new file mode 100644
index 0000000..d20bddd
--- /dev/null
+++ b/hosts/checkmate/hardware-configuration.nix
@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/disk/by-partlabel/rootfs"; fsType = "xfs"; };
+  swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; } ];
+}
diff --git a/hosts/checkmate/system.nix b/hosts/checkmate/system.nix
new file mode 100644
index 0000000..f90913c
--- /dev/null
+++ b/hosts/checkmate/system.nix
@@ -0,0 +1,38 @@
+{ aspect, inputs, hosts, ... }:
+
+{
+  imports =
+    [
+      # Hardware
+      ./hardware-configuration.nix
+
+      inputs.agenix.nixosModules.age
+
+      aspect.modules.hyprspace
+      aspect.modules.sss
+    ]
+    ++ aspect.sets.server;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "checkmate";
+  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+
+  time.timeZone = "Europe/Zurich";
+
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  services.openssh.enable = true;
+
+  zramSwap.enable = true;
+  zramSwap.algorithm = "zstd";
+
+  system.stateVersion = "21.11";
+
+}
+
diff --git a/hosts/default.nix b/hosts/default.nix
index 426072a..fb4ffac 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -6,6 +6,7 @@ in with tools.dns; {
   VEGAS = import ./VEGAS tools;
   prophet = import ./prophet tools;
   soda = import ./soda tools;
+  checkmate = import ./checkmate tools;
 
   # Non-NixOS machine metadata
   AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in {
diff --git a/secrets.nix b/secrets.nix
index 5c1ec48..b17c593 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -7,7 +7,7 @@ in with hosts;
   "cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ];
   "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
@@ -24,6 +24,7 @@ in with hosts;
   "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/wireguard/mesh-keys/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
@@ -40,6 +41,7 @@ in with hosts;
   "secrets/hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "secrets/hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hyprspace-key-prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
diff --git a/secrets/hyprspace-key-checkmate.age b/secrets/hyprspace-key-checkmate.age
new file mode 100644
index 0000000..19a490c
Binary files /dev/null and b/secrets/hyprspace-key-checkmate.age differ