diff --git a/modules/services/default.nix b/modules/services/default.nix
index 4fcf453..86badf5 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -30,6 +30,7 @@
     ./rss-bridge
     ./sabnzbd
     ./ssh-server
+    ./tandoor-recipes
     ./tlp
     ./transmission
     ./vikunja
diff --git a/modules/services/tandoor-recipes/default.nix b/modules/services/tandoor-recipes/default.nix
new file mode 100644
index 0000000..d78bef3
--- /dev/null
+++ b/modules/services/tandoor-recipes/default.nix
@@ -0,0 +1,79 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.tandoor-recipes;
+in
+{
+  options.my.services.tandoor-recipes = with lib; {
+    enable = mkEnableOption "Tandoor Recipes service";
+
+    port = mkOption {
+      type = types.port;
+      default = 4536;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    secretKeyFile = mkOption {
+      type = types.str;
+      example = "/var/lib/tandoor-recipes/secret-key.env";
+      description = ''
+        Secret key as an 'EnvironmentFile' (see `systemd.exec(5)`)
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.tandoor-recipes = {
+      enable = true;
+
+      port = cfg.port;
+      extraConfig =
+        let
+          tandoorRecipesDomain = "recipes.${config.networking.domain}";
+        in
+        {
+          # Use PostgreSQL
+          DB_ENGINE = "django.db.backends.postgresql";
+          POSTGRES_HOST = "/run/postgresql";
+          POSTGRES_USER = "tandoor_recipes";
+          POSTGRES_DB = "tandoor_recipes";
+
+          # Security settings
+          ALLOWED_HOSTS = tandoorRecipesDomain;
+          CSRF_TRUSTED_ORIGINS = "https://${tandoorRecipesDomain}";
+
+          # Misc
+          TIMEZONE = config.time.timeZone;
+        };
+    };
+
+    systemd.services = {
+      tandoor-recipes = {
+        after = [ "postgresql.service" ];
+
+        serviceConfig = {
+          EnvironmentFile = cfg.secretKeyFile;
+        };
+      };
+    };
+
+    # Set-up database
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "tandoor_recipes" ];
+      ensureUsers = [
+        {
+          name = "tandoor_recipes";
+          ensurePermissions."DATABASE tandoor_recipes" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+
+    my.services.nginx.virtualHosts = [
+      {
+        subdomain = "recipes";
+        inherit (cfg) port;
+      }
+    ];
+  };
+}