diff --git a/disko/hetzner.nix b/disko/hetzner.nix
new file mode 100644
index 0000000..cc4e60b
--- /dev/null
+++ b/disko/hetzner.nix
@@ -0,0 +1,47 @@
+# USAGE in your configuration.nix.
+# Update devices to match your hardware.
+# {
+# imports = [ ./disko-config.nix ];
+# disko.devices.disk.main.device = "/dev/sda";
+# }
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ priority = 1;
+ };
+ root = {
+ size = "-1G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ encryptedSwap = {
+ size = "1G";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ priority = 100; # prefer to encrypt as long as we have space for it
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 3a64136..4947de8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -64,6 +64,24 @@ "owner": "tinted-theming", "repo": "base16-vim", "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730135292, + "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=", + "owner": "nix-community", + "repo": "disko", + "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "latest", + "repo": "disko", "type": "github" } },
@@ -625,6 +643,7 @@ }, "root": { "inputs": { + "disko": "disko", "firefox-addons": "firefox-addons", "flake-compat": "flake-compat", "flake-parts": "flake-parts",
diff --git a/flake.nix b/flake.nix
index c85dde6..c16bcdc 100644
--- a/flake.nix
+++ b/flake.nix
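Review bot: In disko/hetzner.nix the `root` partition sets `size = "-1G"`, and as far as I know disko's gpt `size` option only accepts an unsigned size or `"100%"`, with offsets from the end of the disk expressed through `end` instead. If that holds, this layout fails at evaluation; `end = "-1G";` keeps the 1G tail reserved for `encryptedSwap`. Separately, the swap is randomly encrypted but `/` is plain ext4, so everything else on this hosted disk is unencrypted at rest; if that is a deliberate trade-off, a comment on `root` saying so would help. The USAGE header also still refers to `./disko-config.nix` rather than this file's path.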
@@ -40,6 +40,12 @@ # flake-parts.follows = "flake-parts"; # }; # }; + disko = { + url = "github:nix-community/disko/latest"; + inputs = { + nixpkgs.follows = "nixpkgs"; + }; + }; firefox-addons = { url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
diff --git a/systems/hetzner-bridge/configuration.nix b/systems/hetzner-bridge/configuration.nix
new file mode 100644
index 0000000..78319a7
--- /dev/null
+++ b/systems/hetzner-bridge/configuration.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ ../../disko/hetzner.nix
+ ./networking.nix
+ ];
+ disko.devices.disk.main.device = "scsi-0QEMU_QEMU_HARDDISK_55513992";
+
+ boot = {
+ useSystemdBoot = true;
+ };
+
+ hardware.enableAllFirmware = true;
+
+ system.stateVersion = "24.05";
+}
diff --git a/systems/hetzner-bridge/default.nix b/systems/hetzner-bridge/default.nix
new file mode 100644
index 0000000..a83c03a
--- /dev/null
+++ b/systems/hetzner-bridge/default.nix
@@ -0,0 +1,8 @@
+{ inputs, ... }:
+{
+ users = [ "alice" ];
+ modules = [
+ # inputs.attic.nixosModules.atticd
+ inputs.disko.nixosModules.disko
+ ];
+}
diff --git a/systems/hetzner-bridge/hardware-configuration.nix b/systems/hetzner-bridge/hardware-configuration.nix
new file mode 100644
index 0000000..142a05c
--- /dev/null
+++ b/systems/hetzner-bridge/hardware-configuration.nix
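Review bot: In flake.nix the new `disko` input follows the moving `latest` ref, so the only thing fixing which code partitions and formats disks with root privileges is the `rev`/`narHash` pair in flake.lock. Consider a comment such as `# pinned via flake.lock; review the disko rev change on every flake update`, or pointing `url` at a versioned release tag (`github:nix-community/disko/<release-tag>`). `nixpkgs.follows = "nixpkgs"` is a good choice here since it avoids a second nixpkgs in the closure.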
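Review bot: In systems/hetzner-bridge/configuration.nix `disko.devices.disk.main.device` is set to the bare id `scsi-0QEMU_QEMU_HARDDISK_55513992`, which is not a device path; disko expects an absolute path, presumably `"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_55513992"`. `boot.useSystemdBoot` is not a stock NixOS option (the upstream one is `boot.loader.systemd-boot.enable`), so unless a module elsewhere in this repo declares it the evaluation will fail. The `imports` list also does not include `./hardware-configuration.nix`, which is added in this same commit; if nothing else pulls it in, its settings never apply.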
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/hetzner-bridge/networking.nix b/systems/hetzner-bridge/networking.nix
new file mode 100644
index 0000000..256e872
--- /dev/null
+++ b/systems/hetzner-bridge/networking.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ systemd.network.enable = true;
+ systemd.network.networks."10-wan" = {
+ matchConfig.Name = "enp1s0"; # either ens3 or enp1s0 depending on system, check 'ip addr'
+ networkConfig.DHCP = "ipv4";
+ };
+}
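Review bot: In systems/hetzner-bridge/hardware-configuration.nix the module list sits under `boot.availableKernelModules`, but as far as I know the NixOS option is `boot.initrd.availableKernelModules`; it looks like the generated `boot.initrd.*` lines were regrouped by hand and the `initrd` level was lost for this one. Inside the `boot = { … }` block it should read `initrd.availableKernelModules = [ … ];`. Since the file no longer matches what `nixos-generate-config` emits, the "Do not modify this file!" header is misleading and could be reworded to say the file is maintained by hand.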
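Review bot: systems/hetzner-bridge/networking.nix enables systemd-networkd for `enp1s0` while `networking.useDHCP` stays true (hardware-configuration.nix in this commit sets it with `lib.mkDefault true`, and true is also the NixOS default), so the scripted DHCP client may end up managing the same interface. Adding `networking.useDHCP = false;` next to `systemd.network.enable = true;` would leave networkd as the only owner. The inline comment says the name is either `ens3` or `enp1s0`; matching on the MAC address or a glob such as `matchConfig.Name = "en*";` avoids a host that comes up without network because the name guess was wrong.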