diff --git a/modules/networking.nix b/modules/networking.nix
index e2bb0a8..03aa72a 100755
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -21,4 +21,11 @@
     address = "10.0.201.1";
     interface = "enp2s0";
   };
+
+  security.acme = {
+    acceptTerms = true;
+    certs = {
+      defaults.email = "admin@spoodythe.one";
+    };
+  };
 }
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
new file mode 100644
index 0000000..9dd25ff
--- /dev/null
+++ b/services/jellyfin.nix
@@ -0,0 +1,52 @@
+{ pkgs, ... }:
+let
+  host = "127.0.0.1";
+  port = 8096;
+in
+{
+  # Enable VAAPI
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver
+      vaapiVdpau
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      vpl-gpu-rt # QSV on 11th gen or newer
+    ];
+  };
+
+  # Enable Jellyfin
+  services.jellyfin = {
+    enable = true;
+    openFirewall = false;
+  };
+
+  # Route subdomain traffic to jellyfin
+  # services.caddy.virtualHosts."jf.spoodythe.one" = {
+  #   enable = true;
+  #   extraConfig = ''
+  #     reverse_proxy * ${host}:${toString port}
+  #   '';
+  # };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."media.spoodythe.one" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://${host}:${toString port}";
+      };
+    };
+  };
+
+}