diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index 8185637..b89fdc7 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -80,6 +80,7 @@ in
 
     lohr = {
       enable = true;
+      port = 8083;
     };
 
     miniflux = {
diff --git a/secrets/default.nix b/secrets/default.nix
index 2120a11..0f21d45 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -14,6 +14,7 @@ with lib;
     transmission-password = lib.fileContents ./transmission.secret;
     nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
     nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
+    lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
 
     wireguard = pkgs.callPackage ./wireguard.nix { };
   };
diff --git a/secrets/lohr-shared-secret.secret b/secrets/lohr-shared-secret.secret
new file mode 100644
index 0000000..a05809e
Binary files /dev/null and b/secrets/lohr-shared-secret.secret differ
diff --git a/services/lohr.nix b/services/lohr.nix
index fcc05c3..957babf 100644
--- a/services/lohr.nix
+++ b/services/lohr.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -6,6 +6,12 @@ let
   cfg = config.my.services.lohr;
   my = config.my;
   domain = config.networking.domain;
+  secrets = config.my.secrets;
+  lohrPkg =
+    let
+      flake = builtins.getFlake "github:alarsyo/lohr?rev=bc32f8a565faa2055c1bbfa8c2353ce4738208b2";
+    in
+    flake.defaultPackage."x86_64-linux"; # FIXME: use correct system
 in
 {
   options.my.services.lohr = {
@@ -17,19 +23,51 @@ in
       example = "/var/lib/lohr";
       description = "Home for the lohr service, where data will be stored";
     };
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      example = 8080;
+      description = "Internal port for Lohr daemon";
+    };
   };
 
   config = mkIf cfg.enable {
+    systemd.services.lohr = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Environment = [
+          "ROCKET_PORT=${toString cfg.port}"
+          "ROCKET_LOG_LEVEL=normal"
+          "LOHR_HOME=${cfg.home}"
+          "'LOHR_SECRET=${secrets.lohr-shared-secret}'"
+        ];
+        ExecStart = "${lohrPkg}/bin/lohr";
+        StateDirectory = "lohr";
+        WorkingDirectory = "/var/lib/lohr";
+        User = "lohr";
+        Group = "lohr";
+      };
+      path = with pkgs; [
+        git
+      ];
+    };
+
+    users.users.lohr = {
+      isSystemUser = true;
+      home = cfg.home;
+      createHome = true;
+      group = "lohr";
+    };
+    users.groups.lohr = { };
+
     services.nginx.virtualHosts = {
       "lohr.${domain}" = {
         forceSSL = true;
         enableACME = true;
 
         locations."/" = {
-          proxyPass = let
-            laptopClientNum = my.secrets.wireguard.peers.laptop.clientNum;
-          in
-            "http://10.0.0.${toString laptopClientNum}:8000";
+          proxyPass = "http://127.0.0.1:${toString cfg.port}";
         };
       };
     };