diff --git a/configuration.nix b/configuration.nix
index 960006b..df9f72c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,16 +42,6 @@
 htop
 tmux
 rsync
-
- (writeShellScriptBin "mc-whitelist" ''
- docker exec minecraft rcon-cli whitelist add "$1"
- '')
- (writeShellScriptBin "mc-cmd" ''
- docker exec minecraft rcon-cli "$@"
- '')
- (writeShellScriptBin "mc-logs" ''
- docker logs --tail "''${1:-100}" -f minecraft
- '')
 ];
 users.users.root.openssh.authorizedKeys.keys = [
diff --git a/flake.nix b/flake.nix
index 1056b73..877b947 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,19 +17,25 @@
 let
 system = "x86_64-linux";
 pkgs = nixpkgs.legacyPackages.${system};
- serverHost = "root@compsigh-minecraft";
-
 deploy = pkgs.writeShellScriptBin "nhs" ''
 nh os switch --hostname compsigh-minecraft --target-host root@compsigh-minecraft path:. "$@"
 '';
- mcWhitelist = pkgs.writeShellScriptBin "mc-whitelist" ''
- ssh ${serverHost} "docker exec minecraft rcon-cli whitelist add $1"
- '';
- mcCmd = pkgs.writeShellScriptBin "mc-cmd" ''
- ssh ${serverHost} "docker exec minecraft rcon-cli $*"
- '';
 mcLogs = pkgs.writeShellScriptBin "mc-logs" ''
- ssh ${serverHost} "docker logs --tail ''${1:-100} -f minecraft"
+ ssh root@compsigh-minecraft "docker logs --tail ''${1:-100} -f minecraft"
+ '';
+ bootstrap = pkgs.writeShellScriptBin "mc-bootstrap" ''
+ set -euo pipefail
+ IP="''${1:?Usage: mc-bootstrap }"
+ echo "==> Installing NixOS (bootstrap config with port 22 open)..."
+ nix run github:nix-community/nixos-anywhere -- --flake path:.#compsigh-minecraft-bootstrap "root@$IP"
+ echo ""
+ echo "==> Removing old host key..."
+ ssh-keygen -R "$IP"
+ echo ""
+ echo "==> Fetching new server host key..."
+ echo "Run: ssh root@$IP cat /etc/ssh/ssh_host_ed25519_key.pub"
+ echo "Then update secrets/secrets.nix with the new key and run: agenix -r"
+ echo "Then run: nhs"
 '';
 in {
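Review bot: In `mc-bootstrap` (flake.nix), the host key that becomes an agenix recipient is read over the first SSH connection after `ssh-keygen -R "$IP"`, so nothing authenticates it; whichever machine answers on port 22 at that moment supplies the key the secrets are re-encrypted to. The printed steps should tell the operator to compare the fingerprint with one obtained out of band before editing `secrets/secrets.nix`, for example `echo "Verify the key fingerprint against the provider console before adding it"`; alternatively the host key could be generated locally and installed through nixos-anywhere's `--extra-files`, so it is known in advance. Separately, `nix run github:nix-community/nixos-anywhere` resolves to whatever the default branch holds at run time, and this installer runs with root access to the target. Adding it as a flake input and invoking the locked package would pin it through `flake.lock`; the flake's `inputs` are outside this hunk, so whether such an input already exists is not visible here.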
@@ -44,11 +50,25 @@
 ];
 };
+ # Bootstrap config: opens port 22 on public interface for initial setup
+ nixosConfigurations.compsigh-minecraft-bootstrap = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit inputs; };
+ modules = [
+ disko.nixosModules.disko
+ inputs.agenix.nixosModules.default
+ ./disk-config.nix
+ ./configuration.nix
+ {
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ }
+ ];
+ };
+
 devShells.${system}.default = pkgs.mkShell {
 packages = [
 deploy
- mcWhitelist
- mcCmd
+ bootstrap
 mcLogs
 pkgs.nh
 inputs.agenix.packages.${system}.default
@@ -56,9 +76,8 @@
 shellHook = ''
 echo "compsigh minecraft server"
+ echo " mc-bootstrap — first-time install (mc-bootstrap )"
 echo " nhs — deploy to server"
- echo " mc-whitelist — add a player (mc-whitelist PlayerName)"
- echo " mc-cmd — run rcon command (mc-cmd whitelist list)"
 echo " mc-logs — tail server logs"
 echo " agenix — manage secrets"
 '';
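Review bot: The inline module in `nixosConfigurations.compsigh-minecraft-bootstrap` exposes SSH on every interface with `networking.firewall.allowedTCPPorts = [ 22 ];`, and nothing in this hunk limits how root may authenticate while the host sits in that state. Unless `configuration.nix` already sets them (not visible here), the same module should also carry `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";`, so that only the authorized keys work during the exposed window. The comment above the definition should also say the state is temporary, e.g. `# Temporary: SSH is publicly reachable until the regular config is deployed with nhs`. Nothing enforces the switch back to the regular configuration, so a host left on the bootstrap config keeps port 22 open indefinitely.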