diff --git a/flake.nix b/flake.nix
index 2d12fa3c..9326a5ed 100644
--- a/flake.nix
+++ b/flake.nix
@@ -232,6 +232,7 @@
 pkgs.agenix-rekey
 pkgs.age-plugin-fido2-hmac
 colmena.packages.${pkgs.system}.colmena
+ disko.packages.${pkgs.system}.disko
 ];
 };
 deploy = pkgs.mkShell {
diff --git a/hosts/servers/trenderhoof.nix b/hosts/servers/trenderhoof.nix
new file mode 100644
index 00000000..e3c1a25c
--- /dev/null
+++ b/hosts/servers/trenderhoof.nix
@@ -0,0 +1,123 @@
+{
+ networking.hostName = "trenderhoof";
+
+ ocf.network = {
+ enable = true;
+ lastOctet = 128;
+ };
+
+ ocf.nfs-export = {
+ enable = true;
+ # https://github.com/ocf/puppet/blob/a081b2210691bd46d585accc8548c985188486a0/modules/ocf_filehost/manifests/init.pp#L10-L16
+ exports = [
+ {
+ directory = "/opt/homes";
+ hosts = [
+ "admin"
+ "www"
+ "ssh"
+ "apphost"
+ "adenine"
+ "guanine"
+ "cytosine"
+ "thymine"
+ "fluttershy"
+ "rainbowdash"
+ ];
+ options = [
+ "rw"
+ "fsid=0"
+ "no_subtree_check"
+ "no_root_squash"
+ ];
+ }
+ ];
+ };
+
+
+ boot.loader = {
+ grub.enable = true;
+ systemd-boot.enable = false;
+ };
+
+ # FIXME remove and make sure it still boots
+ hardware.enableAllHardware = true;
+
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/disk/by-id/ata-Micron_5100_MTFDDAK960TBY_1725190CE6F0";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ MBR = {
+ type = "EF02";
+ size = "1M";
+ priority = 1;
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ boot.swraid = {
+ enable = true;
+ mdadmConf = ''
+ MAILADDR postmaster@ocf.berkeley.edu
+ ARRAY /dev/md/nfs metadata=1.2 UUID=46b10914:9f84099b:dd54304a:917d7898 name=dataloss:nfs
+ '';
+ };
+
+ fileSystems = {
+ "/opt/homes" = {
+ device = "/dev/md/nfs";
+ fsType = "ext4";
+ options = [
+ "noacl"
+ "noatime"
+ "nodev"
+ "usrquota"
+ ];
+ };
+
+ # Bind mount /opt/homes/home to /home. This allows running
+ # mount trenderhoof:/home /home
+ # In fact, since home is CNAMEd to filehost is CNAMEd to trenderhoof, even
+ # mount homes:/home /home
+ # works and that's what the Puppet config in modules/ocf/manifests/nfs.pp does.
+ "/home" = {
+ device = "/opt/homes/home";
+ fsType = "none";
+ options = [ "bind" ];
+ };
+ "/services" = {
+ device = "/opt/homes/services";
+ fsType = "none";
+ options = [ "bind" ];
+ };
+ };
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ system.stateVersion = "25.11";
+}
diff --git a/modules/ocf/managed-deployment.nix b/modules/ocf/managed-deployment.nix
index 4c6b275f..a26802d7 100644
--- a/modules/ocf/managed-deployment.nix
+++ b/modules/ocf/managed-deployment.nix
@@ -30,6 +30,7 @@ in
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdAe7sPMxaidnqOah3UVrjt41KFHHOYleS1VWGH+ZUc" # storce
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICW8L5pydSCGwBstSlXWNSQh//wmRB03RmAWaT3u7+8hAAAABHNzaDo=" # sbwilliams primary hardware token
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIsQXwbC4lVR8qMbduDWHVNvjfqD1m8yYbjdEOGCNVNPAAAABHNzaDo=" # sbwilliams secondary hardware token
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6TAvD4mDHB7BRgCgG50IOc0417lgpYxG8qZ2d7DesV" # dotlambda
 ];
 };
diff --git a/modules/ocf/nfs-export.nix b/modules/ocf/nfs-export.nix
new file mode 100644
index 00000000..72164102
--- /dev/null
+++ b/modules/ocf/nfs-export.nix
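Review bot: The `/opt/homes` export in `ocf.nfs-export.exports` combines `rw` with `no_root_squash` for all ten clients, so root on any of them (including the user-facing `www`, `ssh` and `apphost` hosts) is root over every home directory on this server; the linked Puppet manifest may have done the same, but it is worth confirming each client needs that. Since `options` in this module apply to every host of an export, clients that only need user-level access could be listed in a second export entry for the same directory without `no_root_squash`. The client list is keyed on bare hostnames, so the effective ACL is only as strong as the name resolution the NFS server performs, which deserves a one-line comment next to `hosts`. Separately, the `/opt/homes` mount sets `nodev` but not `nosuid`; adding `"nosuid"` to its `options` would stop a setuid binary placed in a home directory from executing with elevated privileges on the file server itself.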
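Review bot: The key added for `dotlambda` is a plain `ssh-ed25519` key, whereas the two entries directly above it are `sk-ssh-ed25519@openssh.com` hardware-token keys; if this list is meant to converge on hardware-backed keys, confirm a software key is acceptable here and, as the neighbouring entries do, say so in the trailing comment, e.g. `# dotlambda (software key)`. The attribute that holds this list begins outside the hunk, so what the key authorizes is not visible here.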
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib)
+ concatMapStrings
+ concatMapStringsSep
+ concatStringsSep
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
+ cfg = config.ocf.nfs-export;
+in
+{
+ options.ocf.nfs-export = {
+ enable = mkEnableOption "NFS exports";
+ exports = mkOption {
+ type = types.listOf (
+ types.submodule {
+ options = {
+ directory = mkOption {
+ type = types.path;
+ };
+ hosts = mkOption {
+ description = "Hosts with which the export is shared";
+ example = [
+ "192.168.0.0/28"
+ "*.ocf.io"
+ ];
+ type = with types; nonEmptyListOf str;
+ };
+ options = mkOption {
+ default = [ ];
+ description = "NFS options applied to all hosts";
+ example = [ "rw" ];
+ type = with types; listOf str;
+ };
+ };
+ }
+ );
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.nfs.server = {
+ enable = true;
+ # https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports
+ exports = concatMapStrings (export: ''
+ ${export.directory} \
+ ${concatMapStringsSep " \\\n " (
+ host: "${host}(${concatStringsSep "," export.options})"
+ ) export.hosts}
+ '') cfg.exports;
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # sufficient for NFSv4
+ 2049
+ ];
+ };
+}
diff --git a/secrets/host-keys/trenderhoof.pub b/secrets/host-keys/trenderhoof.pub
new file mode 100644
index 00000000..615b2a81
--- /dev/null
+++ b/secrets/host-keys/trenderhoof.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHZpj8sV40I6Pab3Jup+f+eH+9Bf3CEhajswD5eGHTZ
diff --git a/secrets/rekeyed/trenderhoof/872e797c25248dc68a76c6aee374dd25-tsig-secret.age b/secrets/rekeyed/trenderhoof/872e797c25248dc68a76c6aee374dd25-tsig-secret.age
new file mode 100644
index 00000000..169493f2
--- /dev/null
+++ b/secrets/rekeyed/trenderhoof/872e797c25248dc68a76c6aee374dd25-tsig-secret.age
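Review bot: With the default `options = [ ]`, the generated entry for each host is `host()` with an empty parenthesised option list; confirm `exportfs` accepts that form, and otherwise drop the parentheses when the list is empty, e.g. `host: if export.options == [ ] then host else "${host}(${concatStringsSep "," export.options})"`. Values in `hosts` and `options` are interpolated into the exports file verbatim, so a value containing whitespace or parentheses would silently alter the export's access list rather than fail evaluation; `nonEmptyListOf (strMatching "[^ ()]+")` (or similar) for `hosts` would reject that at build time. `directory` and the `exports` option itself carry no `description`; `description = "Directory to export"` on `directory` and `description = "Directories to export over NFS and the hosts allowed to mount them"` on `exports` would complete the option docs. The `hosts` description could also note that host names are resolved by the NFS server, so the resulting ACL is only as trustworthy as that resolution.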
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 RgUMkQ 8ggGWkHW67SV/BktBgTolq4ZUXYDdgmJR88THMx2Jz8 +zFEvazxXmtrfT6d1KAoQOvgKcAgQ0MGBXZmbP+FaJt4 +-> EUK3R-grease +/5H1MwTh69z1pszb5c8p/a26xe4Am04Pnqsrf8ixJFAgEpAX7U+fPVNXkMeF1zzJ +Wo3t1Ndzk5FTC7/oS3kKTn/aMRHfN/NJCtcEtazhtLM/a2ZQSU5pB4bYRGz7Ys7N +M4Q +--- +HivWJMJweyF58MlGLkK9RYFjko7bT2lHx2QpyqVdcw +5pƾpM"* 5þݸKҌDEdj 9n|}O A8LpN +o9ҸԊ%<`e)k$bC \ No newline at end of file diff --git a/secrets/rekeyed/trenderhoof/ffdf6714e76099295655f295e8da71f3-root-password-hash.age b/secrets/rekeyed/trenderhoof/ffdf6714e76099295655f295e8da71f3-root-password-hash.age new file mode 100644 index 00000000..8f3dcd8c --- /dev/null +++ b/secrets/rekeyed/trenderhoof/ffdf6714e76099295655f295e8da71f3-root-password-hash.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 RgUMkQ EPL+fghcpX2doHrSHLTy2vQROOwpc+S7QlqZpAepuX0 +LQ1lDiFjWxOF42NR7ZEHCQlJfO6AjtRU4Wufej06PwM +-> p$iLTP PkLB|6 (glLp +q1f8HSAZ3tST4NxMBxQxVBmWTZrReHsT6az5lk5tFeNP+tFrpjuZI5Hv85Sruy+j +5zjhqTOg4PbsIzjMeJFy7Dk4JM+/kOT0NhyDE4WhHNC3cSrF0G9h+JZbnfngPCkZ +Qg +--- q4IVyLNABx+/GKCi+853bvl/foHVUIC5gFjCGR+5YEo +'m"j"4p)_q^ gCq9f;'xjUS%{S\ͷ5PF:?b\&ӬT* +n  \ No newline at end of file