diff --git a/common/services/readeck.nix b/common/services/readeck.nix
new file mode 100644
index 0000000..be34c9e
--- /dev/null
+++ b/common/services/readeck.nix
@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) types mkEnableOption mkIf mkOption;
+
+  cfg = config.foehammer.services.readeck;
+in {
+  options.foehammer.services.readeck = {
+    enable = mkEnableOption "Enable readeck server";
+
+    port = mkOption {
+      type = lib.types.port;
+      default = 8224;
+      description = ''
+        What external port to serve over.
+      '';
+    };
+
+    envFile = mkOption {
+      type = types.nullOr types.path;
+    };
+
+    domain = mkOption {
+      type = types.str;
+      description = ''
+        Readeck's domain.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.readeck = {
+      enable = true;
+      environmentFile = cfg.envFile;
+      settings = {
+        server = {
+          port = cfg.port;
+          base_url = cfg.domain;
+        };
+        extractor = {
+          workers = 2;
+        };
+      };
+    };
+  };
+}
diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix
index 0b8e21f..6f6e1d1 100644
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@@ -10,6 +10,12 @@
       hashedPasswordFile = config.sops.secrets.admin-password.path;
     };
 
+    services.readeck = {
+      enable = true;
+      domain = "https://bookmarks.foehammer.me";
+      envFile = config.sops.secrets.readeck-env.path;
+    };
+
     services.goatcounter = {
       enable = true;
     };
diff --git a/machines/lebesgue/config/routing.nix b/machines/lebesgue/config/routing.nix
index d33c36c..4e24b00 100644
--- a/machines/lebesgue/config/routing.nix
+++ b/machines/lebesgue/config/routing.nix
@@ -18,6 +18,12 @@
           reverse_proxy :${toString config.foehammer.services.goatcounter.port}
         '';
       };
+
+      "bookmarks.foehammer.me" = {
+        extraConfig = ''
+          reverse_proxy :${toString config.foehammer.services.readeck.port}
+        '';
+      };
     };
   };
 }
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix
index f8538b9..977a673 100644
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@@ -14,6 +14,8 @@
 
       vaultwarden-env = {};
 
+      readeck-env = {};
+
       restic-env = {owner = "restic";};
       restic-password = {owner = "restic";};
       restic-repository = {owner = "restic";};
diff --git a/machines/lebesgue/config/state.nix b/machines/lebesgue/config/state.nix
index 98db9fa..25b8eaa 100644
--- a/machines/lebesgue/config/state.nix
+++ b/machines/lebesgue/config/state.nix
@@ -9,6 +9,7 @@
       "/var/log"
       "/var/lib/nixos"
       "/var/lib/docker"
+      "/var/lib/private/readeck"
       "/var/lib/authelia-main"
       "/var/lib/caddy/.local/share/caddy"
       "/var/lib/vaultwarden"
diff --git a/machines/lebesgue/secrets/main.yaml b/machines/lebesgue/secrets/main.yaml
index e7208b5..55b0814 100644
--- a/machines/lebesgue/secrets/main.yaml
+++ b/machines/lebesgue/secrets/main.yaml
@@ -4,6 +4,7 @@ vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj
 restic-password: ENC[AES256_GCM,data:Ympe5/hJxOzJp7IeJy5mZy0fMIrnV+3cWJo1uKwbHHDJ0G4TNivMNrHEdff6CjVnAbkVgjkR90z1FJOpExd+KQ==,iv:CRJaA3fTG8B/qBDkwctgma4DaGDjoyk4eX6/SynIcLE=,tag:pJW45ijV+wVTR+4IRnLcsw==,type:str]
 restic-repository: ENC[AES256_GCM,data:KkFaam8iltY9nz89sVxk4u0xZ46Sq+7UsOY/9wieASD5A2FRruou7BiudX9X4hRA2RMTctO8aqYkrg==,iv:mIZ9z7BJV9s+wSiVMnzYAWM1/zsa6C+RCK1UhSiJVxI=,tag:S7tedxcfd/UaQ5hMEYfBVQ==,type:str]
 restic-env: ENC[AES256_GCM,data:KW9ma36zmHJF3xBStpoStDRQqg34wlMJMVSYfbLSnWq26R6e6eGf3+kTVkobhn/bqL6ZYi8ctlyvDS8IOz8VveYogsqxZ7/LK62mA0d9I3xEZMG7eNQ8M1PdeZ9RqAUgFJU=,iv:RxwvZ2vNuwmUc3haK2Ub8vHk9UQhjepLCwsfIcSJg9s=,tag:Tvq2RDh8mJ3jGhmpL1uuCA==,type:str]
+readeck-env: ENC[AES256_GCM,data:0wy7B6iL25IBNpHAASa9GzN+Wc/IYPgd4LcSEggzZjBv5AC/JX35lcFOeWWXRrEAtzYw0C68Kk9O0rXhvbEDcvJyKyrTsBP498hgNb68jOqRwaZnlwJLcAA86HxSF4dUyv5Ua7zAPfXzJA4X,iv:MFar2GkvKjGnX6A3Jjy69MNEMF2uOPkrolp3/uQqzTQ=,tag:wNdOAlzsFfl2Dnt9mYVi+Q==,type:str]
 sops:
     age:
         - recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
@@ -15,8 +16,8 @@ sops:
             L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
             8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-04T21:04:47Z"
-    mac: ENC[AES256_GCM,data:fGTVTDhqVNLQJaZyBFhBEauW/Cnb/V57aHOcaeODNeA9g1oZiC3IzUkpRVnEC+gPx4KLDrBwuCk7Au/TarVpFVK+nyqcwrDgr2RsWtVDP0UQH/+8G8PkASxnMnTp/oQnvEKGAbySfGelqEQkDhbMiR7GaP99lJcIoIQ/wG87peA=,iv:+NJnPQmh6VYzDu/UoGv1YHVGfMocKMdX5XxZG6FmS90=,tag:vnHzhvOQOw0U7BwNJKA0kw==,type:str]
+    lastmodified: "2025-12-14T23:03:53Z"
+    mac: ENC[AES256_GCM,data:cRQBdfI7eQ0rN5HFzYmopLxEiLJah5MX8Bvdj7nR8gjAlnlLdh/AkktzyDRjLeC+NuikHoJV3/IPlNKtbP1WyCiwyFOF/iHo96mUOnUAuaMO8LWTHCm6eHC6oZndwiS0vDyHiar7oBhcffHKCXwIffDkSgMgWwQXxB8q/VjqqQg=,iv:pl99HOK8+XVaffo+K9iHYhOBmGQ6PuVtrcwtgLkACy8=,tag:DZrWtaUXBf6yUvsa2G4nhQ==,type:str]
     pgp:
         - created_at: "2025-02-03T18:58:54Z"
           enc: |-
@@ -30,4 +31,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: A972C2063F4F2554
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0