diff --git a/flake.nix b/flake.nix
index aaae56e..c385647 100644
--- a/flake.nix
+++ b/flake.nix
@@ -104,6 +104,7 @@
       palladium = {};
       porter = {};
       storage-2 = {};
+      tungsten = {};
       web-2 = {};
       zinc = {
         modules = [
@@ -134,6 +135,7 @@
       inherit (pkgs)
         clerie-backup
         clerie-keys
+        clerie-system-remote-install
         clerie-system-upgrade
         clerie-merge-nixfiles-update
         clerie-update-nixfiles
diff --git a/hosts/_iso/configuration.nix b/hosts/_iso/configuration.nix
index fadf700..d971c32 100644
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, lib, modulesPath, config, ... }:
 
 {
   imports = [
@@ -18,6 +18,9 @@
     nixfiles-auto-install
   ];
 
+  # Allow user clerie to log in as root directly with ssh keys
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.clerie.openssh.authorizedKeys.keys;
+
   services.openssh.settings = {
     PermitRootLogin = lib.mkForce "yes";
   };
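Review bot: With root's authorized keys now taken from `config.users.users.clerie.openssh.authorizedKeys.keys`, the `PermitRootLogin = lib.mkForce "yes"` kept just below still leaves password authentication open for root on every machine booted from this image. If key login is the only intended path, `PermitRootLogin = lib.mkForce "prohibit-password";` narrows sshd to that. The new line also depends on the clerie user being defined with keys inside the ISO configuration, which is not visible in this hunk; a comment naming the module that provides them would make that dependency explicit.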
diff --git a/hosts/tungsten/configuration.nix b/hosts/tungsten/configuration.nix
new file mode 100644
index 0000000..94564da
--- /dev/null
+++ b/hosts/tungsten/configuration.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/disk/by-id/ata-InnoDisk_Corp._DRPS-08GJ30AC1QS-A88_20120705AAB200000505";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+
+  networking.hostName = "tungsten";
+
+  system.stateVersion = "25.05";
+}
+
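Review bot: `boot.loader.grub.extraConfig` is written as a double-quoted string spanning several lines, so the leading newline and the indentation are copied verbatim into the generated GRUB configuration; the indented-string form (`''` … `''`) is the usual Nix spelling for multi-line text and strips the common indentation. The serial parameters are also stated twice, once in `boot.kernelParams` (`console=ttyS0,115200n8`) and once in the GRUB `serial --speed=115200 …` line, with nothing tying them together. A short comment such as `# Headless host: GRUB and kernel console both on the first serial port, keep the speeds in sync` above `boot.kernelParams` would document that.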
diff --git a/hosts/tungsten/hardware-configuration.nix b/hosts/tungsten/hardware-configuration.nix
new file mode 100644
index 0000000..ccf37e5
--- /dev/null
+++ b/hosts/tungsten/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/7ed9e29c-d771-49a1-ae8a-8894f347c648";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/95122f15-5621-457c-972c-c057ca416212";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/02a2afe4-ee00-4d3d-884a-e195b9814bfd";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/pkgs/clerie-system-remote-install/clerie-system-remote-install.sh b/pkgs/clerie-system-remote-install/clerie-system-remote-install.sh
new file mode 100755
index 0000000..293bf40
--- /dev/null
+++ b/pkgs/clerie-system-remote-install/clerie-system-remote-install.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -xeuo pipefail
+
+SYSTEM="$1"
+REMOTE_HOST="$2"
+REMOTE_ROOT="$3"
+
+nix copy "${SYSTEM}" --to "ssh://${REMOTE_HOST}?remote-store=${REMOTE_ROOT}"
+
+ssh "${REMOTE_HOST}" -- nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
+
+ssh "${REMOTE_HOST}" -- mkdir -p "${REMOTE_ROOT}/tmp"
+TMPSH="$(ssh "${REMOTE_HOST}" -- mktemp -p "${REMOTE_ROOT}/tmp")"
+
+# shellcheck disable=SC2087
+ssh "${REMOTE_HOST}" -- tee "${TMPSH}" <<EOF
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
+mkdir -m 0775 -p "${REMOTE_ROOT}/etc"
+touch "${REMOTE_ROOT}/etc/NIXOS"
+
+ln -sfn /proc/mounts "${REMOTE_ROOT}/etc/mtab"
+
+NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "${REMOTE_ROOT}" -c "/run/current-system/bin/switch-to-configuration boot"
+EOF
+
+ssh "${REMOTE_HOST}" -- bash "${TMPSH}"
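Review bot: `SYSTEM` and `REMOTE_ROOT` reach the remote side unescaped twice: ssh joins its arguments into one string that the remote shell parses again, and the unquoted `<<EOF` heredoc expands them locally into the generated script, so a value containing whitespace or shell metacharacters changes what is executed on the target (presumably as root). Quoting each value once for the remote shell with `printf '%q'` and using those quoted forms in the ssh calls and the heredoc closes that. The script also never checks that three arguments were given, and it leaves the `mktemp` file behind in `${REMOTE_ROOT}/tmp` inside the target root. `mkdir -m 0775` makes a freshly created `/etc` group-writable, where `0755` would be enough, and the `nix-env --set` in the heredoc repeats the one already run over ssh.

```shell
if [[ $# -ne 3 ]]; then
  echo "usage: clerie-system-remote-install SYSTEM REMOTE_HOST REMOTE_ROOT" >&2
  exit 1
fi
# … unchanged: SYSTEM / REMOTE_HOST / REMOTE_ROOT assignments, nix copy …

# ssh hands one string to the remote shell, so quote each value once for it
printf -v SYSTEM_Q '%q' "${SYSTEM}"
printf -v REMOTE_ROOT_Q '%q' "${REMOTE_ROOT}"

ssh "${REMOTE_HOST}" -- nix-env --store "${REMOTE_ROOT_Q}" -p "${REMOTE_ROOT_Q}/nix/var/nix/profiles/system" --set "${SYSTEM_Q}"

ssh "${REMOTE_HOST}" -- mkdir -p "${REMOTE_ROOT_Q}/tmp"
TMPSH="$(ssh "${REMOTE_HOST}" -- mktemp -p "${REMOTE_ROOT_Q}/tmp")"
printf -v TMPSH_Q '%q' "${TMPSH}"
# Remove the generated script from the target root whether or not the install succeeds
trap 'ssh "${REMOTE_HOST}" -- rm -f "${TMPSH_Q}"' EXIT

# shellcheck disable=SC2087
ssh "${REMOTE_HOST}" -- tee "${TMPSH_Q}" <<EOF
#!/usr/bin/env bash

set -euo pipefail

# The *_Q values are already shell-quoted words, so they are used without extra quotes here
mkdir -m 0755 -p ${REMOTE_ROOT_Q}/etc
touch ${REMOTE_ROOT_Q}/etc/NIXOS

ln -sfn /proc/mounts ${REMOTE_ROOT_Q}/etc/mtab

NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root ${REMOTE_ROOT_Q} -c "/run/current-system/bin/switch-to-configuration boot"
EOF

ssh "${REMOTE_HOST}" -- bash "${TMPSH_Q}"
```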
diff --git a/pkgs/clerie-system-remote-install/default.nix b/pkgs/clerie-system-remote-install/default.nix
new file mode 100644
index 0000000..142c2a3
--- /dev/null
+++ b/pkgs/clerie-system-remote-install/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "clerie-system-remote-install";
+  text = builtins.readFile ./clerie-system-remote-install.sh;
+}
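Review bot: The `writeShellApplication` call declares no `runtimeInputs`, so the `nix` and `ssh` commands the script invokes are resolved from whatever PATH the caller happens to have. Adding `runtimeInputs = [ pkgs.nix pkgs.openssh ];` pins the tools that copy the closure and open the connection to the ones from this nixpkgs. `writeShellApplication` also prepends its own shebang and `set -o errexit`, `nounset` and `pipefail` lines, so the `#!/usr/bin/env bash` at the top of the script file is redundant in the built wrapper, and of its `set -xeuo pipefail` only the `-x` tracing adds anything.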
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index b6db58e..e478135 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -1,6 +1,7 @@
 final: prev: {
   clerie-backup = final.callPackage ./clerie-backup {};
   clerie-keys = final.callPackage ./clerie-keys {};
+  clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
   clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
   clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
   clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};