diff --git a/machines/nunotaba/configuration.nix b/machines/nunotaba/configuration.nix
index 51775fa..f6c309d 100644
--- a/machines/nunotaba/configuration.nix
+++ b/machines/nunotaba/configuration.nix
@@ -12,6 +12,7 @@
 gpu.intel.enable = true;
 gui.enable = true;
 libvirt.enable = true;
+ media-proxy.enable = true;
 restic.enable = true;
 ssd.enable = true;
 wireguard.home = {
diff --git a/machines/sayuri/configuration.nix b/machines/sayuri/configuration.nix
index 42da341..17a57a9 100644
--- a/machines/sayuri/configuration.nix
+++ b/machines/sayuri/configuration.nix
@@ -12,6 +12,7 @@
 gpu.amd.enable = true;
 gui.enable = true;
 libvirt.enable = true;
+ media-proxy.enable = true;
 restic = {
 enable = true;
 extraPaths = [
diff --git a/modules/default.nix b/modules/default.nix
index d911241..3e35355 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -17,7 +17,9 @@
 ./grub.nix
 ./libvirt.nix
 ./locales.nix
+ ./media-proxy.nix
 ./network-manager.nix
+ ./nginx.nix
 ./office.nix
 ./prometheus/node_exporter.nix
 ./pubkeys.nix
diff --git a/modules/media-proxy.nix b/modules/media-proxy.nix
new file mode 100644
index 0000000..8283dd7
--- /dev/null
+++ b/modules/media-proxy.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+let
+ port = 8888;
+ services = {
+ "media" = ;
+ "scan" = ;
+ "torrent" = ;
+ };
+in
+{
+ options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
+
+ config.services.nginx = lib.mkIf config.sbruder.media-proxy.enable {
+ enable = true;
+ secrets = builtins.attrValues services;
+ virtualHosts.media-proxy = {
+ serverName = "localhost";
+ listen = [
+ { inherit port; addr = "127.0.0.1"; }
+ { inherit port; addr = "[::1]"; }
+ ];
+ locations = {
+ "/".extraConfig = ''
+ rewrite ^/__assets/(.*)$ /media/__assets/$1;
+ '';
+ } // lib.mapAttrs'
+ (name: secret: {
+ name = "/${name}/";
+ value = {
+ proxyPass = "https://${name}.sbruder.de/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ include /run/nginx/secrets/${lib.last (lib.splitString "/" (toString secret))};
+ charset utf-8;
+ '';
+ };
+ })
+ services;
+ };
+ };
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..383b113
--- /dev/null
+++ b/modules/nginx.nix
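Review bot: Each generated location forwards whatever the included secret file adds to the request (the `services` values look stripped in this rendering, but they are `include`d into every proxied location, presumably as credentials) to `https://${name}.sbruder.de/` without verifying the upstream certificate, because nginx's `proxy_ssl_verify` is off by default, so a spoofed upstream would receive those credentials. Turn verification on in the same `extraConfig` and pin SNI to the target host, as below; `pkgs` is already an argument of this module and otherwise unused. Separately, the proxy listens on `127.0.0.1:8888` and `[::1]:8888` with no `allow`/`deny`, so any local user or process on these hosts can drive the credentialed upstreams through it; a unix socket with filesystem permissions, or at least a comment above `listen` stating that loopback-only is the intended trust boundary, would make that explicit.
```nix
extraConfig = ''
  proxy_buffering off;
  # credentials from the included secret are sent to this upstream: verify its certificate
  proxy_ssl_server_name on;
  proxy_ssl_name ${name}.sbruder.de;
  proxy_ssl_verify on;
  proxy_ssl_trusted_certificate ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;
  include /run/nginx/secrets/${lib.last (lib.splitString "/" (toString secret))};
  charset utf-8;
'';
```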
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+let
+ cfg = config.services.nginx;
+in
+{
+ options.services.nginx.secrets = lib.mkOption {
+ type = with lib.types; listOf (either str path);
+ default = [ ];
+ description = "Secrets to be copied to `/run/nginx/secrets/`";
+ };
+
+ config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {
+ services = {
+ nginx-secrets = {
+ description = "Secrets for nginx";
+ wantedBy = [ "nginx.service" ];
+ partOf = [ "nginx.service" ];
+ serviceConfig.Type = "oneshot";
+
+ script = ''
+ rm -rf /run/nginx/secrets
+ install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets
+ '' + lib.concatStrings (map
+ (secret: ''
+ install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets
+ '')
+ cfg.secrets);
+ };
+ nginx.after = [ "nginx-secrets.service" ];
+ };
+ paths.nginx-secrets = {
+ wantedBy = [ "nginx-secrets.service" ];
+ partOf = [ "nginx-secrets.service" ];
+ pathConfig = {
+ PathModified = "/var/src/secrets";
+ Unit = "nginx-secrets.service";
+ };
+ };
+ };
+}
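Review bot: The `nginx-secrets` path unit re-copies the files whenever `/var/src/secrets` changes, but nothing reloads nginx afterwards, and because the copies are consumed by `include` when the configuration is parsed, a rotated or revoked secret keeps being used until the next nginx restart; append `systemctl try-reload-or-restart nginx.service` as the last line of `script` (a no-op while nginx is not yet running, so the boot ordering via `nginx.after` is unaffected; `systemctl` is on the default unit PATH on NixOS, the same way `install` and `rm` are relied on here). The `rm -rf` followed by per-file `install` also leaves a window in which a concurrent nginx reload fails on the missing include, which is acceptable for a oneshot but worth a one-line comment above `rm -rf`. Two further nits in the same script: `${toString secret}` is interpolated into the shell unquoted, so `${lib.escapeShellArg (toString secret)}` is the safer form, and two secrets sharing a basename silently overwrite each other in `/run/nginx/secrets`, which deserves an assertion or at least a sentence in the option `description`.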