diff --git a/hive.nix b/hive.nix
index fd93914..b8e6a25 100644
--- a/hive.nix
+++ b/hive.nix
@@ -134,4 +134,21 @@ in
 ./profiles/gitlab.nix
 ];
 };
+
+ pendragon = { name, nodes, ... }: {
+ deployment.tags = [ "discourse" ];
+ deployment.targetHost = "pendragon.federez.net";
+ federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
+ networking.hostName = name;
+
+ glucagon.networking = {
+ nibble = 233;
+ wan-mac = "BC:24:11:C2:AA:47";
+ };
+
+ imports = [
+ ./profiles/vm.nix
+ ./profiles/discourse.nix
+ ];
+ };
 }
diff --git a/profiles/discourse.nix b/profiles/discourse.nix
new file mode 100644
index 0000000..2bf016d
--- /dev/null
+++ b/profiles/discourse.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }: {
+ age.secrets.discourse-key-base = {
+ file = ../secrets/discourse-key-base.age;
+ owner = "discourse";
+ group = "discourse";
+ };
+
+ services.postgresql.package = pkgs.postgresql_13;
+
+ services.discourse = {
+ enable = true;
+ hostname = "forum.federez.net";
+ secretKeyBaseFile = config.age.secrets.discourse-key-base.path;
+ # TODO(jeltz): mail
+ admin.skipCreate = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/secrets/discourse-key-base.age b/secrets/discourse-key-base.age
new file mode 100644
index 0000000..424fbee
Binary files /dev/null and b/secrets/discourse-key-base.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6ca386c..ea4fc61 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
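Review bot: The `federez.monitoring.apiKey` line for pendragon commits the monitoring key to the repository as a plain string, so it stays in git history and, like other string options, will typically end up readable in the Nix store on the host. This same commit already handles `discourse-key-base` through agenix. If the `federez.monitoring` module can take a file path, declare the key under `age.secrets` and pass its `.path` instead, then rotate the value that was committed. The module's options are not visible here, so whether a file-based option exists needs confirming. The host set this entry belongs to starts outside the hunk.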
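Review bot: `admin.skipCreate = true` sits next to an unresolved `# TODO(jeltz): mail`, while the last line opens 80 and 443. The forum therefore becomes reachable with no declaratively created admin and no outbound mail, and nothing in the file says how the first admin account is meant to be bootstrapped. A short comment above that line would close the gap, for example `# No admin is created here; the first admin is set up by hand, see <runbook placeholder>`. It would also help to note on the TODO that sign-up and password-reset mail will not work until it is resolved.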
@@ -5,6 +5,7 @@ let
 lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon";
 klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon";
 aragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUDEhYDtCLI4ypIXhimPjleiGUI3lOTv5LntzNEPM1p root@aragon";
+ pendragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrJwgqLnGuUpUFacXLphiu8vUthVD4mA4a3Uytl5eSD root@pendragon";
 # Add yourself.
 raito = readKeyFile ../pubkeys/raito.keys;
 bensmrs = readKeyFile ../pubkeys/bensmrs.keys;
@@ -17,7 +18,8 @@ let
 vaultwarden-admins = active-admins;
 keycloak-admins = active-admins;
 ldap-bind-admins = active-admins;
- servers = [ estragon wagon lagon klingon aragon ];
+ discourse-admins = active-admins;
+ servers = [ estragon wagon lagon klingon aragon pendragon ];
 in
 {
 "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
@@ -25,4 +27,5 @@ in
 "vaultwarden-secrets.age".publicKeys = [ wagon ] ++ vaultwarden-admins;
 "keycloak-password-file.age".publicKeys = [ lagon ] ++ keycloak-admins;
 "ldap-bind-password.age".publicKeys = servers ++ ldap-bind-admins;
+ "discourse-key-base.age".publicKeys = [ pendragon ] ++ discourse-admins;
 }
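Review bot: Adding `pendragon` to `servers` in the second hunk also makes it a recipient of `ldap-bind-password.age`, because that entry is `servers ++ ldap-bind-admins`, yet `profiles/discourse.nix` neither declares nor reads that secret. If the forum host does not need the LDAP bind password, leaving it out of `servers` keeps the secret scoped to the hosts that use it. Other uses of `servers` may exist outside the visible lines, so check those first. If the access is intended, note that the only `.age` file this diff shows as changed is the new `discourse-key-base.age`, so `ldap-bind-password.age` would still need a rekey before pendragon can decrypt it. The `let` block these bindings belong to starts outside the hunk.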