diff --git a/machines/gunpowder/default.nix b/machines/gunpowder/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ecc71d202176df9af5e039e51c20ef0c4bbc262c
--- /dev/null
+++ b/machines/gunpowder/default.nix
@@ -0,0 +1,133 @@
+{ pkgs, ... }:
+let
+ username = "jolheiser";
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJh5aUDN/KN28+4tbayXRQliLyKFZaCZtUMEBNaJfHYj";
+in
+{
+ imports = [ ./hardware.nix ];
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelParams = [
+ "quiet"
+ "splash"
+ ];
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ useOSProber = true;
+ enableCryptodisk = true;
+ };
+ };
+
+ boot.initrd.secrets = {
+ "/crypto_keyfile.bin" = null;
+ };
+
+ boot.initrd.luks.devices = {
+ "luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".keyFile = "/crypto_keyfile.bin";
+ "luks-a2ca1842-1ce0-437e-ba5e-8864a41e81cb" = {
+ device = "/dev/disk/by-uuid/a2ca1842-1ce0-437e-ba5e-8864a41e81cb";
+ keyFile = "/crypto_keyfile.bin";
+ };
+ };
+
+ networking = {
+ hostName = "gunpowder";
+ networkmanager.enable = true;
+ firewall.enable = true;
+ };
+
+ services = {
+ xserver = {
+ enable = true;
+ displayManager.lightdm.enable = true;
+ desktopManager.xfce.enable = true;
+ };
+ openssh.enable = true;
+ tailscale.enable = true;
+ mullvad-vpn = {
+ enable = true;
+ package = pkgs.mullvad-vpn;
+ };
+ resolved.enable = true;
+
+ # media
+ jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+ tailproxy.jellyfin = {
+ enable = true;
+ hostname = "jellyfin";
+ port = 8096;
+ authKey = "tskey-auth-khZwt3ASDX11CNTRL-jYDAVuX7VVLCebLUGdvnVLLoUkeEevXEV"; # One-time key
+ };
+ sonarr = {
+ enable = true;
+ openFirewall = true;
+ };
+ tailproxy.sonarr = {
+ enable = true;
+ hostname = "sonarr";
+ port = 8989;
+ authKey = "tskey-auth-k1mZ4587A511CNTRL-uxq54KBAvb6YuhvZbxscb6rf7x8UwNiP"; # One-time key
+ };
+ radarr = {
+ enable = true;
+ openFirewall = true;
+ };
+ tailproxy.radarr = {
+ enable = true;
+ hostname = "radarr";
+ port = 7878;
+ authKey = "tskey-auth-kjuWphWmFp11CNTRL-dcpVCTbdPTAAiqQHaKVhTA27uNQeHxmq5"; # One-time key
+ };
+ bazarr = {
+ enable = true;
+ openFirewall = true;
+ };
+ tailproxy.bazarr = {
+ enable = true;
+ hostname = "bazarr";
+ port = 6767;
+ authKey = "tskey-auth-kydeAt7KDA21CNTRL-bLfZMG4ip4i4a91DX1b85ipjnZi9KgoN9"; # One-time key
+ };
+ prowlarr = {
+ enable = true;
+ openFirewall = true;
+ };
+ tailproxy.prowlarr = {
+ enable = true;
+ hostname = "prowlarr";
+ port = 9696;
+ authKey = "tskey-auth-koCbGEVEvh11CNTRL-7pxqVBdP4v5xNvsPP5mMv5oW8PrgVQmb"; # One-time key
+ };
+ };
+
+ users = {
+ users = {
+ "${username}" = {
+ extraGroups = [
+ "wheel"
+ "docker"
+ "storage"
+ ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ key ];
+ };
+ "root".openssh.authorizedKeys.keys = [ key ];
+ };
+ groups.media.members = [
+ "jolheiser"
+ "olheiser"
+ "jellyfin"
+ "radarr"
+ "sonarr"
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [ qbittorrent ];
+
+ system.stateVersion = "22.11";
+}
diff --git a/machines/gunpowder/hardware.nix b/machines/gunpowder/hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..769cc22055d3d1887053e3492a86c51e14cdd08b
--- /dev/null
+++ b/machines/gunpowder/hardware.nix
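Review bot: The five `authKey = "tskey-auth-…"` literals under `services.tailproxy.*` commit Tailscale auth keys to the repository in plaintext, and because they are string values in a NixOS module they are also copied into the world-readable /nix/store of the built system, so "One-time key" does not limit the exposure — the keys stay in git history and on disk. They should be revoked in the Tailscale admin console and replaced by a reference to a root-only file provisioned at activation time (agenix, sops-nix, or a manually placed `/run/secrets/<name>` placeholder), assuming the project-local `tailproxy` module accepts a file path rather than only an inline string — confirm against its option definition; a comment such as `# authKey must never be a literal here: it lands in the world-readable /nix/store` on each entry would document the constraint. Two smaller points in the same hunk: `openFirewall = true` on jellyfin, sonarr, radarr, bazarr and prowlarr opens those ports on every interface, not just the tailnet the `tailproxy` entries suggest is the intended access path, and `"root".openssh.authorizedKeys.keys = [ key ]` permits key-based root login over SSH, which the per-user `wheel` membership already makes unnecessary. `"olheiser"` in `groups.media.members` looks like a typo of the `username` binding `"jolheiser"` declared above, since no other user is defined in this file.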
@@ -0,0 +1,55 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/a3e3e496-9497-4340-9750-2104e2ab22ab";
+ fsType = "ext4";
+ };
+
+ fileSystems."/mnt/hdd" = {
+ device = "/dev/disk/by-uuid/eb8ad2da-12cf-454b-aa20-e497c4550b7c";
+ fsType = "ext4";
+ options = [
+ "users"
+ "nofail"
+ "gid=users"
+ ];
+ };
+
+ boot.initrd.luks.devices."luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".device = "/dev/disk/by-uuid/1f9bde68-9c4c-423c-a95f-17aa170dd2b4";
+
+ swapDevices = [ { device = "/dev/disk/by-uuid/7e84d904-b00a-4c6c-aba4-ec1dde2dff85"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}