diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix
index d73cdc1..2c65661 100644
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@@ -10,6 +10,9 @@ in
 adblock = {
 enable = true;
 };
+ aria = {
+ enable = true;
+ };
 # Backblaze B2 backup
 backup = {
 enable = true;
diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix
new file mode 100644
index 0000000..a31b6f6
--- /dev/null
+++ b/modules/nixos/services/aria/default.nix
@@ -0,0 +1,70 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.aria;
+in
+{
+ options.my.services.aria = with lib; {
+ enable = mkEnableOption "";
+
+ rpcPort = mkOption {
+ type = types.port;
+ default = 6800;
+ example = 8080;
+ description = "RPC port";
+ };
+
+ downloadDir = mkOption {
+ type = types.str;
+ default = "/data/downloads";
+ example = "/var/lib/transmission/download";
+ description = "Download directory";
+ };
+
+ # FIXME: secrets file
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.aria2 = {
+ enable = true;
+
+ inherit (cfg) downloadDir;
+
+ rpcListenPort = cfg.rpcPort;
+ };
+
+ # Expose DHT ports, but not RPC ports
+ networking.firewall = {
+ allowedUDPPortRanges = config.services.aria2.listenPortRange;
+ };
+
+ # Set-up media group
+ users.groups.media = { };
+
+ systemd.services.aria2 = {
+ serviceConfig = {
+ Group = lib.mkForce "media"; # Use 'media' group
+ };
+ };
+
+ my.services.nginx.virtualHosts = [
+ {
+ subdomain = "aria-rpc";
+ port = cfg.rpcPort;
+ # Proxy websockets for RPC
+ extraConfig = {
+ locations."/".proxyWebsockets = true;
+ };
+ }
+ {
+ subdomain = "aria";
+ root = "${pkgs.ariang}/share/ariang";
+ # For paranoia, don't allow anybody to use the UI unauthenticated
+ sso = {
+ enable = true;
+ };
+ }
+ ];
+
+ # FIXME: fail2ban rules
+ };
+}
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
index b27570d..3e2b3c8 100644
--- a/modules/nixos/services/default.nix
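Review bot: The `aria-rpc` virtual host proxies the aria2 RPC port without an `sso` block, and the module sets no RPC secret of its own (only `# FIXME: secrets file`), so the daemon's control endpoint is published with whatever default the upstream `services.aria2` module applies. The `sso` block on the `aria` host only guards AriaNg's static files; the RPC endpoint is what accepts download and option-change requests, and the first hunk already enables the service on porthos. I would resolve the FIXME before enabling it: add an option for a secret file that lives outside the world-readable Nix store and pass it through to `services.aria2`. If the SSO cookie is shared across subdomains (not visible in this diff), also putting `sso = { enable = true; };` on the `aria-rpc` entry would add a second layer.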
+++ b/modules/nixos/services/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./adblock
+ ./aria
 ./backup
 ./blog
 ./calibre-web