diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index 7385963..f53dafb 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -8,6 +8,7 @@
 ./services/gitea
 ./services/grafana
 ./services/headscale.nix
+ ./services/hedgedoc.nix
 ./services/hydra.nix
 # ./services/jitsi.nix
 ./services/jupyter.nix
diff --git a/hosts/tsuki/services/hedgedoc.nix b/hosts/tsuki/services/hedgedoc.nix
new file mode 100644
index 0000000..a6c0771
--- /dev/null
+++ b/hosts/tsuki/services/hedgedoc.nix
@@ -0,0 +1,51 @@
+{ pkgs, lib, config, options, ... }:
+{
+ config = {
+ # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+ sops.secrets."hedgedoc/env" = {
+ restartUnits = [ "hedgedoc.service" ];
+ };
+
+ services.hedgedoc = {
+ enable = true;
+ workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
+ environmentFile = config.sops.secrets."hedgedoc/env".path;
+ settings = {
+ domain = "docs.nani.wtf";
+ dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
+ email = false;
+ allowAnonymous = false;
+ allowAnonymousEdits = true;
+ protocolUseSSL = true;
+
+ oauth2 = let
+ authServerUrl = config.services.kanidm.serverSettings.origin;
+ in {
+ baseURL = "${authServerUrl}/oauth2";
+ tokenURL = "${authServerUrl}/oauth2/token";
+ authorizationURL = "${authServerUrl}/ui/oauth2";
+ userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+ clientID = "hedgedoc";
+
+ scope = "openid email profile";
+ userProfileUsernameAttr = "name";
+ userProfileEmailAttr = "email";
+ userProfileDisplayNameAttr = "displayname";
+
+ providerName = "KaniDM";
+ };
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "hedgedoc" ];
+ ensureUsers = [{
+ name = "hedgedoc";
+ ensurePermissions = {
+ "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+ };
+}
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 865adec..05f980b 100644
--- a/hosts/tsuki/services/nginx/default.nix
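Review bot: `dbURL = "postgres://hedgedoc:@localhost/hedgedoc"` logs into PostgreSQL over TCP with an empty password, which only succeeds if `services.postgresql.authentication` (configured outside this hunk) trusts host connections from localhost — the NixOS default expects a password for `host` entries, and the `ensureUsers` role created below has none. Connecting over the Unix socket with peer authentication removes both the empty credential and any reason to loosen host auth: HedgeDoc's structured `settings.db` accepts a `host` that is the socket directory (`/run/postgresql` on NixOS), provided the service runs as an OS user named `hedgedoc`. Because `allowAnonymous = false` sits directly above `allowAnonymousEdits = true`, a one-line comment such as `# anonymous users cannot create notes but may still edit notes whose permission is "freely"` would record that the pairing is intentional. If the module's default bind address is not loopback, setting `settings.host = "127.0.0.1";` explicitly keeps the instance reachable only through the nginx proxy.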
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -107,7 +107,8 @@
 (proxy ["py"] "http://localhost:${s ports.jupyterhub}" {
 locations."/".proxyWebsockets = true;
 })
- (proxy ["dyn"] "http://localhost:${s ports.minecraft.dynmap}" {})
+ (proxy ["docs"] "http://localhost:${s config.services.hedgedoc.settings.port}" {})
+ (proxy ["map"] "http://localhost:${s ports.minecraft.dynmap}" {})
 (proxy ["osu"] "http://localhost:${s ports.osuchan}" {})
 (proxy ["auth"] "https://localhost:8300" {
 extraConfig = ''
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 8b13789..ba026c3 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
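Review bot: The new `docs` entry passes `{}`, so unlike the `py` entry a few lines above it does not set `locations."/".proxyWebsockets = true;`, yet HedgeDoc's collaborative editor talks to the server over socket.io and needs the WebSocket upgrade headers forwarded; whether the `proxy` helper (defined outside this hunk) enables that by default is not visible here. If it does not, change the line to `(proxy ["docs"] "http://localhost:${s config.services.hedgedoc.settings.port}" { locations."/".proxyWebsockets = true; })`. The `dyn` → `map` rename of the dynmap vhost in the same hunk is unrelated to HedgeDoc and changes a published hostname, so it deserves a mention in the commit message or its own commit.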
@@ -1 +1,44 @@
+headscale:
+ oauth_secret: ""
+hedgedoc:
+ env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1c92j4w0gqh32hwssl5m2mfrggssxax9pge8qxwytv9lmrnfttcvqdrgsst
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZE1zUHdoM1JDOEJZOUYw
+ WjhkUkkwcmExOGVScGZXZ0FEWTRJdFZpUGxRCjNVYW9SNnZRYnNZK1c0R1dPQnVn
+ UWRUVllYbGlBU2lhZWs0dTcvOVJWSkUKLS0tIEl6M3ZoVHFZWGNWa3UyZW1CTnRm
+ UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
+ rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-03-07T12:35:57Z"
+ mac: ENC[AES256_GCM,data:jKRXsFeyqRVkU4yGpVm4iOrXZV5mnWC7c63ifKmWJR/eMH1M5I7nKrrn7RA9DjZcwBnWyO5HcYk/NjjMP5HZbSmUMEafKBs3GpZDFziGG4eQSgZdca4MSNXwAqtQqYwtjsixww637uwSycwdf+9cphSBGhsdFOctaIsOuuheZEc=,iv:KDhnBg9+mZWyaKsiijITAkyvyx8eFsflBB0+jbY6aZQ=,tag:qJxf5RUb/5hzXI8pjGgLFw==,type:str]
+ pgp:
+ - created_at: "2023-03-07T12:32:53Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+ hQIMA0av/duuklWYARAAgK4M/JO/WnZviV8Ghm3RSSbTYJfeqpwVdBOg5dRwkXIn
+ weE3ROWeI5xhiNhW+HQirXAhAXKvnhU9mahHSqvrGCrbPJUZMLiIaa+X7f3Bufva
+ wbcHwLJQ6C6+JKmFbg+J4x6o1lQX3RsN+MbELxZ0WMs4giJ9rjlRfMxMjlcxXVpr
+ ga0Lfe6qUh0g9rUGFL11pitEHBVHDFTF3WBINCS8GYvbBfCIEMHtCDYsY6tw40V4
+ qz15+YOWQyMR16hNQB8ooLmtKTB9BEZclSqPyNWwyoS+fi4NsAGWAxEcg3nGxdF0
+ jkJWOK3rINaZCQhz4tk7+j1n2h1EyJjCQv2hfyMB2EbeVFswznPfU/EWI6WoHWT3
+ oLZNHqyfswKHTQ81m4FoH5wU0nR2bOBipD3RaUTPsdEj1Ek/eXDYH7xZDzNDqQBe
+ YlXiE3WmweMzC6AP3GTQ9Etl4Ktx8mvushEtOYJsParsohH0P5MeIRMPxQc6Vu7i
+ FlKvjptCrvQk0AXTLyqpAypp8ENAGKHbs3/3eJIZ/fZBXOhDYUGV2kBpCwDDGALo
+ Xy42geSMmPI3NoonghlVSkrVZx4Srkcb+RlJg2kKdmwOa2qMYMGo7W6XD48nHOot
+ sC4srxJH1IHBrPQ5AKDOG9iJxSzSTA7aKKxkJD4CKfjlftQBQrNSLZBhdYedYfTS
+ XAHFlx1zkYmxfESTcOh48HpwNuMV3koxbLUsfrzag4b7R43XjrxPxxAeh9jKzZrK
+ B2qBvjGv9TMoKaAnXj48HwW1/R9v54vTQ3bwkuMvxhf5f3NWv5qBZdsdxU1l
+ =VxGX
+ -----END PGP MESSAGE-----
+ fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
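Review bot: `oauth_secret: ""` under `headscale:` is committed as an empty plaintext value while the sibling `hedgedoc.env` is an `ENC[...]` blob; sops does not encrypt empty strings, so this reads as a placeholder that was never filled rather than a deliberately public value. Anything that wires this key into the headscale OIDC client configuration (not visible in this diff) will run with an empty client secret, so either populate it through `sops` so it becomes `ENC[...]` like `hedgedoc/env`, or drop the key until it is needed. The `mac` covers every leaf including this plaintext one, so editing it by hand instead of through `sops` will make decryption of the whole file fail.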