diff --git a/configs/mcp.nix b/configs/mcp.nix
index 30d91ba..c4a55ff 100644
--- a/configs/mcp.nix
+++ b/configs/mcp.nix
@@ -22,6 +22,41 @@ in
 users.groups.mcp = {};
+ # MCP Master — multi-node orchestrator (v2).
+ # Runs on the master node only (rift). Coordinates deployments across
+ # agents, manages edge routing, and maintains cluster state.
+ # Uses ExecStartPre to skip startup if the binary is absent (safe on
+ # worker nodes that import this module but don't run the master).
+ systemd.services.mcp-master = {
+ description = "MCP Master";
+ after = [ "network-online.target" "mcp-agent.service" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ unitConfig = {
+ ConditionPathExists = "/srv/mcp-master/mcp-master";
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "/srv/mcp-master/mcp-master server --config /srv/mcp-master/mcp-master.toml";
+ Restart = "on-failure";
+ RestartSec = 5;
+
+ NoNewPrivileges = true;
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ RestrictSUIDSGID = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ ReadWritePaths = [ "/srv/mcp-master" ];
+ };
+ };
+
 systemd.services.mcp-agent = {
 description = "MCP Agent";
 after = [ "network-online.target" ];
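Review bot: The new `mcp-master` unit sets no `User=`/`Group=` in `serviceConfig`, so unless one is applied elsewhere (not visible in this hunk) it runs as root even though a `users.groups.mcp` group is defined just above; adding `User = "mcp"; Group = "mcp";` (or `DynamicUser = true;`) is what makes the sandboxing options that follow meaningful. `ReadWritePaths = [ "/srv/mcp-master" ]` also covers the directory that holds the `ExecStart` binary and its `mcp-master.toml`, so a compromised process can modify its own executable and config; keeping the binary outside the writable state directory, or switching to `ProtectSystem = "strict"` with a narrower `ReadWritePaths` (a dedicated data subdirectory), would close that. The header comment says the unit `Uses ExecStartPre to skip startup if the binary is absent`, but the hunk implements this with `unitConfig.ConditionPathExists`, so the comment should read `# Uses ConditionPathExists to skip startup if the binary is absent`. The enclosing attribute set continues outside the hunk.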