diff --git a/nixos/machines/pennyworth/default.nix b/nixos/machines/pennyworth/default.nix
index 3f0eab3..ac7c19c 100644
--- a/nixos/machines/pennyworth/default.nix
+++ b/nixos/machines/pennyworth/default.nix
@@ -17,6 +17,7 @@ in {
 imports = [
 ./hetznercloud.nix
 ../../roles/server.nix
+ ../../roles/datakami.nix
 ../../services/backup.nix
 ../../services/email.nix
 ];
@@ -110,5 +111,6 @@ in {
 weechat
 ripgrep
 ];
+ nix.settings.allowed-users = [ "@wheel" ];
 }
diff --git a/nixos/roles/datakami.nix b/nixos/roles/datakami.nix
new file mode 100644
index 0000000..71d3c4b
--- /dev/null
+++ b/nixos/roles/datakami.nix
@@ -0,0 +1,33 @@
+{ lib, ... }: {
+ systemd.services.nginx.serviceConfig = {
+ ProtectHome = "tmpfs";
+ UMask = lib.mkForce "0022";
+ BindReadOnlyPaths = [ "/home/dk-stage/out" ];
+ };
+ systemd.tmpfiles.rules = [
+ "d /home/dk-stage 755 dk-stage dk-stage"
+ "d /home/dk-stage/out 755 dk-stage dk-stage"
+ ];
+ users.users.dk-stage = {
+ home = "/home/dk-stage";
+ group = "dk-stage";
+ useDefaultShell = true;
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [
+ ''command="rsync --server -logDtprcze.iLsfxCIvu --log-format=X --delete --partial . out/" ${dk-stage-deploy}''
+ ];
+ createHome = false; # sets wrong permissions
+ };
+ users.groups.dk-stage = { };
+ services.nginx.virtualHosts."dk-stage.yori.cc" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ root = "/home/dk-stage/out";
+ index = "index.html";
+ extraConfig = ''
+ error_page 404 /404.html;
+ '';
+ };
+ };
+}
diff --git a/nixos/sshkeys.nix b/nixos/sshkeys.nix
index 748c050..bd0f561 100644
--- a/nixos/sshkeys.nix
+++ b/nixos/sshkeys.nix
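Review bot: The new `nix.settings.allowed-users = [ "@wheel" ];` line carries no comment connecting it to the rsync-only dk-stage account introduced in the same commit, so in a machine file at line 111 it reads as an unrelated tweak. Suggest `# only wheel members may talk to the nix daemon; deploy-only accounts such as dk-stage must not be able to build or fetch` directly above it. This setting only controls who may connect to the daemon at all; `trusted-users` (root by default, and always permitted to connect) remains the setting that grants elevated daemon rights, so root's access is unchanged by this line.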
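Review bot: The forced command on dk-stage's authorized key (the `openssh.authorizedKeys.keys` entry) is not paired with `restrict`, so a session authenticated with dk-stage-deploy can still request TCP, agent and X11 forwarding even though the only command it can run is the rsync server; prefix the option string with `restrict,` — `''restrict,command="rsync --server -logDtprcze.iLsfxCIvu --log-format=X --delete --partial . out/" ${dk-stage-deploy}''` — so that `command=` is the sole capability left enabled. Separately, the server-side rsync flags include `-l` (symlinks preserved) while nginx serves `/home/dk-stage/out` as `root` with symlink following on by default, so a symlink landing in the synced tree would let nginx read whatever its bind-mounted view of the filesystem permits; adding `disable_symlinks if_not_owner from=/home/dk-stage/out;` to the location's `extraConfig` keeps the served tree self-contained. The `ProtectHome = "tmpfs"` definition has no `lib.mkForce` while `UMask` does; if the NixOS nginx module already defines ProtectHome this will need the same treatment, which is worth confirming at build time.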
@@ -8,4 +8,5 @@ lars = [
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbieYUtRGQ4nf4glQvrZDn72doP6W2uw2z9VqFq5sZLROXYa4jW8nwx4h+BiArGs+VPwn6lfsP19PX6yNIk74C/SkO26S1Zvbe7ffNusi6PH2BQIOWeAYKk+eZH+ZOeD8z07uDB7QffwRLwzSaPFg+zfRzsMFoXH/GE9qOQ4lnfk8czTZL7zbZf/yS7mDFztClXFciYsVwgRXNiFpfc+9mOkU0oBWtGo/WGUhB0Hds3a4ylyjjVAcC/l1H2bvc/Q3d6bbn23pUFl2V78Yg1B4b1MT34qbBV6whXAQd7KM9tND2ZhpF2XQ7Spi1QlOac0jup+sE+3bbvcjNqTI05DwJO/dX5F2gSAFkvSY4ZPqSX5ilE/hj4DQuhRgLmQdbVl5IFV9aLYqUvJcCqX9jRFMly4YTFXsFz18rGkxOYGZabcE1usBM2zRVDTtEP6Si5ii76Ocvp8aNFBB2Kf1whg8tziTv3kQEQ9fd2sRtE2J3xveJiwXjUBU2uikSOKe8JP47Tb6PYlv7Ty/6OI51aUQn++R72VNajdBJ1r1osp7leqTJ+sXuLlWLo/a7lDpDmgEI7dbxqmpjLcMce0JzqLKlP1Q2U/nkYy86xkjSTH1rNUI2JAbJx3iTcGy7bq12yfjNfcGAqY4GVXvisK1cpbF0RCjaFExwtmzorljHh6ZHjQ=="
 ];
+ dk-stage-deploy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHevKDi9QRssz0gUWGMg/s6SLU9mAdwvZDTbrD7EXoII";
 }