diff --git a/config/derek.nix b/config/derek.nix
new file mode 100644
index 0000000..1e46728
--- /dev/null
+++ b/config/derek.nix
@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  sops.secrets = lib.mkIf config.my.secureHost {
+    derek-password.neededForUsers = true;
+  };
+  services = {
+    tailscale.enable = true;
+    sunshine = {
+      enable = true;
+      autoStart = true;
+      capSysAdmin = true;
+      openFirewall = true;
+
+    };
+  };
+  users.users.bearded_dragonn = {
+    isNormalUser = true;
+    createHome = true;
+    hashedPasswordFile = config.sops.secrets.derek-password.path;
+    packages = builtins.attrValues {
+      inherit (pkgs)
+        davinci-resolve
+        shotcut
+        pitivi
+        bottles
+        vscode
+        nextcloud-client
+        firefox
+        warp
+        ;
+      inherit (pkgs.kdePackages)
+        kdenlive
+        ;
+    };
+    extraGroups = [
+      "audio"
+      "video"
+      "input"
+      "games"
+    ];
+  };
+}
diff --git a/hosts/workstation/configuration.nix b/hosts/workstation/configuration.nix
index 8161009..f0d9b96 100644
--- a/hosts/workstation/configuration.nix
+++ b/hosts/workstation/configuration.nix
@@ -22,6 +22,7 @@ in
     ../../config/base.nix
     ../../config/stylix.nix
     ../../environments/gnome.nix
+    ../../config/derek.nix
   ];
   my = import ./toggles.nix { inherit inputs; } // {
     nix.cores = 8;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index c20003d..fea533d 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,4 +1,5 @@
 jawz-password: ENC[AES256_GCM,data:j5qya2z9bDESQopcBpLBktyBvIuplbq3Ql4TovdAF1BIJHcf4CAjFuCStW0axFEOST6bgJwhcZZvK4rWUyoS47eaFDp2lkiQnQ==,iv:GNEA8v0NR+PGe4yvlm4V6tTJD5NmlswRPH7JnQJUyLk=,tag:dpxDK88cAJSk+XdFF2mDww==,type:str]
+derek-password: ENC[AES256_GCM,data:gMX5fWnfYYUOArD6YJeyTgSHqE2KFKvTU2zNqr4YkEZx443zGYajRcuE4QRx1HXY71r/sipWpIURntBQrCksDy4rEtpKuHMeQdTfZWp5dSZU7oHcLr9MEr86kgMArFpaIELdNNprbS7Tqw==,iv:6kWIXFMNiH3Z2tAPVtylWYF+v8qeKVzk37fIpBQ486E=,tag:Akik/1gUm1R4zcGdSLWKag==,type:str]
 smtp-password: ENC[AES256_GCM,data:Reb6wDlZivAn5DVI2swNfQ==,iv:ZT4QvFXYmgFl1Ut07Yic1qnA8JvapSTfKw2DPCoQMEU=,tag:A5jIqUrmUwROS/LKbsahsQ==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:g0bnifEbMykPBVwMF14EhT/RWGsnEzJ6sXXmxSJ6kIVDeRr8XVRbFzusxlxAOOlseVwPT6e4Ad8=,iv:Gy0LwUNCw8gnqlwk91qguSEeufIJDtaqNNLX1vZp7vA=,tag:y8H42B1rue0X7/4nG/Whsw==,type:str]
 firefly-iii-keyfile: ENC[AES256_GCM,data:HTifd3/5apa9f0RiOh33aRRoVkRskgo/2FV9S01wQSEmKFLg2M9gNNFm6gv2/WCQvNc1,iv:4yLIQQkfqhLixQtAOsbQePNlKOrU2p6Dqw9aLPDoJrM=,tag:uSbAMCy4FWRMU+QhExAE2w==,type:str]
@@ -51,7 +52,7 @@ sops:
             RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
             QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-26T08:13:55Z"
-    mac: ENC[AES256_GCM,data:hZoOrRraR1qg/w6dEseP1sbJxxLBtWIw+hTV6TUQHlA9vCfrLEDlAlMZBNoTx1ijHz0Q22sV39j3ON+PBqfRRqxWr7nynYDZ7zk9rtVlW4xPTqIBusU+lHTFC7MSMfPn7bhTQ0h3QPHtTF778WIbgNYjEIXda4rlmrnc0bLdFA8=,iv:2a1M8KUtEj0rMuJsyu3WyEYdzeKw+VkDDZFsyU00XuM=,tag:vXw2+za466Olq05HJPOYdQ==,type:str]
+    lastmodified: "2026-01-16T15:38:39Z"
+    mac: ENC[AES256_GCM,data:4xaoGvLq1UIdozNqQ7v+pORVPDCk+FZRsCRvZ3C5AZOwSaM+UfDYZcI32AI0K80yFyhVIrrjqylykvXghbpQGAju3mv7+7Tbn5p2gqXrB/m1FuyVe/ftw7SSn8FTGL14cdHuPPkQTvV/u7z1IfX4YAOEGqtWiEfOe4YoWT3xc3A=,iv:dygbKjQ0ljgBPyk2aEIa/Mpbs/At+UzuhYy8Sndx/nk=,tag:jYbROlRxeDxqF1YqrBGL8A==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0