diff --git a/nix/nixos-module/container/dhcp-server.nix b/nix/nixos-module/container/dhcp-server.nix
index f70a16f..f0a4beb 100644
--- a/nix/nixos-module/container/dhcp-server.nix
+++ b/nix/nixos-module/container/dhcp-server.nix
@@ -52,6 +52,9 @@ in
                 option domain-name-servers 172.20.73.8, 9.9.9.9;
                 ddns-domainname "${domainName}";
 
+                next-server "${config.site.net.serv.hosts4.netboot}";
+                filename "netboot.xyz.kpxe";
+
                 subnet ${subnet4Net} netmask ${lib.netmasks.${toString subnet4Len}} {
                   range ${dhcp.start} ${dhcp.end};
                 }
diff --git a/nix/nixos-module/container/netboot.nix b/nix/nixos-module/container/netboot.nix
new file mode 100644
index 000000000..c95dd5e
--- /dev/null
+++ b/nix/nixos-module/container/netboot.nix
@@ -0,0 +1,17 @@
+{ lib, pkgs, ... }:
+let
+  netboot_xyz = pkgs.fetchurl {
+    url = "https://github.com/netbootxyz/netboot.xyz/releases/download/2.0.40/netboot.xyz.kpxe";
+    sha256 = "1crkr995i1hv3q548gx2xan1ymxmzcnr7mxaf77s2410mpqfcx82";
+  };
+  tftpRoot = pkgs.runCommand "tftproot" {} ''
+    mkdir -p $out
+    ln -s ${netboot_xyz} $out/netboot.xyz.kpxe
+  '';
+in
+{
+  services.tftpd = {
+    enable = true;
+    path = tftpRoot;
+  };
+}
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index fb904ca..5ce6fa9 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
@@ -40,5 +40,8 @@ in {
   ] ++
   optionals (hostName == "mgmt-gw") [
     ./container/mgmt-gw.nix
+  ] ++
+  optionals (hostName == "netboot") [
+    ./container/netboot.nix
   ];
 }
diff --git a/salt-pillar/hosts/init.sls b/salt-pillar/hosts/init.sls
index a96d41d..0172eab 100644
--- a/salt-pillar/hosts/init.sls
+++ b/salt-pillar/hosts/init.sls
@@ -214,6 +214,7 @@ hosts-inet:
     leonos:       172.20.73.47
     minetest:     172.20.73.48
     hydra:        172.20.73.49
+    netboot:      172.20.73.50
 
   # TODO: generate from subnets
   priv1:
@@ -463,6 +464,7 @@ hosts-inet6:
       stats: fd23:42:c3d2:582:2:0:0:3
       radius: fd23:42:c3d2:582:2:0:0:4
       zeit: fd23:42:c3d2:582:2:0:0:5
+      netboot: fd23:42:c3d2:582:2:0:0:6
       dnscache: fd23:42:c3d2:582:f096:dbff:fee8:427d
       minetest: fd23:42:c3d2:582:c3a:42ff:fe5d:b20c
       hydra: fd23:42:c3d2:582:e03c:d7ff:fe8e:fe16
@@ -635,6 +637,7 @@ hosts-inet6:
       stats: 2a00:8180:2c00:282:2:0:0:3
       radius: 2a00:8180:2c00:282:2:0:0:4
       zeit: 2a00:8180:2c00:282:2:0:0:5
+      netboot: 2a00:8180:2c00:282:2:0:0:3
       dnscache: 2a00:8180:2c00:282:f096:dbff:fee8:427d
       minetest: 2a00:8180:2c00:282:c3a:42ff:fe5d:b20c
       hydra: 2a00:8180:2c00:282:e03c:d7ff:fe8e:fe16
diff --git a/salt-pillar/lxc-containers/server1.sls b/salt-pillar/lxc-containers/server1.sls
index 9b66ed4..050204a 100644
--- a/salt-pillar/lxc-containers/server1.sls
+++ b/salt-pillar/lxc-containers/server1.sls
@@ -599,6 +599,14 @@ containers:
         gw6: serv-gw
         hwaddr: 0A:14:48:01:15:00
 
+  netboot:
+    interfaces:
+      serv:
+        type: veth
+        gw: serv-gw
+        gw6: serv-gw
+        hwaddr: 0A:14:48:01:15:01
+
   mgmt-gw:
     interfaces:
       core: