diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 4ef779d8..bca54851 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -44,6 +44,12 @@
 fast = true;
 location = "192.168.0.1";
 }
+ {
+ path = "zdata/big-apps/mastodon";
+ remotePath = "zdata/recv/lasting-integrity/big-apps/mastodon";
+ fast = true;
+ location = "192.168.0.1";
+ }
 {
 path = "zdata/big-apps/nextcloud";
 remotePath = "zdata/recv/lasting-integrity/big-apps/nextcloud";
@@ -62,6 +68,7 @@
 garmin-scraper.enable = true;
 grafana.enable = true;
 mail.enable = true;
+ mastodon.enable = true;
 matrix.enable = true;
 nginx.hosts = [
 {
diff --git a/machines/lasting-integrity/hardware.nix b/machines/lasting-integrity/hardware.nix
index 7afeaa2d..bb08297c 100644
--- a/machines/lasting-integrity/hardware.nix
+++ b/machines/lasting-integrity/hardware.nix
@@ -54,6 +54,10 @@
 device = "zdata/big-apps/influxdb2";
 fsType = "zfs";
 };
+ "/var/lib/mastodon/public-system" = {
+ device = "zdata/big-apps/mastodon";
+ fsType = "zfs";
+ };
 "/cache" = {
 device = "zroot/safe/cache";
 fsType = "zfs";
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 78ca58c6..9b0b7b65 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -9,6 +9,7 @@
 ./garmin-scraper
 ./grafana
 ./mail
+ ./mastodon
 ./matrix
 ./nextcloud
 ./nginx
diff --git a/modules/services/mastodon/default.nix b/modules/services/mastodon/default.nix
new file mode 100644
index 00000000..ab810917
--- /dev/null
+++ b/modules/services/mastodon/default.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.services.mastodon.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.services.mastodon.enable {
+ chvp.services.nginx.hosts = [{
+ fqdn = "social.chvp.be";
+ options = {
+ root = "${pkgs.mastodon}/public/";
+ locations = {
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+ "/".tryFiles = "$uri @proxy";
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ "/api/v1/streaming" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ }];
+ users = {
+ users = {
+ mastodon.uid = 989;
+ nginx.extraGroups = [ "mastodon" ];
+ };
+ groups.mastodon.gid = 985;
+ };
+ services.mastodon = {
+ enable = true;
+ configureNginx = false;
+ localDomain = "social.chvp.be";
+ enableUnixSocket = true;
+
+ database.createLocally = true;
+ redis.createLocally = true;
+ smtp = {
+ fromAddress = "social@chvp.be";
+ createLocally = false;
+ };
+ extraConfig = {
+ SMTP_OPENSSL_VERIFY_MODE = "none";
+ };
+
+ otpSecretFile = config.age.secrets."passwords/services/mastodon/otp".path;
+ secretKeyBaseFile = config.age.secrets."passwords/services/mastodon/key".path;
+ vapidPublicKeyFile = config.age.secrets."passwords/services/mastodon/vapid-public".path;
+ vapidPrivateKeyFile = config.age.secrets."passwords/services/mastodon/vapid-private".path;
+ };
+
+ age.secrets."passwords/services/mastodon/vapid-public" = {
+ file = ../../../secrets/passwords/services/mastodon/vapid-public.age;
+ owner = "mastodon";
+ };
+ age.secrets."passwords/services/mastodon/vapid-private" = {
+ file = ../../../secrets/passwords/services/mastodon/vapid-private.age;
+ owner = "mastodon";
+ };
+ age.secrets."passwords/services/mastodon/key" = {
+ file = ../../../secrets/passwords/services/mastodon/key.age;
+ owner = "mastodon";
+ };
+ age.secrets."passwords/services/mastodon/otp" = {
+ file 
= ../../../secrets/passwords/services/mastodon/otp.age;
+ owner = "mastodon";
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 449ebeeb..ecfd29c8 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -53,6 +53,11 @@ in
 "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
+ "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/mastodon/vapid-private.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/garmin2influx-env.age".publicKeys = [ lasting-integrity ] ++ users;
 "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users;
 "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users;
diff --git a/secrets/passwords/services/mastodon/key.age b/secrets/passwords/services/mastodon/key.age
new file mode 100644
index 00000000..03890ab6
Binary files /dev/null and b/secrets/passwords/services/mastodon/key.age differ
diff --git a/secrets/passwords/services/mastodon/otp.age b/secrets/passwords/services/mastodon/otp.age
new file mode 100644
index 00000000..25a0abf2
--- /dev/null
+++ b/secrets/passwords/services/mastodon/otp.age
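Review bot: `SMTP_OPENSSL_VERIFY_MODE = "none";` in `extraConfig` of the new modules/services/mastodon/default.nix switches off TLS certificate verification for Mastodon's outbound mail, so an on-path attacker between this host and the relay can read or alter confirmation and password-reset mail; since `smtp.createLocally = false;` the relay is not set up by this module, and unless it is reached over loopback the value should be `SMTP_OPENSSL_VERIFY_MODE = "peer";` or the line should carry a comment stating why skipping verification is acceptable here. The pinned `mastodon.uid = 989;` and `groups.mastodon.gid = 985;` also deserve a one-line why-comment, e.g. `# Static ids so ownership on the zdata/big-apps/mastodon dataset stays stable across rebuilds — confirm`, since the module gives no hint what they are tied to. The option declared as `lib.mkOption { default = false; example = true; }` has no `type`, so any value is accepted silently; `lib.mkEnableOption "mastodon"` would give it a bool type and a description, unless the repository's other service modules deliberately use this untyped shape.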
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ qUX3kbBrSvD0TpzPo1FSvj2Y0XgiRuB85hJWLnSLyCE +xIS82BMrKIrdwyL9WmnUXu073kDrVd/R7VACiWBiiCw +-> ssh-ed25519 s9rb8g TpqLGfeBjfK15OdnH7vWBCrwn0EbapG3joeIXi5hp18 +BuouswSPfGDMaXbpy/pC0pek66FBVBrQyFq32AxtStQ +-> ssh-ed25519 yad4VQ 2Jq/gVbABw1+xgBOYYHMqMR4N2ZQwk9xbK3/Xar55CA +IAbzT3BshmLho2psx08muvjc5ZU4DYpkmOkmHb7L+TI +-> )+G8u*-grease 4 (', `F?]U 9~.V_L +q7LbpDJis1PmlNyawx3MXxjXkrxUVBIUwoOuipvLi9TKDQ39KJxyOCIIZCIQwA +--- iQNO5W76cfj2k8NdTPqCdJHestSwPCdHDf58p8FcihA +„$!m PS1$qpf]5)8+$nlCjkXWU/nH$%Y@SX7׫7 :hW2{p= G93k?Vl>l'.$0i5k \ No newline at end of file diff --git a/secrets/passwords/services/mastodon/vapid-private.age b/secrets/passwords/services/mastodon/vapid-private.age new file mode 100644 index 00000000..83475c64 --- /dev/null +++ b/secrets/passwords/services/mastodon/vapid-private.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ dHxud0szOg7zaxwddGG1nUxCEny5jxKyQdYT7q/LGB8 +AO+kc43zv9MBwAvrq3DSSeGGYoY8gSUaN3drhNN4OWQ +-> ssh-ed25519 s9rb8g JTm3AwLa4IO+rpWKA3J7yxk0vc4TRgSjk6j07XbNlyE +RDIeGxXne8byHbbil4zUOqKa4a96Woo5JT84Ui7KFdE +-> ssh-ed25519 yad4VQ RkizLgPPmAcyLRfRNrZZ83i9k1R8tRrfyH7AuBVrEV0 +pIe3Jm7bpYEUosHQfKg7lRUZyt4Svp28yLz68XUoqlQ +-> `v$(@ ssh-ed25519 hKAFvQ CI+BwPK0Bi3U6nloqCCD2zHm18PE9R9nz/lwjymUxBs +V8Ld8sfd8TkLnQCiCmVol92WJ66+zieQvHp6sqJXyNg +-> ssh-ed25519 s9rb8g r5vaMLdo3BC/SABXlDe4Rpv+EloYcPUUvlstX7w2cRM +sXGhO1qvNd7ekeLjYvkTgowcOoyfPrLybo5/mQhf5lw +-> ssh-ed25519 yad4VQ PmFz7XS6/YHOsdtAPWK1t+FWH2uo6UEa6RdFBcDqHgE +j9rItt2NBxV3C0+/d7Q/ikfhYqPgB0ebotg9grbrjiE +-> A7t.]-grease +VAC5XDxwmwsyufHKAMzR903+xqeBzw +--- g7TlBRUIxwFAlbYfZQguaZhJoYl/2gPlUpEZfcOmI6I +̖5,~l"Kq0 !&Y>E(]ŲW+b?-8|%{cEI)CUe+vZeФ{1K=DyNvV:j$5 \ No newline at end of file