diff --git a/common/binary-cache.nix b/common/binary-cache.nix
index 531c386..ab93121 100644
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@@ -1,17 +1,29 @@
 { config, lib, ... }:
+let
+
+in
 {
-  nix = {
-    settings = {
-      substituters = [
-        "https://cache.nixos.org/"
-        "https://nix-community.cachix.org"
-        "http://s0.koi-bebop.ts.net:5000"
-      ];
-      trusted-public-keys = [
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
-      ];
-    };
-  };
+  options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
+
+  config = lib.mkMerge [
+    {
+      enableExtraSubstituters = lib.mkDefault true;
+    }
+    (lib.mkIf config.enableExtraSubstituters {
+      nix = {
+        settings = {
+          substituters = [
+            "https://cache.nixos.org/"
+            "https://nix-community.cachix.org"
+            "http://s0.koi-bebop.ts.net:5000"
+          ];
+          trusted-public-keys = [
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+          ];
+        };
+      };
+    })
+  ];
 }
diff --git a/machines/hotspot/default.nix b/machines/hotspot/default.nix
new file mode 100644
index 0000000..9bccb6a
--- /dev/null
+++ b/machines/hotspot/default.nix
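Review bot: The `let` … `in` added above the module body is empty scaffolding and should either be removed or hold the two substituter lists so the `mkIf` body shrinks. On the security side, `http://s0.koi-bebop.ts.net:5000` is fetched in cleartext, so NAR integrity for that cache rests entirely on the matching `s0.koi-bebop.ts.net:…` entry in `trusted-public-keys`; the `.ts.net` name suggests it is only reachable over a tailnet, which is presumably why plain HTTP was accepted, and that reasoning deserves a line above the URL, `# plain HTTP: reached over the tailnet only; integrity comes from the signing key below`. Note also that the `mkIf` list re-declares `https://cache.nixos.org/`, which the NixOS nix module normally supplies by default, so turning the option off likely still leaves the public cache in place while the name `enableExtraSubstituters` suggests only the two private caches are at stake — a comment stating which caches the flag actually controls would help. The default could also be folded into the option itself, `lib.mkEnableOption "extra substituters" // { default = true; }`, instead of the separate `mkDefault` entry in the merge.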
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+let
+  internal = "end0";
+  wireless = "wlan0";
+  internal-gateway-ip = "192.168.0.1";
+  internal-ip-lower = "192.168.0.10";
+  internal-ip-upper = "192.168.0.100";
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  enableExtraSubstituters = false;
+
+  # networking.interfaces.${internal}.ipv4.addresses = [{
+  #   address = internal-gateway-ip;
+  #   prefixLength = 24;
+  # }];
+
+  # DHCP on all interfaces except for the internal interface
+  networking.useDHCP = true;
+  networking.interfaces.${internal}.useDHCP = true;
+  networking.interfaces.${wireless}.useDHCP = true;
+
+  # Enable NAT
+  networking.ip_forward = true;
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ internal ];
+    externalInterface = wireless;
+  };
+
+  networking.wireless = {
+    enable = true;
+    networks = {
+      "Pixel_6054".psk = "@PSK_Pixel_6054@";
+    };
+    interfaces = [ wireless ];
+    environmentFile = "/run/agenix/hostspot-passwords";
+  };
+  age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
+
+  # dnsmasq for internal interface
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      server = [ "1.1.1.1" "8.8.8.8" ];
+      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
+      dhcp-option = [
+        "option:router,${internal-gateway-ip}"
+        "option:broadcast,10.0.0.255"
+        "option:ntp-server,0.0.0.0"
+      ];
+    };
+  };
+
+  networking.firewall.interfaces.${internal}.allowedTCPPorts = [
+    53 # dnsmasq
+  ];
+
+  # Make it appear we are not using phone tethering to the ISP
+  networking.firewall = {
+    extraCommands = ''
+      iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
+    '';
+  };
+}
diff --git a/machines/hotspot/hardware-configuration.nix b/machines/hotspot/hardware-configuration.nix
new file mode 100644
index 0000000..d4b6ea8
--- /dev/null
+++ b/machines/hotspot/hardware-configuration.nix
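Review bot: The internal interface never receives the address dnsmasq hands out as the gateway: the `ipv4.addresses` block assigning `internal-gateway-ip` is commented out and `networking.interfaces.${internal}.useDHCP = true` contradicts the "except for the internal interface" comment directly above it, so clients on `end0` get `option:router,192.168.0.1` pointing at nothing, and `option:broadcast,10.0.0.255` does not belong to the 192.168.0.0/24 range either. The firewall opens only TCP 53 on the internal side, while DNS lookups are mostly UDP 53 and DHCP requests arrive on UDP 67, so the opening needs `allowedUDPPorts = [ 53 67 ]` next to the TCP entry. Since dnsmasq is not pinned to `end0`, I would add `interface = internal; bind-interfaces = true;` to its settings so neither DNS nor DHCP is ever offered on the upstream `wlan0` side if the firewall is later relaxed. The `iptables … TTL` rule in `extraCommands` is appended straight to the mangle `POSTROUTING` chain and, as I read the NixOS firewall module, nothing removes it on reload, so it will accumulate duplicates unless an `extraStopCommands` entry deletes it (`iptables -t mangle -D POSTROUTING -o ${wireless} -j TTL --ttl-set 65 || true`); it also leaves IPv6 hop limits untouched. The rewritten sections are below; the broadcast option is simply dropped, dnsmasq derives it from the interface address.

```nix
  # Static address on the internal side; dnsmasq advertises it as the router below
  networking.interfaces.${internal} = {
    useDHCP = false;
    ipv4.addresses = [{
      address = internal-gateway-ip;
      prefixLength = 24;
    }];
  };
  # … unchanged: NAT and wireless client configuration …
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = internal;       # serve DNS/DHCP on end0 only
      bind-interfaces = true;
      server = [ "1.1.1.1" "8.8.8.8" ];
      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
      dhcp-option = [
        "option:router,${internal-gateway-ip}"
        "option:ntp-server,0.0.0.0"
      ];
    };
  };

  networking.firewall.interfaces.${internal} = {
    allowedTCPPorts = [ 53 ];       # DNS over TCP (large answers)
    allowedUDPPorts = [ 53 67 ];    # DNS, DHCP server
  };
  # … unchanged: TTL mangle rule …
```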
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/machines/hotspot/properties.nix b/machines/hotspot/properties.nix
new file mode 100644
index 0000000..41d9905
--- /dev/null
+++ b/machines/hotspot/properties.nix
@@ -0,0 +1,13 @@
+{
+  hostNames = [
+    "hotspot"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "hotspot"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
+}
diff --git a/secrets/hostspot-passwords.age b/secrets/hostspot-passwords.age
new file mode 100644
index 0000000..c9ab414
--- /dev/null
+++ b/secrets/hostspot-passwords.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
+Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
+-> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
+5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
+--- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
+)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R
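Review bot: The root filesystem in `fileSystems."/"` is pinned to `44444444-4444-4444-8888-888888888888`, which looks like the fixed UUID the NixOS sd-image builder stamps on the root partition rather than a value read from a particular disk; if that is the intent it should be stated, because regenerating this file with `nixos-generate-config` on a different card would presumably replace it silently. I would add `# fixed UUID written by the NixOS sd-image builder, not disk-specific` above the `device` line. The file also imports `not-detected.nix` yet declares no other detected hardware, so a short header noting it was hand-written for a Raspberry Pi 4 (`linux_rpi4`, `aarch64-linux`) would save the next reader a guess.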