diff --git a/flake.nix b/flake.nix
index f91d05a..cd135a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -134,6 +134,18 @@
 ./hosts/wob-vpn-gw.forkos.org
 ];
 };
- };
+
+ } // (lib.listToAttrs (lib.genList (i: lib.nameValuePair "builder-${toString i}" {
+
+ imports = [
+ inputs.agenix.nixosModules.default
+ inputs.hydra.nixosModules.hydra
+ ./services
+ ./common
+ {
+ bagel.baremetal.builders = { enable = true; num = i; };
+ }
+ ];
+ }) 12));
 };
 }
diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix
new file mode 100644
index 0000000..95b9f03
--- /dev/null
+++ b/services/baremetal-builder/default.nix
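Review bot: In flake.nix the builder count is the bare literal `12` at the end of the `lib.genList` call, and because `genList` is zero-based the hosts come out as builder-0 through builder-11, which nothing in the hunk states. A short comment above the expression, such as `# builder-0 … builder-11: one NixOS configuration per bare-metal builder`, or a named `let` binding for the count, would make the fleet size reviewable. Since `//` lets the right-hand side win, an existing host named `builder-N` in the attrset above would be replaced without an error; that attrset starts outside the hunk, so this cannot be checked here. Each builder also imports all of `./services` plus the Hydra module, so it is worth confirming that every module there stays inert unless its own `enable` option is set.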
@@ -0,0 +1,85 @@
+{ lib, config, ... }:
+let
+ cfg = config.bagel.baremetal.builders;
+in
+{
+ options = {
+
+ bagel.baremetal.builders = {
+ enable = lib.mkEnableOption "baremetal bagel oven";
+ num = lib.mkOption {
+ type = lib.types.int;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.initrd.systemd.enable = true;
+
+ boot.initrd.services.lvm.enable = true;
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/BOOT";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ boot.kernelParams = [
+ "console=ttyS0,115200"
+ "console=tty1"
+ ];
+
+ networking.useNetworkd = true;
+ networking.hostName = "builder-${toString cfg.num}";
+
+ systemd.network = {
+ netdevs = {
+ "40-uplink" = {
+ netdevConfig = {
+ Kind = "bond";
+ Name = "uplink";
+ };
+ bondConfig = {
+ Mode = "802.3ad";
+ TransmitHashPolicy = "layer3+4";
+ };
+ };
+ };
+ networks = {
+ "40-eno1" = {
+ name = "eno1";
+ bond = [ "uplink" ];
+ };
+ "40-eno2" = {
+ name = "eno2";
+ bond = [ "uplink" ];
+ };
+ };
+ };
+ networking.interfaces.uplink.ipv6.addresses = [
+ { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
+ ];
+ networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
+ deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
+
+ networking.nameservers = lib.mkForce ["2001:4860:4860::6464"]; # todo: other dns64
+
+ bagel.sysadmin.enable = true;
+
+ system.stateVersion = "24.05";
+ };
+}
diff --git a/services/default.nix b/services/default.nix
index a377c97..cd25088 100644
--- a/services/default.nix
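Review bot: `num` in services/baremetal-builder/default.nix is declared as an unbounded `lib.types.int` with no description, yet it is pasted in decimal into the last group of the IPv6 address used for both `networking.interfaces.uplink.ipv6.addresses` and `deployment.targetHost`. A negative value or one above 9999 would yield an invalid address, and 10 and 11 are read as hex 0x10 and 0x11. Narrowing the option to `type = lib.types.ints.between 0 9999;` and adding a `description` that states the decimal-in-hextet convention would turn a bad value into an evaluation error. Separately, `/boot` is mounted with `"fmask=0022" "dmask=0022"`, which leaves the ESP world-readable while systemd-boot is enabled; `options = [ "fmask=0077" "dmask=0077" ];` is the tighter setting if nothing unprivileged needs to read it.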
+++ b/services/default.nix
@@ -6,5 +6,6 @@
 ./netbox
 ./ofborg
 ./postgres
+ ./baremetal-builder
 ];
 }