diff --git a/provision/hosts/torus/configuration.nix b/provision/hosts/torus/configuration.nix
index f85ebe42..bc4481e5 100644
--- a/provision/hosts/torus/configuration.nix
+++ b/provision/hosts/torus/configuration.nix
@@ -7,6 +7,7 @@
     ./syncthing.nix
     ./obsidian-vault.nix
     ./share.nix
+    ./tt-rss.nix
   ];
 
   nix = {
diff --git a/provision/hosts/torus/tt-rss.nix b/provision/hosts/torus/tt-rss.nix
new file mode 100644
index 00000000..d4f14a0c
--- /dev/null
+++ b/provision/hosts/torus/tt-rss.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, user, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+    ensureDatabases = ["tt_rss"];
+    ensureUsers = [
+      {
+        name = "tt_rss";
+        ensureDBOwnership = true;
+      }
+    ];
+    # type, database, user, [address], auth-method, [auth-options]
+    #authentication = ''
+    #  local all all trust
+    #'';
+  };
+  services.postgresqlBackup.enable = true;
+
+  systemd.services.tt-rss = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  services.tt-rss = {
+    enable = true;
+    virtualHost = "rss1.tstarr.us";
+    selfUrlPath = "https://rss1.tstarr.us";
+    database = {
+      type = "pgsql";
+      createLocally = false;
+      name = "tt_rss";
+      user = "tt_rss";
+      password = null;
+    };
+    singleUserMode = true;
+  };
+
+  services.nginx = {
+    virtualHosts."rss1.tstarr.us" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}