diff --git a/.sops.yaml b/.sops.yaml
index 2952a9f..5e05ca8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 # Hosts
 - &alto age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t
 - &cirrus age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4
+ - &cumulus age1dnru7l0agvnw3t9kmx60u4vh5u4tyd49xdve53zspxkznnp9f34qtec9dl
 - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
 - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
@@ -23,6 +24,11 @@ creation_rules:
 - age:
 - *admin
 - *cirrus
+ - path_regex: hosts/cumulus/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *cumulus
 - path_regex: hosts/fern/secrets.yaml$
 key_groups:
 - age:
diff --git a/hosts/cumulus/default.nix b/hosts/cumulus/default.nix
new file mode 100644
index 0000000..5e9fa53
--- /dev/null
+++ b/hosts/cumulus/default.nix
@@ -0,0 +1,13 @@
+_: {
+ system.stateVersion = "24.11";
+
+ custom = {
+ sops.enable = true;
+ boot.loader.grub.enable = true;
+
+ services.tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+ };
+}
diff --git a/hosts/cumulus/disko.nix b/hosts/cumulus/disko.nix
new file mode 100644
index 0000000..f61c8c6
--- /dev/null
+++ b/hosts/cumulus/disko.nix
@@ -0,0 +1,36 @@
+{
+ disko.devices = {
+ disk.main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg.pool = {
+ type = "lvm_vg";
+ lvs.root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/cumulus/hardware.nix b/hosts/cumulus/hardware.nix
new file mode 100644
index 0000000..00772cf
--- /dev/null
+++ b/hosts/cumulus/hardware.nix
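Review bot: The new rule `path_regex: hosts/cumulus/secrets.yaml$` in the second .sops.yaml hunk is anchored only at the end, so it also matches any deeper path that ends in that string; this mirrors the existing cirrus and fern rules, so it is a repository-wide pattern rather than something this commit introduces. Anchoring the start, `path_regex: ^hosts/cumulus/secrets.yaml$`, makes each rule match exactly one file relative to the directory holding .sops.yaml and is a one-character change per rule. The `&cumulus` recipient added in the first hunk is the same key that appears as the second recipient in the new hosts/cumulus/secrets.yaml, so the key and the rule are consistent with each other.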
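Review bot: In hosts/cumulus/default.nix, `services.tailscale.ssh.enable = true` under `custom` is the only remote-access path visible in this commit, and it depends on the `tailscale-auth-key` from the new secrets.yaml being accepted at first boot; if that key is expired or was single-use, the host is reachable only through the provider console. The `custom` module's definition is not in this diff, so it may well also enable OpenSSH — worth confirming, and worth a why-comment on that line such as `# Tailscale SSH is the remote-access path for this host; provider console is the fallback` so the dependency on a working auth key is explicit.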
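Review bot: In hosts/cumulus/disko.nix, `device = "/dev/sda";` pins the install target to a kernel enumeration name, which is not guaranteed stable and will silently wipe the wrong disk if a second device ever enumerates first; for a single-disk VM this is usually fine, but a stable path such as `device = "/dev/disk/by-id/<DISK_ID>";` (placeholder, take the id from the target machine) is the safer form and costs nothing. The root filesystem is plain ext4 with no encryption layer, which is a normal trade-off for a VM that must boot unattended, but since the host's age key that decrypts secrets.yaml will live on that filesystem, a one-line comment stating that the trade-off is intentional would help the next reader.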
@@ -0,0 +1,48 @@
+{ modulesPath, inputs, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.default
+ "${modulesPath}/profiles/qemu-guest.nix"
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+
+ zramSwap.enable = true;
+
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ networks."10-enp1s0" = {
+ matchConfig.Name = "enp1s0";
+ linkConfig.RequiredForOnline = "routable";
+ networkConfig.DHCP = "no";
+ address = [
+ "49.13.231.235/32"
+ "2a01:4f8:1c1e:76fe::1/64"
+ ];
+ routes = [
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ { Gateway = "fe80::1"; }
+ ];
+ dns = [
+ "1.1.1.1"
+ "8.8.8.8"
+ "2606:4700:4700::1111"
+ "2001:4860:4860::8888"
+ ];
+ };
+ };
+ services.resolved.enable = true;
+}
diff --git a/hosts/cumulus/secrets.yaml b/hosts/cumulus/secrets.yaml
new file mode 100644
index 0000000..8b14d6f
--- /dev/null
+++ b/hosts/cumulus/secrets.yaml
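Review bot: The route entry `Gateway = "172.31.1.1"; GatewayOnLink = true;` pairs an address configured as a `/32` with a gateway outside that prefix, which only works because of `GatewayOnLink`; nothing in the file says why, so a later reader may "fix" it by widening the mask and break routing. Suggest a why-comment above the `routes` list, e.g. `# Address is a /32; the gateway is outside the prefix and reachable only on-link, so do not widen the mask`. The static address, the IPv6 prefix and the hard-coded public resolvers under `dns` are presumably values assigned or recommended by the hosting provider — confirm and name the source in a one-line comment so they are not mistaken for arbitrary choices.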
@@ -0,0 +1,26 @@
+seb-password: ENC[AES256_GCM,data:laGJomW5c5TB3alpPgZKElQ3Y46OBxPrA0AxVNgx/09oSuG0EM63cnnkwZkrTeZxqjBH2UOryLqCr9DUr9mhZsovqNtZ2t8Uzg==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:2nARGI9XwzLfJFRhDyGBSw==,type:str]
+tailscale-auth-key: ENC[AES256_GCM,data:FKHQsrLhELUKUg/nuf/UakS14Qj8z3arRR3366Cc3wag8+lpLrVjKXT8a5ZFd4ZtIghrCSvyXUefAKcVmQ==,iv:jvuoo8DD7ls0WZA6ZrCbz3w4O8NCyXZjv1mscnx/T94=,tag:HczecDubwKkCVu04rqhh9w==,type:str]
+sops:
+ age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvd29MSnZKanp3OXZxNHhv
+ Vks2ajgwb25qVnVDSWIvZWh1MytGTFBHL1dvCmhDNEF2R3Zac29HVHdLdXljYjJs
+ alZYZDF2MjR2cWdBNWZYQXh1OElSWTgKLS0tIHY0eDJhRlVqbUtJQkFSTUh6cFor
+ TWhBRXFNb3p1NU5udW9SU1Q4L2YyaVUKUMopZJ68KwiAknBFvz01X0TvBVH+1amz
+ PxhHWvrcY54s8vfw9gk6LiN3o4vlZVCSfzHGLGoXxFeylc6RTM4CIw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dnru7l0agvnw3t9kmx60u4vh5u4tyd49xdve53zspxkznnp9f34qtec9dl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSDhRQmpXaGdocDMvaS9u
+ a0ZyOEtNT2N4bG01NERFQTErc1hFaE1xWFFVClA4YjBwdGVhbTZ3dE9ZSFV2M1Zu
+ ZCtuVHN4R0NMQU16UXFRdVVqQlJLazgKLS0tIDdmWVc4ejFNRWVhY1piSTBXU0cx
+ V1F2cjlmRWNKWkN1U3hwNWl6U2lEb1kKgsj22mpgxpgA5oXTXhoA5DtkySqqcn17
+ OrpUiZmfOABXEZ0b5pnkAD06aW+7j2SqajYpvguxIrD9x1w562FmZA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-07T22:49:36Z"
+ mac: ENC[AES256_GCM,data:b1kQnO1ZGo0jKHJv0kpckcb4YDH6V/B/4goEYagSubptuYKOnJr/5v50668kUryporuFmvvRVl9FfiZJ1FA4YFiNEhwWXuzWw7EYAJakT7NEF2jOxWu4HoHo398bv1pKBhY6yoEkv8ui/uZ6uERBS2TqVZgAqITQ2dXCNHQTSZU=,iv:0Gf93jjvZ4U5ewaH9WDy1IsmBSjB73wa2AKWVwH/BDs=,tag:himapC2kA43pL1EX69teaA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/users/seb/@cumulus/default.nix b/users/seb/@cumulus/default.nix
new file mode 100644
index 0000000..9f75a8c
--- /dev/null
+++ b/users/seb/@cumulus/default.nix
@@ -0,0 +1,3 @@
+_: {
+ imports = [ ../user.nix ];
+}