diff --git a/flake.lock b/flake.lock
index 12f67ae..8cfaca7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -122,6 +122,21 @@
 "type": "github"
 }
 },
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1716173274,
+ "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
+ "owner": "nixos",
+ "repo": "nixos-hardware",
+ "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1716408587,
@@ -161,6 +176,7 @@
 "home-manager": "home-manager",
 "home-manager-unstable": "home-manager-unstable",
 "impermanence": "impermanence",
+ "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "nixpkgs-unstable": "nixpkgs-unstable"
 }
diff --git a/flake.nix b/flake.nix
index fef69e1..727fa34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,8 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixos-hardware.url = "github:nixos/nixos-hardware";
+
 flake-utils.url = "github:numtide/flake-utils";
 agenix.url = "github:ryantm/agenix";
@@ -19,7 +21,7 @@
 description = "Hillion Nix flake";
- outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
 nixosConfigurations =
 let
 fqdns = builtins.attrNames (builtins.readDir ./hosts);
diff --git a/hosts/sodium.pop.ts.hillion.co.uk/default.nix b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
new file mode 100644
index 0000000..73386f7
--- /dev/null
+++ b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
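Review bot: The `outputs` destructure in the second flake.nix hunk now binds `nixos-hardware`, but the hunk stops before `nixosConfigurations` is built, so it is not visible how the input reaches the new host module that declares `{ config, pkgs, lib, nixos-hardware, ... }` — presumably via `specialArgs`, which lives outside this hunk and is worth confirming, since an unbound module argument fails at evaluation time. As a point of style, `@inputs` already captures every input, so the ever-growing positional list could be left alone and the new host wired through `inputs.nixos-hardware` instead of extending the signature again. The unbranched `github:nixos/nixos-hardware` URL is acceptable only because flake.lock pins it to a specific `rev`; a short comment such as `# tracks master; pinned by flake.lock` next to the url would make that explicit.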
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, nixos-hardware, ... }:
+
+{
+ imports = [
+ "${nixos-hardware}/raspberry-pi/5/default.nix"
+ ./hardware-configuration.nix
+ ];
+
+ config = {
+ system.stateVersion = "24.05";
+
+ networking.hostName = "sodium";
+ networking.domain = "pop.ts.hillion.co.uk";
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ custom.defaults = true;
+
+ ## Enable btrfs compression
+ fileSystems."/data".options = [ "compress=zstd" ];
+ fileSystems."/nix".options = [ "compress=zstd" ];
+
+ ## Impermanence
+ custom.impermanence.enable = true;
+
+ ## Custom Services
+ custom.locations.autoServe = true;
+
+ # Networking
+ networking = {
+ useDHCP = false;
+ interfaces = {
+ end0 = {
+ name = "eth0";
+ useDHCP = true;
+ };
+ };
+ };
+ networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
+
+ networking.firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowedTCPPorts = lib.mkForce [
+ ];
+ allowedUDPPorts = lib.mkForce [ ];
+ interfaces = {
+ eth0 = {
+ allowedTCPPorts = lib.mkForce [
+ ];
+ allowedUDPPorts = lib.mkForce [
+ ];
+ };
+ };
+ };
+
+ ## Tailscale
+ age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
+ services.tailscale = {
+ enable = true;
+ authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
+ };
+ };
+}
diff --git a/hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix b/hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix
new file mode 100644
index 0000000..40b1764
--- /dev/null
+++ b/hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix
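Review bot: `networking.firewall.allowedTCPPorts = lib.mkForce [ ]` is doing real security work here — it discards the port 22 that the openssh module opens by default (assuming `custom.defaults` enables sshd, as the new known-hosts entry suggests), so every service on this host, SSH included, is reachable only through `tailscale0` via `trustedInterfaces`; that intent deserves a comment such as `# Nothing is exposed on the LAN side; all access (incl. SSH) is over tailscale0 only` so a later reader does not "repair" the empty list. The per-interface `interfaces.eth0` block forces the same empty lists a second time and adds nothing while the global lists are empty, so it could be dropped. It is also keyed on `eth0` whereas the link is declared as `end0` with `name = "eth0"`; if that option only labels rather than renames the interface, the `eth0` rules match nothing, which is harmless today only because of the global `mkForce` — worth confirming the rename is actually in effect on the Pi, since `useDHCP = true` depends on it too.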
@@ -0,0 +1,56 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/417B-1063";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ fileSystems."/nix" =
+ {
+ device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/data" =
+ {
+ device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
+ fsType = "btrfs";
+ options = [ "subvol=data" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/hosts/sodium.pop.ts.hillion.co.uk/system b/hosts/sodium.pop.ts.hillion.co.uk/system
new file mode 100644
index 0000000..ab65297
--- /dev/null
+++ b/hosts/sodium.pop.ts.hillion.co.uk/system
@@ -0,0 +1 @@
+aarch64-linux
\ No newline at end of file
diff --git a/modules/dns.nix b/modules/dns.nix
index 83d2a6f..eab81f4 100644
--- a/modules/dns.nix
+++ b/modules/dns.nix
@@ -47,7 +47,10 @@ in
 };
 jakehillion-terminals = { gendry = "100.70.100.77"; };
 lt = { be = "100.105.166.79"; };
- pop = { li = "100.106.87.35"; };
+ pop = {
+ li = "100.106.87.35";
+ sodium = "100.82.135.64";
+ };
 storage = {
 theon = "100.104.142.22";
 tywin = "100.115.31.91";
@@ -71,7 +74,10 @@ in
 };
 jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
 lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
- pop = { li = "fd7a:115c:a1e0::e701:5723"; };
+ pop = {
+ li = "fd7a:115c:a1e0::e701:5723";
+ sodium = "fd7a:115c:a1e0::c701:8740";
+ };
 storage = {
 theon = "fd7a:115c:a1e0::4aa8:8e16";
 tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
diff --git a/modules/ssh/default.nix b/modules/ssh/default.nix
index 672370e..867ba9c 100644
--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
@@ -46,6 +46,7 @@ in
 "li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
 "microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
 "router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
+ "sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8+wlWyo1N58xrQ7HPdFC6Jeut4UYiW6Q3rpILzCaw0";
 "theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
 "tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
 };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e1bc100..46e3b69 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,7 +20,10 @@ let
 router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
 };
 lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
- pop = { li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li"; };
+ pop = {
+ li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
+ sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8+wlWyo1N58xrQ7HPdFC6Jeut4UYiW6Q3rpILzCaw0 root@sodium";
+ };
 terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
 storage = {
 tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
@@ -50,6 +53,7 @@ in
 "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
 "tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
 "tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
+ "tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
 "tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
 "tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
diff --git a/secrets/tailscale/sodium.pop.ts.hillion.co.uk.age b/secrets/tailscale/sodium.pop.ts.hillion.co.uk.age
new file mode 100644
index 0000000..f1f2264
Binary files /dev/null and b/secrets/tailscale/sodium.pop.ts.hillion.co.uk.age differ
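Review bot: The new recipient `ts.pop.sodium` in the second hunk is the host's SSH ed25519 key, which is also the identity agenix will use at boot to decrypt `tailscale/sodium.pop.ts.hillion.co.uk.age`; with `fileSystems."/"` on tmpfs in this host's hardware-configuration.nix, that private key has to survive reboots or the secret becomes undecryptable and tailscale never authenticates. Presumably the shared `custom.impermanence` module persists `/etc/ssh` as it does for the other hosts, but nothing in this commit shows it, so it is worth confirming before first boot. The same public key string is now declared twice — here as `pop.sodium` and in `modules/ssh/default.nix` as the known-hosts entry — so a host re-key must touch both; a one-line comment at either site, e.g. `# keep in sync with modules/ssh/default.nix`, would keep them from drifting.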