diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d25da52
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*~
+\#*\#
+id_ed25519
+id_ed25519.pub
+signing-key.pub
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..a5cceec
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,40 @@
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see .
+
+DESTDIR ?= .
+
+.PHONY: all help install update $(DESTDIR)/mumble-vm.img
+
+IMAGE_SOURCE = \
+ mumble-vm-system.scm \
+ id_ed25519.pub \
+ Makefile \
+ signing-key.pub
+
+all: help
+
+help:
+ @printf "Available commands:\n\
+ make help # prints this help\n\
+ make install # install image to $(DESTDIR)/ \n\
+ make deploy # update existing vm with guix deploy through SSH\n\
+ "
+
+$(DESTDIR)/mumble-vm.img: $(IMAGE_SOURCE)
+ sudo install \
+ `guix system image \
+ --image-type=mbr-raw \
+ --image-size=6G mumble-vm-system.scm` \
+ $@
+
+install: $(DESTDIR)/mumble-vm.img
+
+deploy:
+ guix deploy -L . mumble-vm-machine.scm
diff --git a/mumble-vm-machine.scm b/mumble-vm-machine.scm
new file mode 100644
index 0000000..f2d8174
--- /dev/null
+++ b/mumble-vm-machine.scm
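Review bot: In the Makefile hunk, the `.PHONY` line names `update`, which has no rule, and omits `deploy`, which does; a file called `deploy` in the tree would make `make deploy` report "up to date" and skip `guix deploy`. I would change it to `.PHONY: all help install deploy $(DESTDIR)/mumble-vm.img`. The `sudo install` recipe takes its source operand from a backtick substitution, so when `guix system image` fails the substitution is empty and the error the operator sees comes from `install`, not from the build. It also passes no `-m`, so the disk image is written with install's default mode 0755; `-m 0644`, or tighter if the hypervisor's user allows, fits a raw image better.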
@@ -0,0 +1,38 @@
+;;; Copyright © Guix documentation authors
+;;; Copyright © 2022 Denis 'GNUtoo' Carikli
+;;;
+;;; This file is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; This file is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this file. If not, see .
+
+(use-modules (gnu)
+ (gnu machine)
+ (gnu machine ssh))
+(list
+ (machine
+ (operating-system
+ (@ (mumble-vm-system) mumble-vm-operating-system))
+ (environment managed-host-environment-type)
+ (configuration
+ (machine-ssh-configuration
+ (authorize? #t)
+ (build-locally? #f)
+ (host-key
+ (string-append
+ "ssh-ed25519"
+ " "
+ "AAAABBBBCCCCDDDDEEEEFFFFF1111222233334444555566667777888899990000ABC"))
+ (host-name "audio.experimental.a-lec.org")
+ (identity "./id_ed25519")
+ (port 222)
+ (system "x86_64-linux")
+ (user "root")))))
diff --git a/mumble-vm-system.scm b/mumble-vm-system.scm
new file mode 100644
index 0000000..26648b4
--- /dev/null
+++ b/mumble-vm-system.scm
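Review bot: The `host-key` value built by `string-append` reads like a filler string (`AAAABBBBCCCC…`) rather than a real Ed25519 public key, and nothing in the file says so. `guix deploy` uses this field to authenticate the server before it sends anything as `root`, so I would add a comment above it such as `;; Replace with the VM's /etc/ssh/ssh_host_ed25519_key.pub; guix deploy authenticates the host against this value.` The `(identity "./id_ed25519")` path is relative, so it resolves against whatever directory `guix deploy` is started from. A second comment, `;; Relative path: run guix deploy from the repository root (see the Makefile's deploy target).`, would make that dependency explicit.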
@@ -0,0 +1,93 @@
+;; Copyright (C) 2023 Denis 'GNUtoo' Carikli
+;;
+;; This file is free software; you can redistribute it and/or modify it
+;; under the terms of the GNU General Public License as published by
+;; the Free Software Foundation; either version 3 of the License, or (at
+;; your option) any later version.
+;;
+;; You should have received a copy of the GNU General Public License
+;; along with this file. If not, see .
+
+(define-module (mumble-vm-system)
+ #:use-module (gnu)
+ #:use-module (gnu packages admin)
+ #:use-module (gnu packages dns)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages ssh)
+ #:use-module (gnu services admin)
+ #:use-module (gnu services ssh)
+ #:export (mumble-vm-operating-system))
+
+(define-public %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let
+ ((nginx-pid (call-with-input-file "/var/run/nginx/pid" read))
+ (mumble-server-pid
+ (call-with-input-file
+ "/var/run/mumble-server/mumble-server.pid" read)))
+ ((lambda _
+ (kill nginx-pid SIGHUP)
+ (kill mumble-server-pid SIGUSR1))))))
+
+(define mumble-vm-operating-system
+ (operating-system
+ (bootloader (bootloader-configuration
+ (bootloader grub-minimal-bootloader)
+ (targets '("/dev/vda"))))
+ ;; TODO: Does Mumble have some data? Is BTRFS safer than using ext4
+ ;; without doing many fsck?
+ (file-systems (cons (file-system
+ (device (file-system-label "Guix_image"))
+ (mount-point "/")
+ (type "ext4")) %base-file-systems))
+ (host-name "mumble-vm")
+ (timezone "Europe/Paris")
+ (packages
+ (append
+ (list htop
+ iftop
+ `(,isc-bind "utils")
+ net-tools
+ nmon
+ openssh-sans-x)
+ %base-packages))
+ (services
+ (append
+ (list
+ ;; Networking
+ (service
+ static-networking-service-type
+ (list
+ (static-networking
+ (addresses (list (network-address
+ (device "eth0")
+ (value "192.168.10.37/24"))))
+ (routes (list (network-route
+ (destination "default")
+ (gateway "192.168.10.1"))))
+ (name-servers '("192.168.10.1")))))
+ ;; OpenSSH
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (use-pam? #f)
+ (port-number 222)
+ (permit-root-login #t)
+ (password-authentication? #f)
+ (challenge-response-authentication? #f)
+ (authorized-keys
+ `(("root" , (local-file "id_ed25519.pub"))
+ ("gnutoo" ,(local-file "id_ed25519.pub"))))))
+ ;; Unattended Upgrades
+ (service unattended-upgrade-service-type))
+ (modify-services
+ %base-services
+ (guix-service-type config => (guix-configuration
+ (authorized-keys
+ (append
+ (list
+ (local-file
+ "signing-key.pub"))
+ %default-authorized-guix-keys)))))))))
+mumble-vm-operating-system
diff --git a/mumble-vm.xml b/mumble-vm.xml
new file mode 100644
index 0000000..9876123
--- /dev/null
+++ b/mumble-vm.xml
@@ -0,0 +1,90 @@
+ + mumble-vm + 4194304 + 4194304 + + /machine + + + hvm + + + + + + + + + + + + + + destroy + restart + destroy + + + + + + /usr/bin/qemu-system-x86_64 + + + + +
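Review bot: In mumble-vm-system.scm, `(permit-root-login #t)` keeps root login key-only solely because the two `#f` lines below it disable password and challenge-response authentication; `(permit-root-login 'prohibit-password)` states that intent in the setting itself and survives a later change to those lines. The `authorized-keys` list also installs the same `id_ed25519.pub` for `gnutoo`, yet no `users` field declares that account in the visible hunk, so the entry looks inert; either declare the user or drop the line. `unattended-upgrade-service-type` is used with its default configuration, which as far as I know rebuilds from `/run/current-system/configuration.scm`. Because this system pulls `id_ed25519.pub` and `signing-key.pub` in through `local-file`, that rebuild may fail to evaluate and leave the VM unpatched without anyone noticing. It is worth checking the upgrade log on the VM, or setting `operating-system-file` in an `unattended-upgrade-configuration`.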
+ + +
+ + + +
+ + + +
+ + + +
+ + + + + +
+ + + + + + + + + + + + + + + +