diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 2d34890..a4a7fbf 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -9,6 +9,7 @@
     "caddy"
     "copyparty"
     "couchdb"
+    "cryptpad"
     "homepage-dashboard"
     "immich"
     "jellyfin"
diff --git a/modules/nixos/features/cryptpad.nix b/modules/nixos/features/cryptpad.nix
new file mode 100644
index 0000000..8c031ff
--- /dev/null
+++ b/modules/nixos/features/cryptpad.nix
@@ -0,0 +1,49 @@
+let
+  httpPort = 5022;
+  websocketPort = 5024;
+  certloc = "/var/lib/acme/fi33.buzz";
+in
+{
+  services = {
+    cryptpad = {
+      enable = true;
+      settings = {
+        inherit httpPort;
+        inherit websocketPort;
+        httpUnsafeOrigin = "https://cryptpad.fi33.buzz";
+        httpSafeOrigin = "https://cryptpad-ui.fi33.buzz";
+        inactiveTime = 7;
+        archiveRetentionTime = 7;
+        accountRetentionTime = 7;
+      };
+    };
+
+    caddy.virtualHosts."cryptpad.fi33.buzz, cryptpad-ui.fi33.buzz".extraConfig = ''
+      header Strict-Transport-Security "includeSubDomains; preload"
+
+      handle /cryptpad_websocket* {
+        reverse_proxy localhost:${toString websocketPort} {
+          header_up Host {host}
+          header_up X-Real-IP {remote_host}
+        }
+      }
+
+      handle {
+        reverse_proxy localhost:${toString httpPort} {
+          header_up Host {host}
+          header_up X-Real-IP {remote_host}
+        }
+      }
+
+      @register {
+        host cryptpad.fi33.buzz
+        path /register*
+      }
+      respond @register 403
+
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
+        protocols tls1.3
+      }
+    '';
+  };
+}