diff --git a/flake.nix b/flake.nix
index aff6af1..0c14456 100644
--- a/flake.nix
+++ b/flake.nix
@@ -183,6 +183,7 @@
         ./hosts/amy/configuration.nix
         ./roles/conduit.nix
         ./roles/coredns
+        ./roles/gts-sandbox.nix
         ./roles/iceshrimp.nix
         ./roles/keycloak.nix
         ./roles/mc-proxy.nix
diff --git a/roles/gts-sandbox.nix b/roles/gts-sandbox.nix
new file mode 100644
index 0000000..4c177b7
--- /dev/null
+++ b/roles/gts-sandbox.nix
@@ -0,0 +1,23 @@
+{
+  config
+, pkgs
+, ...
+}:
+
+{
+  age.secrets.gts-sandbox.file = ../secrets/gts-sandbox.age;
+
+  services.gotosocial = {
+    enable = true;
+    setupPostgresqlDB = true;
+    settings = {
+      host = "sandbox.isnt-a.top";
+      port = 3001;
+      trusted-proxies = ["100.64.0.0/10"];
+      bind-address = "0.0.0.0";
+      accounts-registration-open = true;
+      accounts-reason-required = true;
+    };
+    #environmentFile = config.age.secrets.gts-sandbox.path;
+  };
+}
diff --git a/secrets/gts-sandbox.age b/secrets/gts-sandbox.age
new file mode 100644
index 0000000..d89aa48
Binary files /dev/null and b/secrets/gts-sandbox.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 73b09ea..7df73b3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ in
   "keycloakPostgres.age".publicKeys = users ++ systems;
   "zulip-redis.age".publicKeys = users ++ systems;
   "zulip-env.age".publicKeys = users ++ systems;
+  "gts-sandbox.age".publicKeys = users ++ systems;
 }