diff --git a/flake.lock b/flake.lock
index ab333f71..075b12a4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -512,11 +512,11 @@
 "openwrt-imagebuilder": "openwrt-imagebuilder"
 },
 "locked": {
- "lastModified": 1651782857,
- "narHash": "sha256-EPkyxja/JOwrQnzbbmpSmMRzR5Dsp1QQwBPCvFWqn3Y=",
+ "lastModified": 1652490131,
+ "narHash": "sha256-lWB9YzE8VR7d+zBJlXcSPRonH08aSsidFMZn9HkRrQM=",
 "ref": "master",
- "rev": "52dbdc237abae93fc93ad9ca8b3d349c36989ad0",
- "revCount": 1388,
+ "rev": "497cebb86d13fa5942ab0e9f1625ec98fe73b263",
+ "revCount": 1392,
 "type": "git",
 "url": "https://gitea.c3d2.de/zentralwerk/network.git"
 },
diff --git a/flake.nix b/flake.nix
index 85b01f6c..7763f4ac 100644
--- a/flake.nix
+++ b/flake.nix
@@ -539,6 +539,12 @@
 ];
 };
 
+ server10 = nixosSystem' {
+ modules = [
+ ./hosts/server10
+ ];
+ };
+
 };
 
 nixosModule = self.nixosModules.c3d2;
diff --git a/host-registry.nix b/host-registry.nix
index 6915d6de..8fafade0 100644
--- a/host-registry.nix
+++ b/host-registry.nix
@@ -119,4 +119,6 @@
 # Hack
 rpi-netboot.ip4 = "127.0.0.1";
+
+ server10.ip6 = "server10.cluster.zentralwerk.org";
 }
diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix
new file mode 100644
index 00000000..92390ec7
--- /dev/null
+++ b/hosts/server10/default.nix
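Review bot: `server10.ip6 = "server10.cluster.zentralwerk.org";` in host-registry.nix stores a DNS name in a field whose name, and the sibling entry `rpi-netboot.ip4 = "127.0.0.1"`, suggest a literal address. If the registry's consumers parse or compare the value as an address this entry will not behave like the others; if they resolve it, deployments to this host now depend on DNS for the cluster zone, which is worth stating. I would either use the host's literal address from the network repo or put `# DNS name, not a literal address — resolved at deploy time` above the line. The attribute set this hunk extends starts before the hunk.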
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./network.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ boot.kernelParams = [
+ "preempt=none"
+ # No server/router runs any untrusted user code
+ "mitigations=off"
+ ];
+
+ networking.hostName = "server10"; # Define your hostname.
+ networking.hostId = "10101010";
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ };
+ services.openssh.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+}
diff --git a/hosts/server10/hardware-configuration.nix b/hosts/server10/hardware-configuration.nix
new file mode 100644
index 00000000..50ffe4f0
--- /dev/null
+++ b/hosts/server10/hardware-configuration.nix
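Review bot: `"mitigations=off"` is justified by `# No server/router runs any untrusted user code`, but hardware-configuration.nix for the same host loads `kvm-intel`, and a host that runs guests or containers does execute code it does not fully trust, which is exactly what these mitigations guard against. If server10 is meant to run VMs the flag should go; otherwise I would extend the comment to record the assumption, e.g. `# mitigations=off: bare-metal service host only, no VMs/containers/untrusted users — revisit if that changes`. Separately, `services.openssh.enable = true` with port 22 opened in the firewall leaves the 21.11 default of password authentication in place; `services.openssh.passwordAuthentication = false;` would make key-only access explicit.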
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ boot.supportedFilesystems = [ "ext2" "zfs" ];
+ boot.zfs.devNodes = "/dev/";
+
+ fileSystems."/" =
+ { device = "server10/nixos";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ { device = "server10/nixos/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix/var" =
+ { device = "server10/nixos/nix/var";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix/store" =
+ { device = "server10/nixos/nix/store";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var" =
+ { device = "server10/nixos/var";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "server10/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/b13a876b-2488-47a3-b9bd-3b03fbac6c85";
+ fsType = "ext2";
+ };
+
+ swapDevices = [ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/server10/network.nix b/hosts/server10/network.nix
new file mode 100644
index 00000000..4bc2ef59
--- /dev/null
+++ b/hosts/server10/network.nix
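Review bot: `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` only takes effect if `hardware.enableRedistributableFirmware` is enabled somewhere, and nothing in this commit sets it, so the host may boot without microcode updates — which matters more than usual because default.nix passes `mitigations=off`. Setting `hardware.enableRedistributableFirmware = true;` (or `hardware.cpu.intel.updateMicrocode = true;`) in hosts/server10/default.nix would make the intent explicit. Also, `boot.zfs.devNodes = "/dev/";` makes pool import rely on kernel-order device names instead of the default `/dev/disk/by-id`; if that is deliberate, e.g. because by-id links are missing on this machine, a one-line comment saying so would spare the next reader a guess.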
@@ -0,0 +1,117 @@
+{ zentralwerk, config, lib, ... }:
+
+let
+ inherit (config.networking) hostName;
+
+ zwNets = zentralwerk.lib.config.site.net;
+ zwHostConfig = zentralwerk.lib.config.site.hosts.${hostName};
+ zwHostBridges = builtins.attrNames (
+ lib.filterAttrs (_: { type, ... }: type == "bridge")
+ zwHostConfig.interfaces
+ );
+
+in
+{
+ networking.useDHCP = false;
+ networking.useNetworkd = true;
+
+ boot.kernelParams = [
+ # Prevents automatic creation of interface bond0 by the kernel
+ "bonding.max_bonds=0"
+ ];
+
+ systemd.network = {
+ enable = true;
+
+ netdevs = {
+ bond0.netdevConfig = {
+ Kind = "bond";
+ Name = "bond0";
+ };
+ # LACP
+ bond0.bondConfig.Mode = "802.3ad";
+ } // (
+ builtins.foldl' (result: net: result // {
+ # Bridges are named just like the corresponding net.
+ "${net}" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "${net}";
+ };
+ extraConfig = ''
+ [Bridge]
+ ForwardDelaySec=2
+ STP=true
+ '';
+ };
+ # External VLAN interface
+ "ext-${net}" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "ext-${net}";
+ };
+ vlanConfig.Id = zwNets.${net}.vlan;
+ };
+ }) {} zwHostBridges
+ );
+
+ networks = {
+ en = {
+ # physical ethernet ports
+ matchConfig.Name = "en*";
+ networkConfig = {
+ Bond = "bond0";
+ LLDP = true;
+ EmitLLDP = true;
+ };
+ };
+ bond0 = {
+ DHCP = "no";
+ matchConfig.Name = "bond0";
+ networkConfig = {
+ VLAN = map (net: "ext-${net}") zwHostBridges;
+ LinkLocalAddressing = "no";
+ LLDP = true;
+ EmitLLDP = true;
+ };
+ };
+ } // (builtins.foldl' (result: net: result // {
+ "${net}" = {
+ matchConfig.Name = net;
+ networkConfig = {
+ LLDP = true;
+ EmitLLDP = true;
+ DHCP = "no";
+ } // (lib.optionalAttrs (! zwNets.${net}.hosts4 ? ${hostName})) {
+ # Disable all automatic addressing on bridges. It will delay
+ # networkd going into operational state.
+ LinkLocalAddressing = lib.mkDefault "no";
+ };
+ addresses =
+ let
+ netConfig = zwNets.${net};
+ address = netConfig.hosts4.${hostName};
+ prefixLen = netConfig.subnet4Len;
+ in
+ lib.optional (netConfig.hosts4 ? ${hostName}) {
+ addressConfig.Address = "${address}/${toString prefixLen}";
+ } ++
+ builtins.concatMap (hosts6:
+ lib.optional (hosts6 ? ${hostName}) {
+ addressConfig.Address = "${hosts6.${hostName}}/64";
+ }
+ ) (builtins.attrValues netConfig.hosts6);
+
+ gateway = lib.optionals (net == "cluster") [
+ zwNets.cluster.hosts4.cls-gw
+ zwNets.cluster.hosts6.dn42.cls-gw
+ ];
+ };
+ "ext-${net}" = {
+ matchConfig.Name = "ext-${net}";
+ # Attach eth*/bond0/VLAN to bridge
+ networkConfig.Bridge = net;
+ };
+ }) {} zwHostBridges);
+ };
+}
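Review bot: The guard `lib.optionalAttrs (! zwNets.${net}.hosts4 ? ${hostName})` decides LinkLocalAddressing from the IPv4 host table only, while the `addresses` block just below also assigns an address from every `hosts6` table of the same net. A net where server10 has only an IPv6 entry would therefore get a global v6 address with `LinkLocalAddressing=no`, which can leave neighbour discovery without a link-local source; if that combination exists in the site config, test both tables: `(! (zwNets.${net}.hosts4 ? ${hostName} || lib.any (hosts6: hosts6 ? ${hostName}) (builtins.attrValues zwNets.${net}.hosts6)))`. The `netConfig` let-binding is scoped to `addresses`, so the check has to repeat `zwNets.${net}` or the binding has to move up to the fold's lambda.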