diff --git a/flake.lock b/flake.lock
index 9e61219..65b8f04 100644
--- a/flake.lock
+++ b/flake.lock
@@ -175,11 +175,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1744174375,
-        "narHash": "sha256-oxI9TLgnQbQ/WL0tIwVSIooLbXq4PW1QUhf5aQmXFgk=",
+        "lastModified": 1744777043,
+        "narHash": "sha256-O6jgTxz9BKUiaJl03JsVHvSjtCOC8gHfDvC2UCfcLMc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ef3a956f697525883b77192cbe208233ea0f8f79",
+        "rev": "7a6f7f4c1c69eee05641beaa40e7f85da8e69fb0",
         "type": "github"
       },
       "original": {
diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
index 425756c..b3812b4 100644
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -81,6 +81,7 @@ in
   "pyload/credentials.age".publicKeys = all;
 
   "servarr/autobrr/session-secret.age".publicKeys = all;
+  "servarr/cross-seed/configuration.json.age".publicKeys = all;
 
   "sso/auth-key.age" = {
     owner = "nginx-sso";
diff --git a/hosts/nixos/porthos/secrets/servarr/cross-seed/configuration.json.age b/hosts/nixos/porthos/secrets/servarr/cross-seed/configuration.json.age
new file mode 100644
index 0000000..e9af03f
Binary files /dev/null and b/hosts/nixos/porthos/secrets/servarr/cross-seed/configuration.json.age differ
diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix
index 561da27..96f15d3 100644
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@@ -148,6 +148,9 @@ in
       autobrr = {
         sessionSecretFile = secrets."servarr/autobrr/session-secret".path;
       };
+      cross-seed = {
+        secretSettingsFile = secrets."servarr/cross-seed/configuration.json".path;
+      };
       # ... But not Lidarr because I don't care for music that much
       lidarr = {
         enable = false;
diff --git a/modules/nixos/services/servarr/autobrr.nix b/modules/nixos/services/servarr/autobrr.nix
index 398e878..c3370cb 100644
--- a/modules/nixos/services/servarr/autobrr.nix
+++ b/modules/nixos/services/servarr/autobrr.nix
@@ -40,6 +40,7 @@ in
     my.services.nginx.virtualHosts = {
       autobrr = {
         inherit (cfg) port;
+        websocketsLocations = [ "/api" ];
       };
     };
 
diff --git a/modules/nixos/services/servarr/cross-seed.nix b/modules/nixos/services/servarr/cross-seed.nix
new file mode 100644
index 0000000..74f216a
--- /dev/null
+++ b/modules/nixos/services/servarr/cross-seed.nix
@@ -0,0 +1,96 @@
+# Automatic cross-seeding for video media
+{ config, lib, ... }:
+let
+  cfg = config.my.services.servarr.cross-seed;
+in
+{
+  options.my.services.servarr.cross-seed = with lib; {
+    enable = mkEnableOption "cross-seed daemon" // {
+      default = config.my.services.servarr.enableAll;
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 2468;
+      example = 8080;
+      description = "Internal port for daemon";
+    };
+
+    linkDirectory = mkOption {
+      type = types.str;
+      default = "/data/downloads/complete/links";
+      example = "/var/lib/cross-seed/links";
+      description = "Link directory";
+    };
+
+    secretSettingsFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/cross-seed-secrets.json";
+      description = ''
+        File containing secret settings.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.cross-seed = {
+      enable = true;
+      group = "media";
+
+      # Rely on recommended defaults for tracker snatches etc...
+      useGenConfigDefaults = true;
+
+      settings = {
+        inherit (cfg) port;
+        host = "127.0.0.1";
+
+        # Inject torrents to client directly
+        action = "inject";
+        # Query the client for torrents to match
+        useClientTorrents = true;
+        # Use hardlinks
+        linkType = "hardlink";
+        # Use configured link directory
+        linkDirs = [ cfg.linkDirectory ];
+        # Match as many torrents as possible
+        matchMode = "partial";
+        # Cross-seed full season if at least 50% of episodes are already downloaded
+        seasonFromEpisodes = 0.5;
+      };
+
+      settingsFile = cfg.secretSettingsFile;
+    };
+
+    systemd.services.cross-seed = {
+      serviceConfig = {
+        # Loose umask to make cross-seed links readable by `media`
+        UMask = "0002";
+      };
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      cross-seed = {
+        inherit (cfg) port;
+      };
+    };
+
+    services.fail2ban.jails = {
+      cross-seed = ''
+        enabled = true
+        filter = cross-seed
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/cross-seed.conf".text = ''
+        [Definition]
+        failregex = ^.*Unauthorized API access attempt to .* from <HOST>$
+        journalmatch = _SYSTEMD_UNIT=cross-seed.service
+      '';
+    };
+  };
+}
diff --git a/modules/nixos/services/servarr/default.nix b/modules/nixos/services/servarr/default.nix
index 409fcdc..dca57cf 100644
--- a/modules/nixos/services/servarr/default.nix
+++ b/modules/nixos/services/servarr/default.nix
@@ -7,6 +7,7 @@
   imports = [
     ./autobrr.nix
     ./bazarr.nix
+    ./cross-seed.nix
     ./jackett.nix
     ./nzbhydra.nix
     ./prowlarr.nix
diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix
index ac8b24d..16d51e3 100644
--- a/modules/nixos/services/transmission/default.nix
+++ b/modules/nixos/services/transmission/default.nix
@@ -65,6 +65,8 @@ in
         # Proxied behind Nginx.
         rpc-whitelist-enabled = true;
         rpc-whitelist = "127.0.0.1";
+
+        umask = "002"; # To go with `downloadDirPermissions`
       };
     };