diff --git a/hosts/iron/secrets/mail-users.nix b/hosts/iron/secrets/mail-users.nix index 0046b88..bc181b7 100644 Binary files a/hosts/iron/secrets/mail-users.nix and b/hosts/iron/secrets/mail-users.nix differ diff --git a/hosts/magnesium/persistence.nix b/hosts/magnesium/persistence.nix index ed97650..5dbd5fc 100644 --- a/hosts/magnesium/persistence.nix +++ b/hosts/magnesium/persistence.nix @@ -32,6 +32,7 @@ "/var/lib/acme" "/var/lib/hedgedoc" "/var/lib/nixos" + "/var/lib/private/mealie" "/var/lib/private/ntfy-sh" { directory = "/var/lib/trilium"; diff --git a/hosts/magnesium/ports.nix b/hosts/magnesium/ports.nix index 52d3ddf..ee689c4 100644 --- a/hosts/magnesium/ports.nix +++ b/hosts/magnesium/ports.nix @@ -8,6 +8,7 @@ coturn-tls = { tcp = [ 5349 5350 ]; udp = [ 5349 5350 ]; }; forgejo-ssh.tcp = 2022; hedgedoc.tcp = 3000; + mealie.tcp = 9000; nginx-http.tcp = 80; nginx-https.tcp = 443; ntfy.tcp = 12474; diff --git a/hosts/magnesium/secrets.yaml b/hosts/magnesium/secrets.yaml index 317d48e..1187ccd 100644 --- a/hosts/magnesium/secrets.yaml +++ b/hosts/magnesium/secrets.yaml 
@@ -3,6 +3,7 @@ turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qE gitlab-runner_fablab-nea-hcloud-labsync: ENC[AES256_GCM,data:+znVO8cQxjDdhch7oUALZvt84iJmWnAx6lTM0+WGkGtaRWTCTPjgnst5waSJpw/Oysrd1PkXZKmLHyHuU7K/CHQij7sWH50G3ZcUum58klJc3dCPztlrLpDVHeSwyYiLpsqkQTfjqLPfrMkxuxBgTEVXlq2ZnFuyOGbFx9hubPxLeyQKakiW3qZWGjbFXYAps7Gl61AVdKJj3y1otX2JbCjG9x2i6FHZpl5ywwQCjKNM,iv:7v+I/oJtWDap6PNIJ4Qm3Si9dGs7a79SaMhnr/tbe1A=,tag:7jgoLtdWAEKMkWoXZ10owA==,type:str] forgejo-mail: ENC[AES256_GCM,data:eZv9dM0a06wFJaDUZjo=,iv:L32ab5k/AX8HqSACJA5w+WbzLlBijA5++Gcr2SrnYIU=,tag:ddyTXikWTMnxq86IijgyYg==,type:str] hedgedoc-session-secret: ENC[AES256_GCM,data:AYUiUF7R+5C3F5kNRL0R95e1l3Y59tIP388uY0IYCskBhR0H0XMVvyrX/gIM33Twwkc5it+fQtNPNXsbrAnoKQ==,iv:Q6pDEdFplp845/DCHutwni/g7Ch39pTCvfNs4Eh28CQ=,tag:aqVGs3iThmepT7iJusLOMA==,type:str] +mealie: ENC[AES256_GCM,data:4LlxJjDstTPZCD7Xyb+0CRkeDafP9a9oMuYDnXznINe+LrfkJGKwQIwP0B3VpeMmZ0Rwe7Tvje0ZWySFGADireb2r7TjDyASAoXJDyNNJ8byRc5Zt77zL2dp/W4xVt8WpQvwsXosjDv3NN6we831wWUrfNtp0g34YLqSU3F/9i7AaU7nVKnQ9QtJRVg5O57nhs/ZXopKOBUdiKAmxcl0hNNdQdaQX6xkDCWrV4432IOckqyqEQyd9KeCURuWeTUgPmTmnt9Cj8KkaQ39fd0LAGRjOBsKo4C4,iv:o5BPW4Wcg4KcFkJHc/mdrO4Rh+1nifxulYkF+iM3LEw=,tag:KXwDr3VHxjeHkyo23SPJgA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,8 +19,8 @@ sops: elNwdVlJS2NCWUlXcEZvZWsvZ29FRnMK/qa6Qj1yQc91PWk9tMKSyFkMfYcHIKpQ jcPmGWbpi2NPL/F0Xz2X/zQQxWzs9uzlS1VH+y8JRe1EPMYJ78NXZw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-11T15:28:59Z" - mac: ENC[AES256_GCM,data:1RnyUrbEI2JKpicmA3QV+5ob+vByahMjc4+ZpLbcMyZv/KXn02VP+OQaLm9NgPfpZmSmRgbdPNQAP4f71z/EjcceyANAhnvql3zuYgSXNp5l/IYo5UFZdWgQa14XTGO518969CDLW1zJnlkBtbtLEVlMJiQ/EraV1eNtgCr5UEU=,iv:0fLjboGiejUI9LxHW80ed+/Lf+jlN5UH7tVqfBptq0w=,tag:4Tyrqy9XwQAm0etooVBNZg==,type:str] + lastmodified: "2025-04-14T23:06:22Z" + mac: ENC[AES256_GCM,data:FSJSzA9xGKH9FBMWHPJwgbltkeRoumgpeFeftsgUWrMcc2O+sldNa/Gl1Pnmz5AwXNT5zRGv/zcnrt3lQMY+1vPrg3+DRrv5fn2OtHIZxN0cz+okqEoE40w7WLUZSyj9IESjlJKOL/nOdXf7EkXL64ZWDAZ6YKYe7JwD5oCGMOM=,iv:xKFdHYTqLCWtJFWIiZjtzJZpG1RZWPdeE1i6PQqYNsk=,tag:DfzN2iDjavGA/uEjLKZotw==,type:str] pgp: - created_at: "2025-04-08T22:53:53Z" enc: |- @@ -33,4 +34,4 @@ sops: -----END PGP MESSAGE----- fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.9.4 diff --git a/hosts/magnesium/services/default.nix b/hosts/magnesium/services/default.nix index b4fdf50..813f30c 100644 --- a/hosts/magnesium/services/default.nix +++ b/hosts/magnesium/services/default.nix @@ -4,6 +4,7 @@ ./forgejo.nix ./gitlab-runner.nix ./hedgedoc.nix + ./mealie.nix ./ntfy.nix ./public-ip-tunnel.nix ./trilium.nix diff --git a/hosts/magnesium/services/mealie.nix b/hosts/magnesium/services/mealie.nix new file mode 100644 index 0000000..5448534 --- /dev/null +++ b/hosts/magnesium/services/mealie.nix 
@@ -0,0 +1,37 @@
+{ config, ... }:
+
+let
+ domain = "mealie.jalr.de";
+ cfg = config.services.mealie;
+in
+{
+ sops.secrets.mealie = {
+ sopsFile = ../secrets.yaml;
+ };
+
+ services.mealie = {
+ enable = true;
+ credentialsFile = config.sops.secrets.mealie.path;
+ port = config.networking.ports.mealie.tcp;
+ listenAddress = "127.0.0.1";
+ settings = {
+ BASE_URL = "https://${domain}";
+ ALLOW_SIGNUP = "false";
+ SMTP_HOST = "hha.jalr.de";
+ SMTP_PORT = 465;
+ SMTP_FROM_NAME = "mealie";
+ SMTP_AUTH_STRATEGY = "TLS";
+ SMTP_FROM_EMAIL = "no-reply@jalr.de";
+ SMTP_USER = "mealie@jalr.de";
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+}
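Review bot: `SMTP_PORT = 465` is paired with `SMTP_AUTH_STRATEGY = "TLS"` in the `settings` block, and as far as I know Mealie's `TLS` strategy opens a plain connection and upgrades it with STARTTLS, whereas port 465 conventionally expects TLS from the first byte. If hha.jalr.de serves implicit TLS on that port, outgoing mail such as invitations and password resets would fail to send; the matching pairs would be `SMTP_AUTH_STRATEGY = "SSL";` with 465, or `SMTP_PORT = 587;` with `TLS`. Separately, `sops.secrets.mealie` has no `restartUnits = [ "mealie.service" ];`, so a rotated credential in secrets.yaml would not reach the running service until it is restarted by hand.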