diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
index c44a4a1..d573e98 100644
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -99,6 +99,12 @@ in {
       port = 8084;
     };
 
+    pleroma = {
+      enable = true;
+      port = 8086;
+      secretConfigFile = config.age.secrets."pleroma/pleroma-config".path;
+    };
+
     restic-backup = {
       enable = true;
       repo = "b2:hades-backup-alarsyo";
diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix
index 28b5d07..40373ec 100644
--- a/hosts/hades/secrets.nix
+++ b/hosts/hades/secrets.nix
@@ -28,6 +28,10 @@
         "paperless/admin-password" = {};
         "paperless/secret-key" = {};
 
+        "pleroma/pleroma-config" = {
+          owner = "pleroma";
+        };
+
         "restic-backup/hades-credentials" = {};
         "restic-backup/hades-password" = {};
 
diff --git a/modules/secrets/pleroma/pleroma-config.age b/modules/secrets/pleroma/pleroma-config.age
new file mode 100644
index 0000000..9b14639
Binary files /dev/null and b/modules/secrets/pleroma/pleroma-config.age differ
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index c5e3a36..112685e 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -24,6 +24,8 @@ in {
   "paperless/admin-password.age".publicKeys = [alarsyo hades];
   "paperless/secret-key.age".publicKeys = [alarsyo hades];
 
+  "pleroma/pleroma-config.age".publicKeys = [alarsyo hades];
+
   "restic-backup/boreal-password.age".publicKeys = [alarsyo boreal];
   "restic-backup/boreal-credentials.age".publicKeys = [alarsyo boreal];
   "restic-backup/hades-password.age".publicKeys = [alarsyo hades];
diff --git a/services/default.nix b/services/default.nix
index c129d03..44c7def 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -16,6 +16,7 @@
     ./paperless.nix
     ./photoprism.nix
     ./pipewire.nix
+    ./pleroma.nix
     ./postgresql-backup.nix
     ./postgresql.nix
     ./restic-backup.nix
diff --git a/services/pleroma.nix b/services/pleroma.nix
new file mode 100644
index 0000000..2593c81
--- /dev/null
+++ b/services/pleroma.nix
@@ -0,0 +1,112 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit
+    (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+
+  cfg = config.my.services.pleroma;
+  my = config.my;
+
+  domain = config.networking.domain;
+  hostname = config.networking.hostName;
+  fqdn = "${hostname}.${domain}";
+in {
+  options.my.services.pleroma = let
+    inherit (lib) types;
+  in {
+    enable = mkEnableOption "Pleroma";
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      example = 8080;
+      description = "Pleroma server port";
+    };
+
+    secretConfigFile = mkOption {
+      type = types.str;
+      default = "/var/lib/pleroma/secrets.exs";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.pleroma = {
+      path = [
+        pkgs.hexdump
+        pkgs.exiftool
+      ];
+    };
+
+    services.pleroma = {
+      enable = true;
+      secretConfigFile = cfg.secretConfigFile;
+
+      configs = [
+        ''
+          import Config
+
+          config :pleroma, Pleroma.Web.Endpoint,
+             url: [host: "social.${domain}", scheme: "https", port: 443],
+             http: [ip: {127, 0, 0, 1}, port: ${toString cfg.port}]
+
+          config :pleroma, :instance,
+            name: "social.alarsyo.net",
+            email: "contact+pleroma@alarsyo.net",
+            notify_email: "pleroma@alarsyo.net",
+            limit: 5000,
+            registrations_open: false
+
+          config :pleroma, :media_proxy,
+            enabled: false,
+            redirect_on_failure: true
+            #base_url: "https://cache.pleroma.social"
+
+          config :pleroma, Pleroma.Repo,
+            adapter: Ecto.Adapters.Postgres,
+            username: "pleroma",
+            database: "pleroma",
+            hostname: "localhost"
+
+          # Configure web push notifications
+          config :web_push_encryption, :vapid_details,
+            subject: "mailto:contact+pleroma@alarsyo.net"
+
+          config :pleroma, :database, rum_enabled: false
+          config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+          config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+          # Enable Strict-Transport-Security once SSL is working:
+          # config :pleroma, :http_security,
+          #   sts: true
+
+          config :pleroma, configurable_from_database: false
+
+          config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.AnonymizeFilename]
+        ''
+      ];
+    };
+
+    services.nginx.virtualHosts."social.${domain}" = {
+      forceSSL = true;
+      useACMEHost = fqdn;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}/";
+        proxyWebsockets = true;
+        extraConfig = ''
+          etag on;
+          client_max_body_size 50m;
+        '';
+      };
+    };
+
+    security.acme.certs.${fqdn}.extraDomainNames = ["social.${domain}"];
+  };
+}