diff --git a/flake.lock b/flake.lock
index 60bf3ce..7790ef9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -43,6 +43,26 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1717637172,
+ "narHash": "sha256-geTO9YL1V9zYGxupuZvKFWxh6II9sH2bjI1dmEVhVYQ=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "713aa3df481782719aed4d8c20ad31a9effe3564",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "inputs": {
 "systems": "systems_2"
@@ -193,6 +213,7 @@
 "inputs": {
 "agenix": "agenix",
 "bootspec-secureboot": "bootspec-secureboot",
+ "disko": "disko",
 "home-manager": "home-manager_2",
 "nix-darwin": "nix-darwin",
 "nix-index-database": "nix-index-database",
diff --git a/flake.nix b/flake.nix
index 925ae0c..6a4e4f5 100755
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,9 @@
 nix-index-database.url = "github:nix-community/nix-index-database";
 nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
@@ -49,6 +52,7 @@
 , bootspec-secureboot
 , home-manager
 , nix-darwin
+ , disko
 , ...
 }:
 let
@@ -101,6 +105,20 @@
 ./hosts/koi/configuration.nix
 ];
 };
+
+ homura = mkNixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/madohomu/homura.nix
+ ];
+ };
+
+ madoka = mkNixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/madohomu/madoka.nix
+ ];
+ };
 };
 darwinConfigurations = {
diff --git a/hosts/madohomu/common.nix b/hosts/madohomu/common.nix
new file mode 100644
index 0000000..7c86e42
--- /dev/null
+++ b/hosts/madohomu/common.nix
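Review bot: The new `disko` input is wired through `flake.nix` (the `disko.url` line, its `follows`, and the `, disko` argument in `outputs`) but nothing in this commit references it — the two new hosts declare their filesystems by hand in `hosts/madohomu/hardware-configuration.nix`. Unless `disko` is consumed somewhere outside these hunks, either drop the input until a disk layout module exists or add the disko module to the `modules` list of the `homura`/`madoka` `mkNixosSystem` calls, so the pinned third-party entry in `flake.lock` is not dead weight. If it is kept on purpose, a one-line comment next to `disko.url` such as `# disko: declarative disk layout for the madohomu VMs (not yet wired in)` would record the intent for the next reader.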
@@ -0,0 +1,25 @@
+{ abs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./hardware-configuration.nix
+
+ ./services/sing-box.nix
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ age.identityPaths = [
+ "/etc/ssh/agenix_key"
+ ];
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ (abs "ssh/teidesu.pub")
+ ];
+
+ system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/hosts/madohomu/hardware-configuration.nix b/hosts/madohomu/hardware-configuration.nix
new file mode 100644
index 0000000..224bcf9
--- /dev/null
+++ b/hosts/madohomu/hardware-configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/6514-E9BA"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
\ No newline at end of file
diff --git a/hosts/madohomu/homura.nix b/hosts/madohomu/homura.nix
new file mode 100644
index 0000000..4635cf4
--- /dev/null
+++ b/hosts/madohomu/homura.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./common.nix
+ ];
+
+ networking.hostName = "homura";
+}
\ No newline at end of file
diff --git a/hosts/madohomu/madoka.nix b/hosts/madohomu/madoka.nix
new file mode 100644
index 0000000..bf94d64
--- /dev/null
+++ b/hosts/madohomu/madoka.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./common.nix
+ ];
+
+ networking.hostName = "madoka";
+}
\ No newline at end of file
diff --git a/hosts/madohomu/services/sing-box.nix b/hosts/madohomu/services/sing-box.nix
new file mode 100644
index 0000000..0cc814e
--- /dev/null
+++ b/hosts/madohomu/services/sing-box.nix
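Review bot: `services.openssh.enable = true;` in `hosts/madohomu/common.nix` turns sshd on with the module defaults, and the only account given authorized keys is root, so the authentication policy of these hosts is left implicit: NixOS's default `PermitRootLogin` is `prohibit-password`, which is what this setup relies on, but `PasswordAuthentication` and `KbdInteractiveAuthentication` are enabled by default, so a host that the imported `services/sing-box.nix` exposes on a public port still answers password prompts. Make the intent explicit next to the `enable` line: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };`. Because both `homura.nix` and `madoka.nix` import this file, the one change covers both machines.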
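Review bot: `hosts/madohomu/hardware-configuration.nix` is imported by `common.nix` and therefore shared by both `homura` and `madoka`, yet it pins `/boot` to one concrete UUID (`6514-E9BA`) and `/` to the name-based path `/dev/sda1`. That is only correct if both VMs were cloned from the same image and keep that UUID; otherwise one of them fails to mount `/boot`, and `/dev/sda1` can change when a disk is added or the virtual controller differs (the initrd module list already anticipates several: `xen_blkfront`, `vmw_pvscsi`, `nvme`). Move the per-machine filesystem definitions into `homura.nix`/`madoka.nix` (or into a disko layout, since the commit adds that input) and reference `/` as `/dev/disk/by-uuid/<root-uuid>` the way `/boot` already is. A header comment stating the assumption would help either way: `# Shared by both madohomu VMs: assumes identical disk layout and /boot UUID on each host`.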
@@ -0,0 +1,60 @@
+{ config, abs, pkgs, ... }:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+in {
+ imports = [
+ (secrets.declare [
+ "madohomu-singbox-pk"
+ "madohomu-singbox-sid"
+ "madohomu-singbox-users"
+ ])
+ ];
+
+ services.sing-box = {
+ enable = true;
+ settings = {
+ log = { level = "info"; timestamp = true; };
+ inbounds = [
+ {
+ type = "vless";
+ tag = "vless-in";
+ listen = "::";
+ listen_port = 443;
+ sniff = true;
+ sniff_override_destination = true;
+ domain_strategy = "ipv4_only";
+ users = []; # populated later in the preStart script
+ tls = let server = "updates.cdn-apple.com"; in {
+ enabled = true;
+ server_name = server;
+ reality = {
+ enabled = true;
+ handshake = { inherit server; server_port = 443; };
+ private_key._secret = secrets.file config "madohomu-singbox-pk";
+ short_id = [
+ { _secret = secrets.file config "madohomu-singbox-sid"; }
+ ];
+ };
+ };
+ }
+ ];
+ outbounds = [
+ { type = "direct"; tag = "direct"; }
+ { type = "block"; tag = "block"; }
+ ];
+ };
+ };
+
+ systemd.services.sing-box.preStart = let
+ file = "/etc/sing-box/config.json";
+ in ''
+ users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"})
+ ${pkgs.jq}/bin/jq --arg users "$users" \
+ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
+ ${file} > ${file}.tmp
+ mv ${file}.tmp ${file}
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 443 ];
+}
\ No newline at end of file
diff --git a/secrets/UNSAFE.desu-arm-ip.age b/secrets/UNSAFE.desu-arm-ip.age
deleted file mode 100644
index e532d0b..0000000
Binary files a/secrets/UNSAFE.desu-arm-ip.age and /dev/null differ
diff --git a/secrets/UNSAFE.homura-ip.age b/secrets/UNSAFE.homura-ip.age
new file mode 100644
index 0000000..aa396ff
--- /dev/null
+++ b/secrets/UNSAFE.homura-ip.age
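Review bot: In the `preStart` snippet the decoded user list is handed to jq as `--arg users "$users"`, which places every client UUID on the jq command line, readable by any local process through the process table for as long as jq runs; pass it through the environment instead, which is also how the NixOS secret-substitution helpers do it: add `export users` after the `users=$(...)` line, drop `--arg users "$users"`, and use `($ENV.users | fromjson | map(...))` in the filter. Second, `${file}.tmp` is created by a bare `>` redirect, so its mode follows the service's umask rather than whatever mode `config.json` already had, and `mv` carries that mode onto the final file; since that file presumably contains the substituted REALITY `private_key` (the `_secret` entries are resolved by the module's own preStart, and this snippet assumes `config.json` already exists when it runs — the ordering of the two snippets is worth confirming), put `umask 077` as the first line of the script. The comment on `users = []` should also say where the data comes from: `# filled in by the preStart below from the madohomu-singbox-users secret (YAML list of client UUIDs)`.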
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 Q7pPYw FjTnZ0gV0J9KbujZDF+s4lsQTp15//4R6IgboLyFmzc +7CKys4Yv1eCL0TznrCeVcXALHUzBLpKc2PAv48v+AJc +--- wChyp6YsZPedRW/pQlUQlA5ElkTroiOpEsI5sGHydS4 +Zq~ȝ1u$4360ɟnd ssh-ed25519 Q7pPYw I5xBcBGDF6+AD9SSjOBjCTFAG3mph0SskFkCkwzyW0I +q5OZRzz+VNsxSZJ6TIIU78PW3chT5xtVRMFl2w6Clhc +--- UQyI75UTwq49YzizoPsi6GGrxMphl7vpqM/Kuvk45pk +O"N- +ء><{~lBmcj \ No newline at end of file diff --git a/secrets/madohomu-singbox-pk.age b/secrets/madohomu-singbox-pk.age new file mode 100644 index 0000000..062f658 --- /dev/null +++ b/secrets/madohomu-singbox-pk.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 sj88Xw D1VPiSD1MLUjpvglASYOpT5b3O5qHxpM0FQa0ej3qiw +I/3C2lhDGz0nC+zMX6/2tNya0L7Lbik7a04SbnU7NA4 +--- PDQY1baSqlotyQAI+pl+lRGrF4zr1CfvLrzHHp/CrAA +3:+!|Of*h{,  ssh-ed25519 sj88Xw hAtVKoM67sny48SaADCUDoVXYwxlkkXeKq3MFG176xk +b8sb4Lvc7+kA6KPejzPnpwDiBXyMRwcSwimSNK9QbkA +--- M3UGyBWpx9LmHxSlh6CzQWMKoqt/k2D7od58F82WJcA +nSd>Ȗ%NK+`k?>&GGQ = /dev/null; then - darwin-rebuild switch --flake $flake $args $@ + log_then_run darwin-rebuild switch --flake $flake $args $@ else - nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@ + log_then_run nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@ fi else - sudo nixos-rebuild $cmd --flake $flake $args $@ + log_then_run sudo -E nixos-rebuild $cmd --flake $flake $args $@ fi \ No newline at end of file diff --git a/users/teidesu/ssh.nix b/users/teidesu/ssh.nix index 3c7360e..98323cb 100644 --- a/users/teidesu/ssh.nix +++ b/users/teidesu/ssh.nix 
@@ -15,13 +15,12 @@ in { extraOptionOverrides = { GlobalKnownHostsFile = "~/.ssh/base_known_hosts"; + ControlPath = "~/.ssh/master-%C"; }; matchBlocks = { - desu-arm = { - hostname = secrets.readUnsafe "desu-arm-ip"; - forwardAgent = true; - }; + madoka.hostname = secrets.readUnsafe "madoka-ip"; + homura.hostname = secrets.readUnsafe "homura-ip"; koi = { hostname = "10.42.0.2";