diff --git a/.sops.yaml b/.sops.yaml
index 22aa91b..aedde85 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -25,3 +25,9 @@ creation_rules:
     - age:
       - *host_defiant
       - *user_felixalb
+
+  - path_regex: secrets/challenger/[^/]+\.yaml$
+    key_groups:
+    - age:
+      # - *host_defiant
+      - *user_felixalb
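Review bot: The new `secrets/challenger/` rule lists only `*user_felixalb` as a recipient, so no host key can decrypt these files; as far as this commit shows, sops-nix on challenger would have no key that opens `sops.defaultSopsFile` at activation. The commented-out entry is `*host_defiant`, apparently copied from the rule above, and uncommenting it as-is would give defiant's key access to challenger's secrets instead of challenger's own. I would replace it with a host-specific anchor such as `- *host_challenger` (placeholder name; the anchor has to be defined in the `keys:` section outside this hunk) and run `sops updatekeys` on the affected files once the host's age key exists. Until then a short comment like `# TODO: add challenger host key; host cannot decrypt yet` would make the gap explicit.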
diff --git a/flake.nix b/flake.nix
index 260a6ae..ecf41a7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -67,6 +67,24 @@
             }
           ];
         };
+        challenger = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit inputs;
+          };
+          modules = [
+            # Overlays-module makes "pkgs.unstable" available in configuration.nix
+            ({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
+
+            ./hosts/challenger/configuration.nix
+            sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users."felixalb" = import ./hosts/challenger/home.nix;
+            }
+          ];
+        };
         defiant = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
           specialArgs = {
diff --git a/hosts/challenger/configuration.nix b/hosts/challenger/configuration.nix
new file mode 100644
index 0000000..182ab36
--- /dev/null
+++ b/hosts/challenger/configuration.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ./hardware-configuration.nix
+      ./exports.nix
+      ./filesystems.nix
+  ];
+
+  networking = {
+    hostName = "challenger";
+    bridges.br0.interfaces = [ "eno1" ]; # TODO
+    interfaces.br0.useDHCP = false;
+    interfaces.br0.ipv4.addresses = [
+      { address = "192.168.10.161"; prefixLength = 24; }
+    ];
+
+    hostId = "828ab735";
+    defaultGateway = "192.168.10.1";
+  };
+
+  sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+  environment.systemPackages = with pkgs; [
+    zfs
+  ];
+
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
+
+  system.stateVersion = "24.05";
+}
+
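Review bot: `virtualisation.docker.enable = true` deserves a comment about the firewall, because ports published by Docker containers are opened through Docker's own iptables rules and are not filtered by `networking.firewall.allowed*Ports`. On a storage host that also serves NFS, that means any later `oci-containers` entry with a `ports` mapping is exposed on the LAN bridge without a matching firewall change in this repository. I would add above the line `# Docker-published ports bypass networking.firewall; bind to 127.0.0.1 or a specific address unless LAN exposure is intended`, and publish container ports with an explicit bind address when containers are added.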
diff --git a/hosts/challenger/exports.nix b/hosts/challenger/exports.nix
new file mode 100644
index 0000000..e4fbd7c
--- /dev/null
+++ b/hosts/challenger/exports.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+{
+  # Enable nfs4 only
+  services.nfs.server = {
+    enable = true;
+    exports = ''
+    ''; # TODO
+  };
+
+  networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
+  networking.firewall.allowedUDPPorts = [ 111 20048];
+}
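Review bot: The comment says "Enable nfs4 only", but the firewall lines open 111 (rpcbind) and 20048 (mountd) on TCP and UDP, which only NFSv3 needs, and nothing in this file disables v3. For a v4-only server the rule can be `networking.firewall.allowedTCPPorts = [ 2049 ];` with the UDP line dropped; if v3 is wanted, the comment should say so and mountd should be pinned with `services.nfs.server.mountdPort = 20048;`, since otherwise the opened port may not be the one in use. The ports are also opened on every interface; `networking.firewall.interfaces.br0.allowedTCPPorts` would limit them to the bridge. When the empty `exports` string is filled in, restrict each export to the client subnet or hosts instead of `*`.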
diff --git a/hosts/challenger/filesystems.nix b/hosts/challenger/filesystems.nix
new file mode 100644
index 0000000..626efb6
--- /dev/null
+++ b/hosts/challenger/filesystems.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives are defined in ./hardware-configuration.nix
+
+  environment.systemPackages = with pkgs; [ cifs-utils ];
+
+  # Local zfs
+  boot = {
+    zfs.extraPools = [ "tank" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "Wed *-*-8..14 00:00:00";
+  };
+
+}
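Review bot: `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages` makes the host follow the newest kernel series ZFS supports, which can be a short-lived non-LTS branch that stops receiving security fixes before ZFS supports its successor. As far as I know, newer nixpkgs releases deprecate this attribute for that reason, so it is worth confirming against the release notes of the channel this flake tracks. Dropping the line and staying on the default kernel avoids the problem; if a newer kernel is needed for hardware support, a comment such as `# pinned for <reason>; revisit on each release upgrade` would document the choice.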
diff --git a/hosts/challenger/hardware-configuration.nix b/hosts/challenger/hardware-configuration.nix
new file mode 100644
index 0000000..f6d4b2c
--- /dev/null
+++ b/hosts/challenger/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/TODO";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/TODO";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.idrac.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/challenger/home.nix b/hosts/challenger/home.nix
new file mode 100644
index 0000000..04b5729
--- /dev/null
+++ b/hosts/challenger/home.nix
@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "24.05";
+}