diff --git a/.sops.yaml b/.sops.yaml index c2c129b..2e6c625 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,6 +5,7 @@ keys: - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65 - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4 - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl + - &cube age1gqzdgnfl9d04pzg4dtwny3s4277jzpwqdck8wm7jenl30z00wslqrvy393 creation_rules: # per-host secrets @@ -23,8 +24,13 @@ creation_rules: - pgp: [*matej] age: [*floo] + - path_regex: ^secrets/cube\.yaml$ + key_groups: + - pgp: [*matej] + age: [*cube] + # shared secrets (all hosts) - path_regex: ^secrets/common\.yaml$ key_groups: - pgp: [*matej] - age: [*tower, *fw16, *floo] + age: [*tower, *fw16, *floo, *cube] diff --git a/flake/hosts.nix b/flake/hosts.nix index aca1f2d..96fe161 100644 --- a/flake/hosts.nix +++ b/flake/hosts.nix @@ -73,6 +73,17 @@ in ]; }; + cube = mkHost "cube" { + system = "x86_64-linux"; + user = "matej"; + features = [ + "openssh" + "localisation" + "shell" + "tailscale" + ]; + }; + # nix run github:nix-community/nixos-anywhere -- --flake .#floo root@ floo = mkHost "floo" { system = "x86_64-linux"; diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix new file mode 100644 index 0000000..98d9f67 --- /dev/null +++ b/hosts/cube/configuration.nix 
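Review bot: In `.sops.yaml`, adding `*cube` to the `^secrets/common\.yaml$` recipients (last line of the second hunk) only changes the rule used for future encryptions. The existing `secrets/common.yaml` is not touched in the visible diff, so unless it is re-keyed elsewhere cube still cannot decrypt it. Run `sops updatekeys secrets/common.yaml` and commit the result with this change; the new `^secrets/cube\.yaml$` rule likewise has no file behind it in the visible hunks. Every host in that list can read all shared secrets, so confirm cube needs them. A one-line comment beside the `&cube` anchor in the first hunk, recording how that age recipient was obtained, would also help.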
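Review bot: In `flake/hosts.nix`, the new `cube` entry enables both `"openssh"` and `"tailscale"`, but nothing visible says which interfaces sshd will be reachable on. The feature modules are outside this diff, so this is a question rather than a finding. If SSH is meant to be used over the tailnet only, set `services.openssh.openFirewall = false;` for this host and add `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];`. A short comment above `cube = mkHost` with the bootstrap command, like the one `floo` has, would document how the host is installed.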
@@ -0,0 +1,41 @@
+{ inputs, ... }:
+{
+ imports = [ inputs.disko.nixosModules.disko ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+
+ localisation = {
+ timeZone = "Europe/Ljubljana";
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/cube/hardware-configuration.nix b/hosts/cube/hardware-configuration.nix
new file mode 100644
index 0000000..edda651
--- /dev/null
+++ b/hosts/cube/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usb_storage"
+ "sd_mod"
+ "sdhci_pci"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
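Review bot: In `hosts/cube/configuration.nix`, the `root` partition is plain ext4, so whatever key material cube uses as a sops recipient is readable by anyone who can remove or boot the NVMe drive. That recipient is added to `.sops.yaml` in this same commit, and its private key is presumably stored on this disk. Consider wrapping the filesystem in a disko `luks` container as sketched below. An unattended host then needs an unlock path (TPM enrolment or initrd SSH), which is best decided before the first install. Separately, the `esp` filesystem sets no mount options, so the vfat `/boot` will typically be world-readable; add `mountOptions = [ "umask=0077" ];` to its `content`.

```nix
# … unchanged: esp partition …
root = {
  size = "100%";
  content = {
    type = "luks";
    name = "cryptroot"; # constructed mapper name, pick your own
    content = {
      # … unchanged: ext4 filesystem mounted at "/" …
    };
  };
};
```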