diff --git a/.sops.yaml b/.sops.yaml
index 29672f1..06ddb4c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
 - &gitea age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
 - &gitea-runner age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
 - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
+ - &meili age1thyemgvua2at9mha5hxuqezxcrxvljh9tpwwmdylu0mrspppvamsunpeh2
 - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
 - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
 - &neo age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp
@@ -57,6 +58,12 @@ creation_rules:
 - *erwin
 - *erwin_horus
 - *mimir
+ - path_regex: machines/meili/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *erwin
+ - *erwin_horus
+ - *meili
 - path_regex: machines/minio/[^/]+\.yaml$
 key_groups:
 - age:
diff --git a/machines/default.nix b/machines/default.nix
index 898bbd1..ea54c31 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -49,7 +49,6 @@ inputs: {
 k3s-test = {
 config = import ./k3s-test/configuration.nix inputs;
 deploy = {
- # host = "10.0.0.167";
 # host = "10.0.0.208";
 host = "k3s-test.barn-beaver.ts.net";
 targetUser = "erwin";
@@ -59,6 +58,15 @@ inputs: {
 loki = {
 config = import ./loki/configuration.nix inputs;
 };
+ meili = {
+ config = import ./meili/configuration.nix inputs;
+ deploy = {
+ # host = "10.0.0.214";
+ host = "meili.barn-beaver.ts.net";
+ targetUser = "erwin";
+ tags = [ "container" ];
+ };
+ };
 mimir = {
 config = import ./mimir/configuration.nix inputs;
 };
diff --git a/machines/meili/configuration.nix b/machines/meili/configuration.nix
new file mode 100644
index 0000000..710152c
--- /dev/null
+++ b/machines/meili/configuration.nix
@@ -0,0 +1,90 @@
+{ self, caddy-with-plugins, ... }:
+{ pkgs, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/virtualisation/lxc-container.nix")
+
+ ../../users/root
+ ../../users/erwin
+
+ ./geoserver
+ ];
+
+ eboskma = {
+ users.erwin = {
+ enable = true;
+ server = true;
+ };
+ nix-common = {
+ enable = true;
+ remote-builders = true;
+ };
+ caddy-proxy = {
+ enable = true;
+ package = caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare;
+ proxyHosts = [
+ {
+ externalHostname = "meili.datarift.nl";
+ proxyAddress = "localhost:8080";
+ }
+ ];
+ };
+ tailscale.enable = true;
+ };
+
+ boot.isContainer = true;
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+ networking = {
+ hostName = "meili";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = false;
+
+ firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+
+ wait-online.anyInterface = true;
+
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.214/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.206";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ caddy-env = { };
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/machines/meili/geoserver/default.nix b/machines/meili/geoserver/default.nix
new file mode 100644
index 0000000..5641735
--- /dev/null
+++ b/machines/meili/geoserver/default.nix
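Review bot: `wheelNeedsPassword = false` under `security.sudo-rs` gives the `erwin` account unattended root on this container and nothing in the file records why; presumably the deploy tooling in machines/default.nix needs it, so a one-line comment would stop the next reader from "fixing" it, e.g. `# passwordless wheel: required for unattended deploys as erwin (see machines/default.nix)`. The account itself comes from `../../users/erwin`, which is outside this diff, so its SSH/authentication policy cannot be checked here. `sops.secrets.caddy-env = { }` takes sops-nix's defaults (root-owned, mode 0400), which is fine if the caddy-proxy module hands it to systemd as an `EnvironmentFile` (read as root) but would need `owner`/`group` if the caddy process opens it itself — worth confirming against that module. `firewall.trustedInterfaces = [ "tailscale0" ]` also means the tomcat connector from ./geoserver (presumably the default 8080) is reachable from the whole tailnet, bypassing Caddy; acceptable if intended, but say so in a comment.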
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+let
+ geoserver-war = pkgs.fetchzip {
+ url = "https://downloads.sourceforge.net/sourceforge/geoserver/GeoServer/2.25.1/geoserver-2.25.1-war.zip";
+ sha256 = "O9XDjx3csW9HZzSYROPUCyl3sYlrKLMpHztUKYIEabs=";
+ stripRoot = false;
+ };
+in
+{
+ services.tomcat = {
+ enable = true;
+ virtualHosts = [
+ {
+ name = "meili.datarift.nl";
+ webapps = [ "${geoserver-war}/geoserver.war" ];
+ }
+ ];
+ purifyOnStart = true;
+ };
+}
diff --git a/machines/meili/secrets.yaml b/machines/meili/secrets.yaml
new file mode 100644
index 0000000..3938e13
--- /dev/null
+++ b/machines/meili/secrets.yaml
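Review bot: `purifyOnStart = true` clears tomcat's baseDir (except logs and work) on every start, and GeoServer, as far as I recall its defaults, keeps its data directory — catalog, security settings, the built-in administrator account — inside the unpacked WAR unless `GEOSERVER_DATA_DIR` is set, so any change made through the UI, including replacing the default admin password, is presumably thrown away at the next restart. Since configuration.nix publishes this instance at `meili.datarift.nl` through Caddy, that would leave the stock admin account in place indefinitely. Point the data dir at persistent storage, e.g. `services.tomcat.javaOpts = [ "-DGEOSERVER_DATA_DIR=<PLACEHOLDER: persistent data path>" ];`, and create that directory owned by the tomcat user (a `systemd.tmpfiles.rules` entry suffices). The pinned `sha256` on the sourceforge fetch is good; a short comment naming why 2.25.1 was chosen would help the next version bump.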
@@ -0,0 +1,39 @@
+caddy-env: ENC[AES256_GCM,data:KFoPLa9L43IbhXTft5VNB/4MetDxJsFX7phSsx1bDbr5e3wJynI2mLbTNkQexb+MUtWqK5JB,iv:vAoBGavDDlYT5UlVFgd/FYmU0w00mla8/fVatGEIjPg=,tag:L1YTfvWTkdhBLVBL4YL0iw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQ0dvR2x3R0VQc3NBY2pk
+ TExQOXlOU1FDNzFrVWJHcnlmZ2EvS1NpOVFNClBhVzhsOEdhc2FDZnRPN2RkcUZO
+ QU1sQ09scVdlY2NDcGg1SGJ1aG1rTmsKLS0tIGYvNW9EMEpKajE1Q2ZoYXd1QlAy
+ SGZGOXcvZUZhMkRjVDVtaG1aVjlvdTQKUJEntauITelHgLUIUXC7+LI6fias7GRM
+ avdmHwn7X/ReE/DivsLDNxvakSO3QJAQtrV2O0RPO+FPj6JFOu8CUQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMWJMMU9qK2tNN1p2cnJw
+ OVBRVDY1TWdyMkE0KzhIRGkwa2pyQU9wWFVvClp2M0NPRjBQS3pab1FSekpYYUpa
+ SU9NejRFeG9sV2YrUXhJRGhWenUrZHMKLS0tIFMwTUNzYSt2SDc2N2F1SXhkdnBR
+ c2Zjb1NlQ1dOV1NWVEpBaWJkcVZnWk0KfvUBb7bpml7jBw15gA+TK/9dok8KFvt0
+ ouiiTExF41nYCKjfeBf99bKpUCykZxPSz8sReapyO6tZ8dDycXb2UA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1thyemgvua2at9mha5hxuqezxcrxvljh9tpwwmdylu0mrspppvamsunpeh2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdkh5a281aFBnWWhpUVNS
+ bElPZXBuOWV1YWZFMVZzdmRkMWtsNFUrM1F3ClI1SEpsMWRnRFlXVEhnRjQ0T3VJ
+ WjIyMzVFbXlaeHNLbkVOZGlGbVk4dmsKLS0tIFIxOWY2clVjZ3BJb3dqQThTSExI
+ TW1rUEFLNVFYUFo2VFEwd3JxSXFsYzQKbxzHXaU2KVBVWbU4kgpjaETw2wm/6cx+
+ LL+d17IAkAv85Qh9ZoWwXluufrwwN1+12xsqQMSpwpWMyQgbNPCwRQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-04T07:47:43Z"
+ mac: 
ENC[AES256_GCM,data:tkvtSOGCMsAV48p/PGp/R+M7rME21TbEdIVTzTp7hv2bdHxgq0T8tdYAsdqdzkPvqjqvf61w7AzV8JsD8+T41lb2Wt16SHAsJVHGo+cePFztC1d2xf0EmimO41Py4m/ZxWnpPFnDyTXMw2mAspZeLBAjgB7+tjX4IFjCOk3HmkU=,iv:QnqXcAooViz7QH/6sM+IkyOASxMpe9yQ+WvGUB1lxdo=,tag:Ulph5M86R+N4hXxjm4c0BQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1