diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index c3d09df..95f1727 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -16,7 +16,7 @@
     keyMap = "de-latin1";
   };
 
-  security.sudo.wheelNeedsPassword = false;
+  security.sudo.wheelNeedsPassword = lib.mkDefault false;
 
   users.groups.guests = {};
 
diff --git a/flake.lock b/flake.lock
index 2fcc384..0bf0e37 100644
--- a/flake.lock
+++ b/flake.lock
@@ -135,6 +135,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-krypton": {
+      "locked": {
+        "lastModified": 1686960236,
+        "narHash": "sha256-AYCC9rXNLpUWzD9hm+askOfpliLEC9kwAo7ITJc4HIw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "04af42f3b31dba0ef742d254456dc4c14eedac86",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-schule": {
       "locked": {
         "lastModified": 1679437018,
@@ -158,6 +174,7 @@
         "fernglas": "fernglas",
         "nixos-exporter": "nixos-exporter",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-krypton": "nixpkgs-krypton",
         "nixpkgs-schule": "nixpkgs-schule",
         "solid-xmpp-alarm": "solid-xmpp-alarm"
       }
diff --git a/flake.nix b/flake.nix
index e37e075..da34f32 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-krypton.url = "github:NixOS/nixpkgs/nixos-unstable";
     nixpkgs-schule.url = "github:NixOS/nixpkgs/nixos-unstable";
     agenix = {
       url = "github:ryantm/agenix";
@@ -50,6 +51,7 @@
       gatekeeper = { name = "gatekeeper"; };
       hydra-1 = { name = "hydra-1"; };
       hydra-2 = { name = "hydra-2"; };
+      krypton = { name = "krypton"; };
       mail-2 = { name = "mail-2"; };
       minecraft-2 = { name = "minecraft-2"; };
       monitoring-3 = { name = "monitoring-3"; };
diff --git a/hosts/krypton/configuration.nix b/hosts/krypton/configuration.nix
new file mode 100644
index 0000000..83174b2
--- /dev/null
+++ b/hosts/krypton/configuration.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.luks = {
+    devices.lvm = {
+      device = "/dev/disk/by-uuid/f7059f75-764d-4cd1-9da7-7c64b05bff38";
+      bypassWorkqueues = true;
+    };
+  };
+
+  networking.hostName = "krypton";
+
+  security.sudo.wheelNeedsPassword = true;
+
+  system.stateVersion = "23.05";
+}
+
diff --git a/hosts/krypton/hardware-configuration.nix b/hosts/krypton/hardware-configuration.nix
new file mode 100644
index 0000000..193d77d
--- /dev/null
+++ b/hosts/krypton/hardware-configuration.nix
@@ -0,0 +1,47 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/1c49e548-d618-4915-a4ee-5039837c6a4a";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/229d0940-1ce8-4e8c-987b-d7998cf4bc97";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1A46-5CDD";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/9b325780-17b2-4c0f-a3df-58f9963e1db0"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wwp0s20f0u3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}