diff --git a/flake.nix b/flake.nix index 1e0f1394..5d91b64b 100644 --- a/flake.nix +++ b/flake.nix @@ -1006,6 +1006,13 @@ ./hosts/prometheus ]; }; + + mastodon = nixosSystem' { + modules = [ + self.nixosModules.cluster-options + ./hosts/mastodon + ]; + }; }; nixosModule = self.nixosModules.c3d2; diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix new file mode 100644 index 00000000..cbd0842e --- /dev/null +++ b/hosts/mastodon/default.nix @@ -0,0 +1,51 @@ +{ zentralwerk, config, lib, pkgs, ... }: +{ + networking.hostName = "mastodon"; + c3d2.hq.statistics.enable = true; + deployment = { + mem = 4096; + vcpu = 8; + }; + + system.stateVersion = "22.11"; + + services.postgresql.enable = true; + + services.mastodon = { + enable = true; + localDomain = "c3d2.social"; + + smtp.host = "c3d2.social"; + smtp.fromAddress = "mail@c3d2.social"; + # smtp.authenticate = true; + # smtp.user = secrets.email.smtp-user; + # smtp.passwordFile = "${pkgs.runCommand "smtp-password" {} '' + # echo "${secrets.email.smtp-password}" > $out + # ''}"; + + extraConfig.WEB_DOMAIN = "c3d2.social"; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + + virtualHosts."c3d2.social" = { + root = "${config.services.mastodon.package}/public/"; + forceSSL = true; + enableACME = true; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + locations."/".tryFiles = "$uri @proxy"; + + locations."@proxy".proxyPass = "http://unix:/run/mastodon-web/web.socket"; + locations."@proxy".proxyWebsockets = true; + + locations."/api/v1/streaming/".proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + locations."/api/v1/streaming/".proxyWebsockets = true; + }; + }; + + users.groups.mastodon.members = [ config.services.nginx.user ]; +}
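Review bot: In the new hosts/mastodon/default.nix, user-uploaded media is served straight off disk through `locations."/system/".alias = "/var/lib/mastodon/public-system/";` with no response-header hardening, so an uploaded file is delivered from the c3d2.social origin with whatever type nginx derives from its name; Mastodon's distributed nginx.conf, to my recollection, pairs that location with `X-Content-Type-Options: nosniff` and a deny-all CSP precisely so uploads cannot be interpreted as HTML or script in the site's origin. Adding `locations."/system/".extraConfig = ''add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "default-src 'none'; form-action 'none'";'';` restores that (a long-lived `Cache-Control` for immutable media would fit alongside). Two smaller points: `users.groups.mastodon.members = [ config.services.nginx.user ];` grants nginx group-level read on everything under `/var/lib/mastodon`, not only `public-system/`, so it is worth confirming that the secrets the mastodon module keeps there are not group-readable. And the commented-out `smtp.passwordFile = "${pkgs.runCommand "smtp-password" {} ...}"` would, if ever re-enabled, write the SMTP password into a world-readable `/nix/store` path — when authentication is turned on, point `smtp.passwordFile` at a file deployed outside the store instead.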