diff --git a/lib/mkmachine.nix b/lib/mkmachine.nix
index 6c36191..b661add 100644
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@@ -55,6 +55,7 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
           keycloak-keywind = prev.pkgs.callPackage ../packages/keycloak-keywind { };
           hydrasect = prev.pkgs.callPackage ../packages/hydrasect { };
           codeberg-pages-custom = prev.pkgs.callPackage ../packages/codeberg-pages-custom { };
+          readeck = prev.pkgs.callPackage ../packages/readeck { };
         })
 
         (
diff --git a/machines/gustave/default.nix b/machines/gustave/default.nix
index fa369e7..d795e1e 100644
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@@ -12,6 +12,7 @@
     ./nsd.nix
     ./borg.nix
     ./pages.nix
+    ./readeck.nix
   ];
 
   machine.meta = {
diff --git a/machines/gustave/readeck.nix b/machines/gustave/readeck.nix
new file mode 100644
index 0000000..cc6b7d2
--- /dev/null
+++ b/machines/gustave/readeck.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+
+  age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
+
+  services.nginx.virtualHosts."read.luj" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8000";
+    };
+  };
+
+  services.readeck = {
+    enable = true;
+    configPath = config.age.secrets."readeck-config".path;
+  };
+}
diff --git a/modules/readeck/default.nix b/modules/readeck/default.nix
new file mode 100644
index 0000000..2a3fada
--- /dev/null
+++ b/modules/readeck/default.nix
@@ -0,0 +1,71 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.services.readeck;
+in
+{
+
+  meta.maintainers = [ lib.maintainers.julienmalka ];
+
+  options = {
+    services.readeck = {
+      enable = mkEnableOption "Readeck";
+
+      package = mkPackageOption pkgs "readeck" { };
+
+      configPath = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to file containing config.";
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.readeck = {
+      description = "Readeck";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        StateDirectory = "readeck";
+        LoadCredential = "config:${cfg.configPath}";
+        WorkingDirectory = "/var/lib/readeck";
+        DynamicUser = true;
+        ExecStart = "${lib.getExe cfg.package} serve -config \${CREDENTIALS_DIRECTORY}/config";
+        ProtectSystem = "full";
+        SystemCallArchitectures = "native";
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        DevicePolicy = "closed";
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectProc = "invisible";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        LockPersonality = true;
+        Restart = "on-failure";
+
+      };
+    };
+  };
+}
diff --git a/packages/readeck/default.nix b/packages/readeck/default.nix
new file mode 100644
index 0000000..8c0b3cd
--- /dev/null
+++ b/packages/readeck/default.nix
@@ -0,0 +1,80 @@
+{
+  fetchFromGitea,
+  fetchNpmDeps,
+  buildGoModule,
+  nodejs,
+  npmHooks,
+  lib,
+}:
+
+let
+  file-compose = buildGoModule rec {
+
+    pname = "file-compose";
+    version = "unstable-2023-10-21";
+
+    src = fetchFromGitea {
+      domain = "codeberg.org";
+      owner = "readeck";
+      repo = "file-compose";
+      rev = "afa938655d412556a0db74b202f9bcc1c40d8579";
+      hash = "sha256-rMANRqUQRQ8ahlxuH1sWjlGpNvbReBOXIkmBim/wU2o=";
+    };
+
+    vendorHash = "sha256-Qwixx3Evbf+53OFeS3Zr7QCkRMfgqc9hUA4eqEBaY0c=";
+  };
+in
+
+buildGoModule rec {
+
+  pname = "readeck";
+  version = "0.15.4";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "readeck";
+    repo = "readeck";
+    rev = version;
+    hash = "sha256-GqpCIxwaS0OBKEgd3ByGDeg5ZkSZFusg7dFPOZpQYtI=";
+  };
+
+  nativeBuildInputs = [
+    nodejs
+    npmHooks.npmConfigHook
+  ];
+
+  npmRoot = "web";
+
+  NODE_PATH = "$npmDeps";
+
+  preBuild = ''
+    make web-build
+    ${file-compose}/bin/file-compose -format json docs/api/api.yaml docs/assets/api.json
+    go run ./tools/docs docs/src docs/assets
+  '';
+
+  tags = [
+    "netgo"
+    "osusergo"
+    "sqlite_omit_load_extension"
+    "sqlite_foreign_keys"
+    "sqlite_json1"
+    "sqlite_fts5"
+    "sqlite_secure_delete"
+  ];
+
+  overrideModAttrs = oldAttrs: {
+    # Do not add `npmConfigHook` to `goModules`
+    nativeBuildInputs = lib.remove npmHooks.npmConfigHook oldAttrs.nativeBuildInputs;
+    # Do not run `preBuild` when building `goModules`
+    preBuild = null;
+  };
+
+  npmDeps = fetchNpmDeps {
+    src = "${src}/web";
+    hash = "sha256-zqaiAChUdkzeoDjbGJ57tFsAiawU50G6KQEJgrcM3OA=";
+  };
+
+  vendorHash = "sha256-U1vMIig2/mncH07o1AZ2mUor5lq5WmNsfY/X2GbSGQA=";
+
+}
diff --git a/secrets/readeck-config.age b/secrets/readeck-config.age
new file mode 100644
index 0000000..7a5decc
Binary files /dev/null and b/secrets/readeck-config.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 32cacc9..f94bdc1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -96,4 +96,9 @@ in
   ];
   "404-ssl-certificate-cert.age".publicKeys = all;
   "404-ssl-certificate-key.age".publicKeys = all;
+  "readeck-config.age".publicKeys = [
+    gallifrey
+    tower
+    gustave
+  ];
 }