diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 7bae122..ef6ba9a 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -8,12 +8,13 @@
 ...
 }: let
 adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}";
- nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}";
 giteadomain = "git.${config.secrets.secrets.global.domains.web}";
- vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
- paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}";
 immichdomain = "immich.${config.secrets.secrets.global.domains.web}";
+ nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}";
 ollamadomain = "ollama.${config.secrets.secrets.global.domains.web}";
+ paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}";
+ ttrssdomain = "rss.${config.secrets.secrets.global.domains.web}";
+ vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
 ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4;
 in {
 services.nginx = {
@@ -145,6 +146,22 @@ in {
 '';
 };
+ upstreams.tt-rss = {
+ servers."${ipOf "ttrss"}:80" = {};
+
+ extraConfig = ''
+ zone tt-rss 64k ;
+ keepalive 5 ;
+ '';
+ };
+ virtualHosts.${ttrssdomain} = {
+ forceSSL = true;
+ useACMEHost = "web";
+ locations."/".proxyPass = "http://tt-rss";
+ extraConfig = ''
+ '';
+ };
+
 upstreams.nextcloud = {
 servers."${ipOf "nextcloud"}:80" = {};
@@ -248,6 +265,7 @@ in {
 // mkContainer "vaultwarden" {}
 // mkContainer "ddclient" {}
 // mkContainer "ollama" {}
+ // mkContainer "ttrss" {}
 // mkContainer "nextcloud" {
 enablePanzer = true;
 }
diff --git a/hosts/elisabeth/secrets/ttrss/host.pub b/hosts/elisabeth/secrets/ttrss/host.pub
new file mode 100644
index 0000000..bb7bc1c
--- /dev/null
+++ b/hosts/elisabeth/secrets/ttrss/host.pub
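Review bot: In hosts/elisabeth/guests.nix, the new `virtualHosts.${ttrssdomain}` sets only `locations."/".proxyPass = "http://tt-rss"`, so unless forwarded headers are enabled elsewhere (not visible in this hunk) the guest receives Host `tt-rss` over plain HTTP while tt-rss itself is configured with an `https://` self URL. Confirm that `services.nginx.recommendedProxySettings = true;` is in effect, or set `locations."/".recommendedProxySettings = true;` on this vhost. The trailing `extraConfig = '' '';` is empty and can be dropped. The hop from the proxy to `${ipOf "ttrss"}:80` is unencrypted, so login cookies cross the private subnet in clear; a one-line comment saying this is accepted for the internal network would help the next reader.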
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAr7ezOf0v2GMMA1LgMbneaWv4S7vQzH6fq1qbSu/Xwa
diff --git a/modules/config/default.nix b/modules/config/default.nix
index e542515..2795723 100644
--- a/modules/config/default.nix
+++ b/modules/config/default.nix
@@ -14,7 +14,6 @@
 ./system.nix
 ./users.nix
 ./xdg.nix
- ./usbguard.nix
 ../../users/root
diff --git a/modules/config/users.nix b/modules/config/users.nix
index e803184..a7f9d56 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -26,6 +26,7 @@
 redis-paperless = uidGid 216;
 microvm = uidGid 217;
 maddy = uidGid 218;
+ tt_rss = uidGid 219;
 paperless = uidGid 315;
 systemd-oom = uidGid 300;
 systemd-coredump = uidGid 301;
diff --git a/modules/services/ttrss.nix b/modules/services/ttrss.nix
new file mode 100644
index 0000000..ec93a78
--- /dev/null
+++ b/modules/services/ttrss.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ networking.firewall.allowedTCPPorts = [80];
+ services.tt-rss = {
+ enable = true;
+ logDestination = "syslog";
+ selfUrlPath = "https://rss.lel.lol";
+ virtualHost = "rss.lel.lol";
+ themePackages = [
+ pkgs.tt-rss-theme-feedly
+ ];
+ auth = {
+ autoLogin = false;
+ autoCreate = false;
+ };
+ };
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/postgresql/";
+ user = "postgres";
+ group = "postgres";
+ mode = "750";
+ }
+ {
+ inherit (config.services.tt-rss) user;
+ directory = config.services.tt-rss.root;
+ group = config.services.tt-rss.user;
+ mode = "0750";
+ }
+ ];
+}
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 7af5554..4278352 100644
Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ
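Review bot: In modules/services/ttrss.nix, `virtualHost` and `selfUrlPath` hard-code `rss.lel.lol`, although guests.nix builds the same name from the encrypted `config.secrets.secrets.global.domains.web`; this puts the domain into the repository in clear text and lets the two definitions drift apart. If that secret is readable inside the guest (not visible here), prefer `virtualHost = "rss.${config.secrets.secrets.global.domains.web}";` and `selfUrlPath = "https://${config.services.tt-rss.virtualHost}";`. `networking.firewall.allowedTCPPorts = [80];` opens the port on every interface of the guest, so if only the reverse proxy should reach it an interface-scoped rule would be tighter. The two persistence entries also spell the mode differently (`"750"` and `"0750"`); pick one form.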