diff --git a/flake.lock b/flake.lock
index baeec02..4fc2ba3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -505,6 +505,26 @@
         "type": "github"
       }
     },
+    "openwrt-imagebuilder": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1706611863,
+        "narHash": "sha256-BGAeiyC3KCBGG1pEUzoNnmYmEblEGbOulOwcOdCYR7k=",
+        "owner": "astro",
+        "repo": "nix-openwrt-imagebuilder",
+        "rev": "887cd2b6f7c44a7ed52642e0632ac2ddc4fe1461",
+        "type": "github"
+      },
+      "original": {
+        "owner": "astro",
+        "repo": "nix-openwrt-imagebuilder",
+        "type": "github"
+      }
+    },
     "pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat_5",
@@ -548,6 +568,7 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nvim-kitty-navigator": "nvim-kitty-navigator",
+        "openwrt-imagebuilder": "openwrt-imagebuilder",
         "pre-commit-hooks": "pre-commit-hooks"
       }
     },
diff --git a/flake.nix b/flake.nix
index 9e747ed..ff5f16d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -77,6 +77,11 @@ rec {
       url = "github:hermitmaster/nvim-kitty-navigator";
       flake = false;
     };
+
+    openwrt-imagebuilder = {
+      url = "github:astro/nix-openwrt-imagebuilder";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs:
diff --git a/hosts/doctr.nix b/hosts/doctr.nix
new file mode 100644
index 0000000..104afad
--- /dev/null
+++ b/hosts/doctr.nix
@@ -0,0 +1,10 @@
+{ self, inputs, ... }: {
+  perSystem = { self', pkgs, lib, ... }: {
+    packages.doctr = self.lib.mkOpenwrtImage {
+      inherit pkgs;
+      hostname = "doctr";
+      timezone = "Europe/Berlin";
+      ipaddr = "192.168.1.1";
+    };
+  };
+}
diff --git a/hosts/penguin.nix b/hosts/penguin.nix
new file mode 100644
index 0000000..7055c80
--- /dev/null
+++ b/hosts/penguin.nix
@@ -0,0 +1,10 @@
+{ self, inputs, ... }: {
+  perSystem = { self', pkgs, lib, ... }: {
+    packages.penguin = self.lib.mkOpenwrtImage {
+      inherit pkgs;
+      hostname = "penguin";
+      timezone = "Europe/Berlin";
+      ipaddr = "192.168.0.1";
+    };
+  };
+}
diff --git a/lib/flake-module.nix b/lib/flake-module.nix
index 9eede9f..5edf175 100644
--- a/lib/flake-module.nix
+++ b/lib/flake-module.nix
@@ -1,8 +1,10 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 
 let createUser' = import ./createUser.nix;
 in {
-  flake.lib = {
+  imports = [ ./openwrt.nix ];
+  options.flake.lib = lib.mkOption { type = with lib.types; lazyAttrsOf raw; };
+  config.flake.lib = {
     createSystem = hostName:
       { hardwareConfig, config }:
       ({ pkgs, lib, ... }: {
diff --git a/lib/openwrt.nix b/lib/openwrt.nix
new file mode 100644
index 0000000..823bebe
--- /dev/null
+++ b/lib/openwrt.nix
@@ -0,0 +1,57 @@
+{ inputs, ... }:
+let
+  getProfiles = pkgs:
+    inputs.openwrt-imagebuilder.lib.profiles {
+      inherit pkgs;
+      release = "snapshot";
+    };
+in {
+  flake.lib.mkOpenwrtImage = { pkgs, hostname, timezone, ipaddr }:
+    inputs.openwrt-imagebuilder.lib.build
+    ((getProfiles pkgs).identifyProfile "glinet_gl-mt6000" // {
+      packages = [
+        # TODO does this include everything that the web firmware builder includes?
+        "auc"
+        "bridger"
+        "dawn"
+        "luci-app-attendedsysupgrade"
+        "luci-app-dawn"
+        "luci-ssl"
+        "tailscale"
+      ];
+
+      files = pkgs.runCommand "image-files" { } ''
+        mkdir -p $out/etc/uci-defaults
+        cat > $out/etc/uci-defaults/99-custom <<EOF
+        hostname='${hostname}'
+        timezone='${timezone}'
+        ipaddr='${ipaddr}'
+
+        # Set system defaults
+        uci set system.@system[0].hostname="$hostname"
+        uci set system.@system[0].timezone="$timezone"
+        uci set network.lan.ipaddr="$ipaddr"
+        uci set uhttpd.main.redirect_https='1'
+        uci commit
+        /etc/init.d/system reload
+
+        # Set WiFi country code
+        iw reg set DE
+
+        # Enable hardware acceleration: Hardware Flow Offloading (HFO)
+        uci set firewall.@defaults[0].flow_offloading=1
+        uci set firewall.@defaults[0].flow_offloading_hw=1
+        uci commit
+        /etc/init.d/firewall restart
+
+        # Enable hardware acceleration: Wireless Ethernet Dispatch (WED)
+        echo 'options mt7915e wed_enable=Y' >>/etc/modules.conf
+
+        # Set up automatic upgrades
+        # TODO download upgrade script from GitHub gist
+        # wget [github gist url]
+        # cat "0 3 * * * /path/to/gist/script" >>/etc/crontabs/root
+        EOF
+      '';
+    });
+}