diff --git a/machines/yuzuru/configuration.nix b/machines/yuzuru/configuration.nix
index cf78039..fc458ec 100644
--- a/machines/yuzuru/configuration.nix
+++ b/machines/yuzuru/configuration.nix
@@ -9,6 +9,7 @@
 ./services/libreddit.nix
 ./services/nitter.nix
 ./services/sbruder.xyz
+ ./services/schabernack.nix
 ];
 
 sbruder = {
diff --git a/machines/yuzuru/services/schabernack.nix b/machines/yuzuru/services/schabernack.nix
new file mode 100644
index 0000000..58947fe
--- /dev/null
+++ b/machines/yuzuru/services/schabernack.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+ domain = "schulischer-schabernack.de";
+in
+{
+ services.nginx = {
+ commonHttpConfig = ''
+ # privacy-aware log format
+ log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';
+
+ # anonymise ip address
+ map $remote_addr $remote_addr_schabernack {
+ ~(?P\d+\.\d+)\. $ip.0.0;
+ ~(?P[^:]+:[^:]+): $ip::;
+ default 0.0.0.0;
+ }
+ '';
+
+ virtualHosts = {
+ ${domain} = {
+ forceSSL = true;
+ enableACME = true;
+
+ root = "/var/www/schabernack/production";
+
+ # only log page views, rss feed access, media file download and embed views
+ extraConfig = ''
+ location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ {
+ access_log /var/log/nginx/schabernack.log schabernack;
+ }
+ '';
+ };
+ "www.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ globalRedirect = domain;
+
+ extraConfig = ''
+ access_log off;
+ '';
+ };
+ "staging.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ root = "/var/www/schabernack/staging";
+
+ extraConfig = ''
+ access_log off;
+ '';
+ };
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/www/schabernack/production 0755 schabernack root -"
+ "d /var/www/schabernack/staging 0755 schabernack root -"
+ ];
+
+ users = {
+ users.schabernack = {
+ isSystemUser = true;
+ group = "schabernack";
+ shell = "/bin/sh";
+
+ openssh.authorizedKeys.keys = map
+ (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/schabernack/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
+ config.sbruder.pubkeys.trustedKeys;
+ };
+ groups.schabernack = { };
+ };
+}
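Review bot: The `location ~` regex in the production vhost's extraConfig anchors only its last alternative and wraps `\.podlove.json` in an extra `\.`, so `index\.html` and `rss\.xml` match anywhere in the URI while a path ending in `episode.podlove.json` would only match with a double dot and so never gets logged; grouping the alternation fixes both: `location ~ (index\.html|rss\.xml|\.(opus|m4a|ogg|mp3)|\.podlove\.json)$ {`. In the `map` block the two patterns read `(?P\d+\.\d+)` and `(?P[^:]+:[^:]+)` here, which PCRE would reject as a syntax error; the group name (`?P<ip>`) looks like it was stripped when the page was rendered, so this is probably an artefact rather than a defect in the commit, but it is worth confirming against the file since `$ip` is what the replacement values rely on. The forced command `rrsync -wo /var/www/schabernack/` with the `no-*` options is a sound least-privilege choice for the upload path, but it gives every key in `config.sbruder.pubkeys.trustedKeys` the same write scope over both production and staging, and nginx will serve whatever lands there (including symlinks, unless `disable_symlinks` is set); a short comment above `users.schabernack` stating that the account exists only for rsync deployment and naming that trust boundary would make the intent clear to the next maintainer.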