diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix
new file mode 100644
index 0000000..d445f4a
--- /dev/null
+++ b/services/hedgedoc.nix
@@ -0,0 +1,91 @@
+{ config, ... }:
+
+let
+ fqdn = "hedgedoc.berlin.ccc.de";
+ cfg = config.services.hedgedoc.settings;
+in
+{
+ services = {
+ hedgedoc = {
+ enable = true;
+ settings = {
+ domain = fqdn;
+ #environmentFile = config.age.secrets.hedgedoc_settings.path;
+ protocolUseSSL = true;
+ path = "/run/hedgedoc/hedgedoc.sock";
+ db = {
+ dialect = "postgresql";
+ host = "/run/postgresql";
+ username = "hedgedoc";
+ database = "hedgedoc";
+ };
+ enableStatsApi = true;
+ };
+ };
+ nginx = {
+ enable = true;
+ resolver.addresses = [
+ "[2606:4700:4700::1111]"
+ "[2620:fe::fe]"
+ "1.1.1.1"
+ "9.9.9.9"
+ ];
+ statusPage = true; # http://127.0.0.1/nginx_status
+ sslProtocols = "TLSv1.3";
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+ upstreams.hedgedoc.servers."unix:${cfg.path}" = { };
+ virtualHosts."${fqdn}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://hedgedoc";
+ recommendedProxySettings = true;
+ };
+ "/socket.io/" = {
+ proxyPass = "http://hedgedoc";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "/metrics" = {
+ proxyPass = "http://hedgedoc";
+ recommendedProxySettings = true;
+ #allow 195.160.173.255;
+ #allow 2001:678:760:cccb::ffff;
+ #deny all;
+ };
+ "/status" = {
+ proxyPass = "http://hedgedoc";
+ recommendedProxySettings = true;
+ #allow 195.160.173.255;
+ #allow 2001:678:760:cccb::ffff;
+ #deny all;
+ };
+ };
+ };
+ };
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_18;
+ enableJIT = true;
+ initdbArgs = [
+ "--locale=C"
+ "--encoding=UTF8"
+ ];
+ ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }];
+ ensureDatabases = [ cfg.db.database ];
+ };
+ postgresqlBackup = {
+ enable = true;
+ startAt = "*-*-* 09:00:00";
+ compression = "zstd";
+ };
+ };
+}
+
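Review bot: `package = pkgs.postgresql_18;` in the `postgresql` block uses `pkgs`, but the module header only binds `{ config, ... }:`, so this file will fail to evaluate with an undefined-variable error; change the header to `{ config, pkgs, ... }:`. Separately, `enableStatsApi = true;` turns on HedgeDoc's `/status` and `/metrics` endpoints, and the nginx `"/metrics"` and `"/status"` locations proxy them on the public vhost with the `allow`/`deny` lines left commented out, so instance statistics are readable by anyone; if the addresses in those comments are the intended consumers, restore the restriction in each location as `extraConfig = "allow 195.160.173.255; allow 2001:678:760:cccb::ffff; deny all;";` (or leave `enableStatsApi` off until it is scoped). The commented `#environmentFile` line also sits inside `settings`, whereas the NixOS module appears to expose it as `services.hedgedoc.environmentFile`, so uncommenting it in place would likely emit an ignored config key rather than load the secret — worth verifying against the module options before it is needed.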