diff --git a/flake.nix b/flake.nix index 097bd7e..cdcb849 100644 --- a/flake.nix +++ b/flake.nix @@ -76,15 +76,28 @@ nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; # - nixosConfigurations = lib.genAttrs hostDirNames ( - host: - nixpkgs.lib.nixosSystem { - modules = [ ./hosts/${host} ]; - specialArgs = { - inherit inputs outputs dotsPath; + nixosConfigurations = + (lib.genAttrs hostDirNames ( + host: + nixpkgs.lib.nixosSystem { + modules = [ ./hosts/${host} ]; + specialArgs = { + inherit inputs outputs dotsPath; + }; + } + )) + // { + sd-image-aarch64 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + ./images/sd-image-aarch64.nix + ]; + specialArgs = { + inherit inputs outputs dotsPath; + }; }; - } - ); + }; homeConfigurations = { work = home-manager.lib.homeManagerConfiguration { inherit pkgs; @@ -115,5 +128,7 @@ inputs ; }; + + images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage; }; } diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix index c7ec510..c35ceb1 100644 --- a/hosts/andromache/default.nix +++ b/hosts/andromache/default.nix @@ -76,6 +76,8 @@ in }; }; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + hardware = { cpu.intel.updateMicrocode = true; graphics.enable = true; diff --git a/images/sd-image-aarch64.nix b/images/sd-image-aarch64.nix new file mode 100644 index 0000000..0554c91 --- /dev/null +++ b/images/sd-image-aarch64.nix 
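Review bot: In hosts/andromache/default.nix, `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` is added without a comment, so nothing in the host config says why this machine registers a foreign-architecture interpreter. The option enables QEMU user-mode emulation through binfmt_misc for the whole machine and stays on after the image is built, so any aarch64 binary then runs transparently on this host. Assuming the reason is the new SD image, I would add `# required to build images/sd-image-aarch64 on this host via QEMU user-mode emulation` above the line. The enclosing attribute set starts and ends outside the hunk.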
@@ -0,0 +1,54 @@
+# see
+# see
+# ```
+# nix build .#images.sd-image-aarch64
+# nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+# # add u-boot bootloader (e.g. for Orange Pi Zero2 H616)
+# sudo dd if=~/dl/u-boot-sunxi-with-spl.bin of=/dev/sdX bs=1024 seek=8
+# ```
+
+let
+ username = "h";
+in
+{
+ imports = [
+ ../modules/ssh/hardened-openssh.nix
+ ];
+
+ ssh.username = username;
+ ssh.authorizedHosts = [
+ "andromache"
+ "astyanax"
+ ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ users.users = {
+ root.initialPassword = "nixos";
+ ${username} = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ initialPassword = "nixos";
+ };
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ services.openssh.enable = true;
+
+ # sdImage.postBuildCommands =
+ # let
+ # bootloaderPackage = pkgs.ubootOrangePiZero2;
+ # bootloaderSubpath = "/u-boot-sunxi-with-spl.bin";
+ # in
+ # ''
+ # dd if=${bootloaderPackage}${bootloaderSubpath} of=$img \
+ # bs=8 seek=1024 \
+ # conv=notrunc
+ # '';
+
+ system.stateVersion = "26.05";
+}
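Review bot: `root.initialPassword = "nixos";` and the identical `initialPassword` for `${username}` give every card flashed from this image two accounts with a publicly known password, and with `security.sudo.wheelNeedsPassword = false;` the user account is root-equivalent from first boot. Whether those passwords are usable over SSH depends on `../modules/ssh/hardened-openssh.nix`, which this diff does not show. If that module does not already enforce key-only login, set `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` in this file. Since `ssh.authorizedHosts` presumably provisions keys for `andromache` and `astyanax`, I would drop the `root.initialPassword` line and add a comment above `users.users` stating that the remaining password is a first-boot console default to be changed after login.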