diff --git a/hosts/servers/rainbowdash.nix b/hosts/servers/rainbowdash.nix
new file mode 100644
index 00000000..1ac1ed50
--- /dev/null
+++ b/hosts/servers/rainbowdash.nix
@@ -0,0 +1,27 @@
+{ pkgs, lib, config, ... }:
+
+{
+  imports = [ ../../hardware/virtualized.nix ];
+
+  networking.hostName = "rainbowdash";
+
+  ocf.network = {
+    enable = true;
+    lastOctet = 129;
+  };
+
+  ocf.nfs = {
+    enable = true;
+    mountHome = true;
+    mountServices = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    ocf-utils
+    openldap
+    ldapvi
+    ipmitool
+  ];
+
+  system.stateVersion = "25.05";
+}
diff --git a/modules/nfs.nix b/modules/nfs.nix
new file mode 100644
index 00000000..c88742b3
--- /dev/null
+++ b/modules/nfs.nix
@@ -0,0 +1,38 @@
+{ pkgs, lib, config, ... }:
+
+let
+  cfg = config.ocf.nfs;
+in
+{
+  options.ocf.nfs = {
+    enable = lib.mkEnableOption "Enable NFS Mounts";
+
+    mountHome = lib.mkOption {
+      type = lib.types.bool;
+      description = "Mount /home from NFS.";
+      default = false;
+    };
+
+    mountServices = lib.mkOption {
+      type = lib.types.bool;
+      description = "Mount /services from NFS.";
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.supportedFilesystems = [ "nfs" ];
+
+    fileSystems."/home" = lib.mkIf cfg.mountHome {
+      device = "homes:/home";
+      fsType = "nfs4";
+      options = [ "rw" "bg" "noatime" "nodev" "nosuid" ];
+    };
+
+    fileSystems."/services" = lib.mkIf cfg.mountHome {
+      device = "services:/services";
+      fsType = "nfs4";
+      options = [ "rw" "bg" "noatime" "nodev" "nosuid" ];
+    };
+  };
+}
diff --git a/secrets/host-keys/rainbowdash.pub b/secrets/host-keys/rainbowdash.pub
new file mode 100644
index 00000000..13cd6f60
--- /dev/null
+++ b/secrets/host-keys/rainbowdash.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuA9ZE0li8vj6YAzJS5wE2grmjMeMcYmbZqVJJNEFxQ root@rainbowdash
diff --git a/secrets/rekeyed/rainbowdash/e6b22b150c94e1ff1c4b47be77d49d63-root-password-hash.age b/secrets/rekeyed/rainbowdash/e6b22b150c94e1ff1c4b47be77d49d63-root-password-hash.age
new file mode 100644
index 00000000..c36e05b8
--- /dev/null
+++ b/secrets/rekeyed/rainbowdash/e6b22b150c94e1ff1c4b47be77d49d63-root-password-hash.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 5JSvLg B+luhG32LFQZzKdNAr8XT67kPyF4a0ZHzTOQb6EChDc
+pkXXY4u6+VqaApg4T3py7F4RTH9WAlGBlwHiL41QMKs
+-> 0T(c-grease Y?gF`v B7^oT e9S'^7 5C'L8T
+vQ5Y14nt4YY5AmEmuzTZVLJu1HZpOvIpoYnBpdgbCLuGI7TBNzYtfhzntnF2CHqm
+EHEL3UyT
+--- 7yvaVIiAr2wyz1xHSzPs7RUy2Ho7xwfc2uSASHRM+9M
+˜
+JþJŒ×µ.iìÕ_	æl£?ó§¹ò¾©ùÖ×;[­—@[<…¢€Øuvç˜˜e	…L/ŸŒlI¾À$ò@=ƒ6MÉ©I¢îðÏL"NÏ*Gàr~W»ïìÔ¬
\ No newline at end of file
diff --git a/secrets/rekeyed/rainbowdash/fd99637bd8cfae41bd7e65d9eff137ec-tsig-secret.age b/secrets/rekeyed/rainbowdash/fd99637bd8cfae41bd7e65d9eff137ec-tsig-secret.age
new file mode 100644
index 00000000..4fc78e2c
--- /dev/null
+++ b/secrets/rekeyed/rainbowdash/fd99637bd8cfae41bd7e65d9eff137ec-tsig-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 5JSvLg Fiv98mqbByNGQWlSAw/ih84P5gSv9UqvpK5LGNounwI
+QtWMkea2HC3dPDgm1gEFLKkwRb4l2m5sKrh3ubidQ/s
+-> vW-grease 1<9 rR_60% bxfbx2y
+qLwzBmoNa5KNOQms+CgwZg9r5VhS+MLmVtSgCOYL4dprorekGVhCE6oaBGQoolUJ
+ePluoWzYlKObSnMT4A
+--- QWOis4tkxTebsONeMIJhgkr9HJHA2MyK27fz34HePe0
+‹ÏbgfÀ×lÄ|Âdk>š6aK€ '#aXÔñdMŽ„’*§¡m0û{He1¡+AŠ#÷súrE5"¨qÜ~¹M»’gáñÊ‹<£c&\«"£“2ZN;ž£bÿ+0BÑÄô¢¶ƒ”¸#õ`÷Öý`ôÅ=³§ä²Åb¦“­
\ No newline at end of file