diff --git a/flake.nix b/flake.nix
index 2ff3f100..e66f04dd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -595,6 +595,13 @@
 ];
 };
+ nfsroot = nixosSystem' {
+ modules = [
+ microvm.nixosModules.microvm
+ ./hosts/containers/nfsroot
+ ];
+ };
+
 };
 nixosModule = self.nixosModules.c3d2;
diff --git a/hosts/containers/nfsroot/default.nix b/hosts/containers/nfsroot/default.nix
new file mode 100644
index 00000000..78c82b12
--- /dev/null
+++ b/hosts/containers/nfsroot/default.nix
@@ -0,0 +1,80 @@
+{ zentralwerk, config, pkgs, ... }:
+{
+ microvm = {
+ hypervisor = "qemu";
+ mem = 1024;
+
+ shares = [ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ } ] ++ map (dir: {
+ source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
+ mountPoint = "/${dir}";
+ tag = dir;
+ proto = "virtiofs";
+ socket = "${dir}.socket";
+ }) [ "etc" "home" "var" "var/lib/nfsroot/dacbert" "var/lib/nfsroot/riscbert" ];
+
+ interfaces = [ {
+ type = "tap";
+ id = "nfsroot";
+ mac = "00:de:fa:c8:28:9c";
+ } ];
+ };
+
+ networking = {
+ hostName = "nfsroot";
+
+ useDHCP = false;
+ interfaces.eth0 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = netConfig.hosts4.${config.networking.hostName};
+ prefixLength = netConfig.subnet4Len;
+ } ];
+ };
+ defaultGateway = netConfig.hosts4.serv-gw;
+ nameservers = [
+ netConfig.hosts4.dnscache "9.9.9.9"
+ ];
+
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "22.05";
+
+
+ services.nfs.server = {
+ enable = true;
+ exports =
+ let
+ allowed = [
+ "172.22.99.0/24"
+ "172.20.72.0/21"
+ "30c:c3d2:b946:76d0::/64"
+ "2a00:8180:2c00:200::/56"
+ "fd23:42:c3d2:500::/56"
+ ];
+ opts = o: fsid:
+ lib.concatStringsSep "," [
+ o "async"
+ "no_subtree_check" "no_root_squash"
+ "fsid=${toString fsid}"
+ ];
+ in ''
+ /var/lib/nfsroot/dacbert ${
+ lib.concatMapStringsSep " " (subnet:
+ "${subnet}(${opts "rw" 1})"
+ ) allowed
+ }
+ /var/lib/nfsroot/riscbert ${
+ lib.concatMapStringsSep " " (subnet:
+ "${subnet}(${opts "rw" 1})"
+ ) allowed
+ }
+ '';
+ };
+}
diff --git a/hosts/server10/microvms.nix b/hosts/server10/microvms.nix
index 103a44d4..dea78229 100644
--- a/hosts/server10/microvms.nix
+++ b/hosts/server10/microvms.nix
@@ -1,7 +1,7 @@
 {
 microvm.autostart = [ "oparl" ];
 c3d2.server.bridgePorts = {
- serv = [ "oparl" "leon" ];
+ serv = [ "oparl" "leon" "nfsroot" ];
 };
 nix = {
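Review bot: `lib` and `netConfig` are referenced throughout the new module (`lib.concatStringsSep`, `lib.concatMapStringsSep`, `netConfig.hosts4.…`, `netConfig.subnet4Len`) but neither is bound — the header takes only `{ zentralwerk, config, pkgs, ... }` and there is no top-level `let` — so evaluation should stop with an undefined-variable error; add `lib` to the argument set (`{ zentralwerk, config, lib, pkgs, ... }:`) and bind `netConfig` the way the sibling hosts do (presumably derived from `zentralwerk`, which is otherwise unused here). Both export lines also pass `opts "rw" 1`, so `/var/lib/nfsroot/dacbert` and `/var/lib/nfsroot/riscbert` are exported with the same `fsid=1`; each export needs its own fsid or the two paths collide in the export table, so the second call should read `opts "rw" 2`. On the exposure side, both directories are `rw,no_root_squash` to a /24, a /21, a /64 and two /56s while `firewall.enable = false`, which lets any host in those ranges write as root into the diskless clients' root filesystems and leaves rpcbind/mountd/nfsd reachable from the whole segment the tap is bridged to; if only dacbert and riscbert are meant to mount these, narrowing `allowed` to their addresses (or keeping the firewall on and opening only 2049/tcp, which suffices for NFSv4) would contain that, and the reason squashing must stay off deserves a comment such as `# NFS root for diskless clients: files must appear root-owned on the client, hence no_root_squash`. The prefix `30c:c3d2:b946:76d0::/64` lies outside the 2000::/3 global-unicast range and looks like a truncated address — confirm it against the site network config before this ACL is relied on.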
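Review bot: `nfsroot` is added to the `serv` bridge ports but not to `microvm.autostart` on the line above, which still lists only `"oparl"`; if dacbert and riscbert boot from this server, it will not come back after a host reboot and the diskless clients stay down until someone starts it by hand. If that is deliberate (as it appears to be for `leon`), a short comment on the autostart line saying why would avoid the question; otherwise change it to `microvm.autostart = [ "oparl" "nfsroot" ];`.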