diff --git a/nix/home/programs/calibre-web/default.nix b/nix/home/programs/calibre-web/default.nix
new file mode 100644
index 0000000..7440c1a
--- /dev/null
+++ b/nix/home/programs/calibre-web/default.nix
@@ -0,0 +1,54 @@
+{ lib, ... }:
+{
+  services.calibre-web = {
+    enable = true;
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain}" = {
+      forceSSL = true;
+      enableACME = true;
+      # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
+      http2 = true;
+
+      extraConfig = ''
+        # Provide the ssl cert and key for the vhost
+        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+        send_timeout 100m;
+
+        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        # ssl_prefer_server_ciphers on;
+        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+        # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
+        gzip on;
+        gzip_vary on;
+        gzip_min_length 1000;
+        gzip_proxied any;
+        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
+        gzip_disable "MSIE [1-6]\.";
+
+        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+        client_max_body_size 100M;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://localhost:8083";
+      };
+    };
+  };
+}
diff --git a/secrets b/secrets
index 395f408..67d14eb 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 395f408460938255835272055b19e1102af34e32
+Subproject commit 67d14eb7be475c2ed186ca15d785940d4a46cffe