diff --git a/configuration.nix b/configuration.nix
index 0d1c8ba..d290fb4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -80,6 +80,12 @@
 matrix.enable = true;
 # The whole *arr software suite
 pirate.enable = true;
+ # Torrent client and webui
+ transmission = {
+ enable = true;
+ username = "Ambroisie";
+ password = pkgs.lib.removeSuffix "\n" (builtins.readFile ./secrets/transmission/password.txt);
+ };
 };
 programs.gnupg.agent = {
diff --git a/secrets/transmission/password.txt b/secrets/transmission/password.txt
new file mode 100644
index 0000000..b1b7c2a
Binary files /dev/null and b/secrets/transmission/password.txt differ
diff --git a/services/default.nix b/services/default.nix
index 879afae..7edb7a7 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -8,5 +8,6 @@
 ./media.nix
 ./nginx.nix
 ./pirate.nix
+ ./transmission.nix
 ];
 }
diff --git a/services/media.nix b/services/media.nix
index 4f733fd..2b5da27 100644
--- a/services/media.nix
+++ b/services/media.nix
@@ -3,7 +3,7 @@
 { config, lib, ... }:
 let
 needed = with config.my.services;
- jellyfin.enable || pirate.enable;
+ jellyfin.enable || pirate.enable || transmission.enable;
 in
 {
 config.users.groups.media = lib.mkIf needed { };
diff --git a/services/transmission.nix b/services/transmission.nix
new file mode 100644
index 0000000..1e4871b
--- /dev/null
+++ b/services/transmission.nix
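Review bot: In the configuration.nix hunk, `builtins.readFile ./secrets/transmission/password.txt` turns the RPC password into a plain string at evaluation time, so wherever the module renders it (services/transmission.nix assigns it to `rpc-password`) it is likely to end up in the world-readable Nix store, readable by any local user and carried along with any copy of the system closure. Prefer passing a path that is read when the service starts, e.g. a `passwordFile` option pointing at a file outside the store, wired to the upstream module's `credentialsFile` if the pinned nixpkgs provides it. The secret is committed as a binary blob, which suggests it is encrypted in the repository; that protection ends once the file is read during evaluation.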
@@ -0,0 +1,72 @@
+# Small seedbox setup.
+#
+# Inspired by [1]
+#
+# [1]: https://github.com/delroth/infra.delroth.net/blob/master/roles/seedbox.nix
+{ config, lib, ... }:
+let
+ cfg = config.my.services.transmission;
+
+ domain = config.networking.domain;
+ webuiDomain = "transmission.${domain}";
+
+ transmissionRpcPort = 9091;
+ transmissionPeerPort = 30251;
+
+ downloadBase = "/data/downloads/"; # NOTE: to be excluded from backups
+in
+{
+ options.my.services.transmission = with lib; {
+ enable = mkEnableOption "Transmission torrent client";
+ username = mkOption {
+ type = types.str;
+ default = "Ambroisie";
+ example = "username";
+ description = "Name of the transmission RPC user";
+ };
+ password = mkOption {
+ type = types.str;
+ example = "password";
+ description = "Password of the transmission RPC user";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.transmission = {
+ enable = true;
+ group = "media";
+
+ settings = {
+ download-dir = "${downloadBase}/complete";
+ incomplete-dir = "${downloadBase}/incomplete";
+
+ peer-port = transmissionPeerPort;
+
+ rpc-enabled = true;
+ rpc-port = transmissionRpcPort;
+ rpc-authentication-required = true;
+
+ rpc-username = cfg.username;
+ rpc-password = cfg.password; # Insecure, but I don't care.
+
+ # Proxied behind Nginx.
+ rpc-whitelist-enabled = true;
+ rpc-whitelist = "127.0.0.1";
+ };
+ };
+
+ # Default transmission webui, I prefer combustion but its development
+ # seems to have stalled
+ services.nginx.virtualHosts."${webuiDomain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ locations."/".proxyPass = "http://localhost:${toString transmissionRpcPort}";
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ transmissionPeerPort ];
+ allowedUDPPorts = [ transmissionPeerPort ];
+ };
+ };
+}
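Review bot: The RPC listener in `settings` is restricted only by `rpc-whitelist = "127.0.0.1"`; no `rpc-bind-address` is set, so Transmission presumably keeps its default of listening on every interface and depends on the whitelist and the firewall to keep port 9091 private. Adding `rpc-bind-address = "127.0.0.1";` would make the "Proxied behind Nginx" assumption hold even if the firewall rules change later. The proxy target `http://localhost:${toString transmissionRpcPort}` may resolve to `::1`, which an IPv4-only whitelist does not cover, so spelling it `http://127.0.0.1:${toString transmissionRpcPort}` keeps the proxy and the whitelist in agreement. As a style point, `downloadBase` already ends in a slash, so `"${downloadBase}/complete"` and `"${downloadBase}/incomplete"` produce a double slash; drop the trailing slash from the binding.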