diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index 3923765..a01b75e 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -54,6 +54,39 @@ jobs:
         STORE_USER: admin
       name: Build and cache geo02
       run: nix-shell -A eval-nodes --run cache-node
+  hypervisor01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor01
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor02
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor03:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor03
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor03
+      run: nix-shell -A eval-nodes --run cache-node
   netcore02:
     runs-on: nix
     steps:
diff --git a/keys/default.nix b/keys/default.nix
index a9314ba..f542c0e 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -21,6 +21,15 @@ rec {
     compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
     geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
     geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    hypervisor01 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
+    ];
+    hypervisor02 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
+    ];
+    hypervisor03 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
+    ];
     rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
     storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
     vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
diff --git a/machines/nixos/hypervisor01/_configuration.nix b/machines/nixos/hypervisor01/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/hypervisor01/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [ ];
+
+  enabledServices = [ ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
diff --git a/machines/nixos/hypervisor01/_hardware-configuration.nix b/machines/nixos/hypervisor01/_hardware-configuration.nix
new file mode 100644
index 0000000..b4b31db
--- /dev/null
+++ b/machines/nixos/hypervisor01/_hardware-configuration.nix
@@ -0,0 +1,76 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "rootfs/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "rootfs/var";
+      fsType = "zfs";
+    };
+
+    "/boot1" = {
+      device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    "/boot2" = {
+      device = "/dev/disk/by-label/BOOT2";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/759f1573-7593-400e-b310-c384fc6124c3"; }
+    { device = "/dev/disk/by-uuid/73f94cd3-3f0f-4a32-9e5b-abd6c2a9b219"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/hypervisor01/secrets/secrets.nix b/machines/nixos/hypervisor01/secrets/secrets.nix
new file mode 100644
index 0000000..3943938
--- /dev/null
+++ b/machines/nixos/hypervisor01/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor01" ] [
+
+]
diff --git a/machines/nixos/hypervisor02/_configuration.nix b/machines/nixos/hypervisor02/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/hypervisor02/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [ ];
+
+  enabledServices = [ ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
diff --git a/machines/nixos/hypervisor02/_hardware-configuration.nix b/machines/nixos/hypervisor02/_hardware-configuration.nix
new file mode 100644
index 0000000..f421ac1
--- /dev/null
+++ b/machines/nixos/hypervisor02/_hardware-configuration.nix
@@ -0,0 +1,78 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+        "sr_mod"
+      ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "zfs";
+    };
+
+    "/boot1" = {
+      device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    "/boot2" = {
+      device = "/dev/disk/by-label/BOOT2";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    "/nix" = {
+      device = "rootfs/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "rootfs/var";
+      fsType = "zfs";
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/46e20dc0-01bc-4f26-904a-1d23cb96bdb6"; }
+    { device = "/dev/disk/by-uuid/a8938e0f-3a00-45e7-bc6f-4bd9e2b1db6c"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/hypervisor02/secrets/secrets.nix b/machines/nixos/hypervisor02/secrets/secrets.nix
new file mode 100644
index 0000000..90c0541
--- /dev/null
+++ b/machines/nixos/hypervisor02/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor02" ] [
+
+]
diff --git a/machines/nixos/hypervisor03/_configuration.nix b/machines/nixos/hypervisor03/_configuration.nix
new file mode 100644
index 0000000..68b2c0f
--- /dev/null
+++ b/machines/nixos/hypervisor03/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [ ];
+
+  enabledServices = [ ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
diff --git a/machines/nixos/hypervisor03/_hardware-configuration.nix b/machines/nixos/hypervisor03/_hardware-configuration.nix
new file mode 100644
index 0000000..cd3f113
--- /dev/null
+++ b/machines/nixos/hypervisor03/_hardware-configuration.nix
@@ -0,0 +1,78 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+        "sr_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "rootfs/nix";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "rootfs/var";
+      fsType = "zfs";
+    };
+
+    "/boot1" = {
+      device = "/dev/disk/by-uuid/80E2-979C";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+
+    # TODO: put me in automounts + autosync between both boot partitions.
+    "/boot2" = {
+      device = "/dev/disk/by-uuid/8722-1B4F";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/dfe3aa01-ed46-4996-8ae3-a913ebffba76"; }
+    { device = "/dev/disk/by-uuid/5531258d-3538-4744-be1b-e08e26ad377f"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/hypervisor03/secrets/secrets.nix b/machines/nixos/hypervisor03/secrets/secrets.nix
new file mode 100644
index 0000000..a66cb2b
--- /dev/null
+++ b/machines/nixos/hypervisor03/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor03" ] [
+
+]
diff --git a/meta/network.nix b/meta/network.nix
index 1c50637..26f0541 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -82,6 +82,63 @@
     netbirdIp = "100.80.233.249";
   };
 
+  hypervisor01 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.11";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "4dbbd76a";
+    netbirdIp = "100.80.242.115";
+  };
+
+  hypervisor02 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.12";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "d0b48483";
+    netbirdIp = "100.80.37.202";
+  };
+
+  hypervisor03 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.13";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "1c407ea8";
+    netbirdIp = "100.80.58.178";
+  };
+
   rescue01 = {
     interfaces = {
       ens18 = {
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 34e5f62..fb7d0f1 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -91,6 +91,63 @@
     };
   };
 
+  hypervisor01 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "hypervisors" ];
+
+    deployment = {
+      targetHost = "hypervisor01.dgnum";
+    };
+  };
+
+  hypervisor02 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "hypervisors" ];
+
+    deployment = {
+      targetHost = "hypervisor02.dgnum";
+    };
+  };
+
+  hypervisor03 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "hypervisors" ];
+
+    deployment = {
+      targetHost = "hypervisor03.dgnum";
+    };
+  };
+
   rescue01 = {
     site = "luj01";
 
diff --git a/meta/organization.nix b/meta/organization.nix
index 0b75855..f9a9d58 100644
--- a/meta/organization.nix
+++ b/meta/organization.nix
@@ -91,6 +91,13 @@
       "ecoppens"
     ];
 
+    hypervisors = [
+      "catvayor"
+      "ecoppens"
+      "mdebray"
+      "raito"
+      "thubrecht"
+    ];
   };
 
   external = {