diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index 53d7bbe..358cf8c 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -100,6 +100,28 @@ jobs:
 STORE_USER: admin
 name: Build and cache hypervisor03
 run: nix-shell -A eval-nodes --run cache-node
+ netaccess01:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: netaccess01
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache netaccess01
+ run: nix-shell -A eval-nodes --run cache-node
+ netcore01:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: netcore01
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache netcore01
+ run: nix-shell -A eval-nodes --run cache-node
 netcore02:
 runs-on: nix
 steps:
diff --git a/machines/netconf/netaccess01.nix b/machines/netconf/netaccess01.nix
new file mode 100644
index 0000000..1a7176e
--- /dev/null
+++ b/machines/netconf/netaccess01.nix
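Review bot: Both new jobs run `actions/checkout@v3`, a mutable tag, in the same job whose next step receives `STORE_PASSWORD` for the `admin` user of the `infra-signing` store. If that tag is ever repointed, the checkout step can change the workspace that the credentialed `cache-node` step then executes. Pinning the action to a full commit SHA removes that dependency, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`. The surrounding jobs presumably use the same pattern, so if this workflow is generated the pin belongs in the generator rather than in this file.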
@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+ #TODO: meta
+ vlansPlan = {
+ "uplink-cri".id = 223;
+
+ "admin-core" = {
+ id = 3000;
+ l3-interface = "irb.0";
+ };
+ "admin-ap".id = 3001;
+ "users".id-list = [
+ {
+ begin = 3045;
+ end = 4094;
+ }
+ ];
+
+ "ap-staging".id = 2000;
+ "hypervisor".id = 2001;
+ };
+in
+{
+ vlans = vlansPlan;
+ dgn-hardware.model = "EX2300-48P";
+ dgn-interfaces = {
+ # "ge-0/0/0" = AP-staging;
+ # "ge-0/0/1" = AP-staging;
+ # "ge-0/0/2" = AP-staging;
+ # "ge-0/0/3" = AP-staging;
+ # "ge-0/0/4" = AP-staging;
+ # "ge-0/0/5" = AP-staging;
+
+ # netcore02
+ "xe-0/1/0".ethernet-switching = {
+ interface-mode = "trunk";
+ vlans = [ "all" ];
+ };
+
+ # management
+ "me0".inet.addresses = [ "192.168.42.6/24" ];
+ "irb".inet6.addresses = [ "fd26:baf9:d250:8000::2001/64" ];
+ };
+}
diff --git a/machines/netconf/netcore01.nix b/machines/netconf/netcore01.nix
new file mode 100644
index 0000000..75e2776
--- /dev/null
+++ b/machines/netconf/netcore01.nix
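Review bot: The uplink `"xe-0/1/0"` is a trunk with `vlans = [ "all" ]`, so every VLAN in `vlansPlan`, including `admin-core` and `admin-ap`, reaches this access switch, as will any VLAN added to the plan later. An explicit list keeps management segments off links that do not need them, for example `vlans = [ "admin-core" "ap-staging" ];` here, adjusted to the ports that are actually enabled (the `irb` management address presumably rides `admin-core` through `irb.0`). The same `"all"` trunk is declared on `"xe-0/2/0"` in netcore01.nix and on `"xe-0/1/2"` in the second netcore02.nix hunk, where it replaces a single-VLAN access port.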
@@ -0,0 +1,55 @@ +# SPDX-FileCopyrightText: 2025 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +let + #TODO: meta + vlansPlan = { + "uplink-cri".id = 223; + + "admin-core" = { + id = 3000; + l3-interface = "irb.0"; + }; + "admin-ap".id = 3001; + "users".id-list = [ + { + begin = 3045; + end = 4094; + } + ]; + + "ap-staging".id = 2000; + "hypervisor".id = 2001; + }; +in +{ + vlans = vlansPlan; + dgn-hardware.model = "EX2300-48P"; + dgn-interfaces = + let + hypervisor.ethernet-switching = { + interface-mode = "access"; + vlans = [ "hypervisor" ]; + }; + in + { + "xe-0/2/0".ethernet-switching = { + interface-mode = "trunk"; + vlans = [ "all" ]; + }; + + "ge-0/0/0" = hypervisor; + "ge-0/0/1" = hypervisor; + "ge-0/0/2" = hypervisor; + "ge-0/0/3" = hypervisor; + "ge-0/0/4" = hypervisor; + "ge-0/0/5" = hypervisor; + "ge-0/0/6" = hypervisor; + "ge-0/0/7" = hypervisor; + + # management + "me0".inet.addresses = [ "192.168.2.2/24" ]; + "irb".inet6.addresses = [ "fd26:baf9:d250:8000::100f/64" ]; + }; +} diff --git a/machines/netconf/netcore02.nix b/machines/netconf/netcore02.nix index 43a11bc..b304fee 100644 --- a/machines/netconf/netcore02.nix +++ b/machines/netconf/netcore02.nix @@ -20,6 +20,7 @@ let ]; "ap-staging".id = 2000; + "hypervisor".id = 2001; }; #TODO: additionnal module (always the same for APs) AP-staging = { @@ -95,9 +96,9 @@ in }; # netcore01 (Potos) "xe-0/1/2".ethernet-switching = { - interface-mode = "access"; + interface-mode = "trunk"; vlans = [ - "ap-staging" + "all" ]; }; # uplink diff --git a/meta/nodes/netconf.nix b/meta/nodes/netconf.nix index 162bd8d..722074d 100644 --- a/meta/nodes/netconf.nix +++ b/meta/nodes/netconf.nix 
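Review bot: `vlansPlan` in netcore01.nix is an identical copy of the table in netaccess01.nix, and the netcore02.nix hunk in this same commit had to add `"hypervisor".id = 2001` by hand to keep up. Because the inter-switch links are trunks carrying `"all"`, a VLAN name that maps to different ids on two switches would join or split segments without any evaluation error. Until the `#TODO: meta` is resolved, a comment above the table such as `# Keep in sync with netaccess01.nix and netcore02.nix` would flag the coupling; importing one shared attribute set would remove it. Separately, `"xe-0/2/0"` has no comment naming its peer, unlike the `# netcore02` comment on the trunk in netaccess01.nix.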
@@ -2,6 +2,31 @@ # # SPDX-License-Identifier: EUPL-1.2 { + netcore01 = { + site = "pot01"; + + hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0"; + + stateVersion = null; + + adminGroups = [ "fai" ]; + + deployment = { + targetHost = "fd26:baf9:d250:8000::100f"; + sshOptions = [ + "-J" + "root@vault01.hyp01.infra.dgnum.eu" + "-p" + "830" + ]; + }; + + nixpkgs = { + version = "24.05"; # FIXME: meaningless + system = "netconf"; + }; + }; + netcore02 = { site = "hyp01"; @@ -16,6 +41,33 @@ sshOptions = [ "-J" "root@vault01.hyp01.infra.dgnum.eu" + "-p" + "830" + ]; + }; + + nixpkgs = { + version = "24.05"; # FIXME: meaningless + system = "netconf"; + }; + }; + + netaccess01 = { + site = "hyp02"; + + hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0"; + + stateVersion = null; + + adminGroups = [ "fai" ]; + + deployment = { + targetHost = "fd26:baf9:d250:8000::2001"; + sshOptions = [ + "-J" + "root@vault01.hyp01.infra.dgnum.eu" + "-p" + "830" ]; }; @@ -24,26 +76,4 @@ system = "netconf"; }; }; - # netaccess01 = { - # site = "hyp02"; - # - # hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0"; - # - # stateVersion = null; - # - # adminGroups = [ "fai" ]; - # - # deployment = { - # targetHost = "fd26:baf9:d250:8000::2001"; - # sshOptions = [ - # "-J" - # "root@vault01.hyp01.infra.dgnum.eu" - # ]; - # }; - # - # nixpkgs = { - # version = "24.05"; # FIXME: meaningless - # system = "netconf"; - # }; - # }; } diff --git a/scripts/netconf-apply.sh b/scripts/netconf-apply.sh new file mode 100755 index 0000000..c402a62 --- /dev/null +++ b/scripts/netconf-apply.sh 
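Review bot: The `hashedPassword` added for `netcore01` is the same `$6$` crypt string, salt and digest included, that the second hunk enables for `netaccess01`, so both switches share one password whose hash is committed in clear text. Anyone with read access to the repository can work on that hash offline, and a single recovered password would then apply to every device that reuses it. Consider one credential per switch, with the hash loaded from the repository's secret mechanism rather than from this file, if the netconf module allows that. The added `"-p" "830"` options reach the devices through `root@vault01.hyp01.infra.dgnum.eu`; whether the jump account needs to be `root` is worth confirming.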
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+set -Eeuo pipefail
+
+ssh_command=${SSH_COMMAND-ssh}
+
+target_host=$1
+shift
+
+if [ -z "$target_host" ] ; then
+ echo Usage: netconf-apply target-host
+ exit 1
+fi
+
+if toplevel="$(nix-build $(colmena eval -E "{ nodes, ... }: nodes.${target_host}.config.netconf.rpc" --instantiate))"; then
+ $ssh_command $(colmena eval -E "{nodes, ...}:
+ with nodes.${target_host}.config.deployment;
+ \"\${targetUser}@\${targetHost} \${builtins.concatStringsSep \" \" sshOptions}\"" | sed 's/"//g') \
+ -s netconf < $toplevel
+else
+ echo Build failed
+fi
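Review bot: With `set -u` in effect, `target_host=$1` aborts with an unbound-variable error when the script is called without arguments, so the usage branch below it is never reached in that case, and the `else` branch prints `Build failed` but still exits 0. `target_host` is also interpolated unvalidated into the two Nix expressions passed to `colmena eval -E`, so a value containing Nix syntax is evaluated instead of being treated as a node name. The sketch below checks the argument count first, restricts the name to a conservative character set (adjust it if node names use other characters), and returns a failing status when the build fails. The redirect would also be safer quoted, as `< "$toplevel"`.

```shell
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
  echo "Usage: netconf-apply target-host" >&2
  exit 1
fi
target_host=$1
shift

# Only a plain node name may be interpolated into the Nix expressions below.
if [[ ! $target_host =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "netconf-apply: invalid target host: $target_host" >&2
  exit 1
fi

# … unchanged: nix-build of the rpc derivation and the ssh invocation …
else
  echo "Build failed" >&2
  exit 1
fi
```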