diff --git a/home/jokke/default.nix b/home/jokke/default.nix
index 70e5d16..b8e5c5f 100644
--- a/home/jokke/default.nix
+++ b/home/jokke/default.nix
@@ -24,6 +24,9 @@
       darktable
       openscad
       shutter
+      hledger
+      hledger-ui
+      hledger-iadd
     ];
 
     gnome.profilePicture = ../assets/profile-pictures/jokke.png;
diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix
index e0bb5e4..b53bc01 100644
--- a/hosts/freun-dev/secrets.nix
+++ b/hosts/freun-dev/secrets.nix
@@ -41,5 +41,9 @@
         file = ../../secrets/hastebin-tokens.age;
         owner = if (config.services.hastebin.enable) then config.users.users.hastebin.name else "root";
       };
+      hledger-basic-auth = {
+        file = ../../secrets/hledger-basic-auth.age;
+        owner = if (config.services.hledger-web.enable) then "nginx" else "root";
+      };
     };
 }
diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index 606cc5e..d075c2a 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
@@ -375,5 +375,17 @@ in
       enable = true;
       subdomain = "irc";
     };
+
+    hledger-web = {
+      enable = true;
+      subdomain = "ledger";
+      stateDir = "${syncthingDataDir}/ledger";
+      basicAuthFile = secrets.hledger-basic-auth.path;
+      user = config.systemd.services.syncthing.serviceConfig.User;
+      group = config.systemd.services.syncthing.serviceConfig.Group;
+      journalFiles = [
+        "main.ldg"
+      ];
+    };
   };
 }
diff --git a/modules/services/default.nix b/modules/services/default.nix
index c99ab66..16ddd5d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -24,5 +24,6 @@
     ./mosquitto.nix
     ./home-assistant.nix
     ./weechat.nix
+    ./hledger-web.nix
   ];
 }
diff --git a/modules/services/hledger-web.nix b/modules/services/hledger-web.nix
new file mode 100644
index 0000000..bdec1c0
--- /dev/null
+++ b/modules/services/hledger-web.nix
@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.hledger-web;
+  fqdn = "${cfg.subdomain}.${config.networking.domain}";
+in
+{
+  options.services.hledger-web = {
+    subdomain = lib.mkOption {
+      type = lib.types.str;
+    };
+    basicAuthFile = lib.mkOption {
+      type = lib.types.path;
+    };
+    user = lib.mkOption {
+      type = lib.types.str;
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      hledger-web = {
+        allow = lib.mkDefault "edit";
+        baseUrl = "https://${fqdn}";
+      };
+
+      webserver = {
+        enable = lib.mkDefault true;
+        vHosts.${fqdn}.locations."/" = {
+          proxyPort = cfg.port;
+          basicAuthFile = cfg.basicAuthFile;
+        };
+      };
+    };
+
+    systemd.services.hledger-web.serviceConfig = {
+      User = lib.mkForce cfg.user;
+      Group = lib.mkForce cfg.group;
+    };
+  };
+}
diff --git a/modules/services/webserver.nix b/modules/services/webserver.nix
index e2848d7..5464539 100644
--- a/modules/services/webserver.nix
+++ b/modules/services/webserver.nix
@@ -13,6 +13,10 @@ let
           type = lib.types.nullOr lib.types.path;
           default = null;
         };
+        basicAuthFile = lib.mkOption {
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+        };
         extraConfig = lib.mkOption {
           type = lib.types.str;
           default = "";
@@ -91,9 +95,10 @@ in
                 proxyPort,
                 extraConfig,
                 root,
+                basicAuthFile,
               }:
               lib.mergeAttrsList [
-                { inherit extraConfig root; }
+                { inherit extraConfig root basicAuthFile; }
                 (
                   if (lib.isInt proxyPort) then
                     {
diff --git a/secrets/hledger-basic-auth.age b/secrets/hledger-basic-auth.age
new file mode 100644
index 0000000..acbd164
--- /dev/null
+++ b/secrets/hledger-basic-auth.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA gReLtbgzdbsykLo/OWs/S0CWvvUJr0B/660n5NtQO3Q
+lxP6i2EA0ZvM9ShkM7012TLs47fP+sKzOAJehgvZEoU
+-> ssh-ed25519 DFiohQ OPP2MdPUYqMuViWTiNavSyXqxfxIRMx+tMKip094ohM
+lLxrJF672ZkbY3ynX7Wrx3srJvg1gfFeynZMeIYL4II
+-> ssh-ed25519 PT7ffg v0j5GfBvjmf4qNiyVr/foSp2Zw8sJOmjikWa68yoNnI
+WwhUOPXdrrs2ezKfYaUdT0EV/b7U3267E5bpy+RGyxU
+--- v/hWe76x98rBQgOhANw5wsaE3hlCaFKYSl+x8KjnRNQ
+:bl	
�~E�3���N�"]�`�ª��c#�;�vt�=�A��)��a�/<M웮�l#�~��U
�gf������R�;<��%�:!�$)!S��ȁ�
+�4�TDA,���0'x��	�g5_]&�p��d�e��d���ԛ�s�y�������������
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b91c80c..6b292b7 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -37,4 +37,5 @@ in
   "gitlab-runner/default.age".publicKeys = users ++ [ freun-dev ];
   "gitlab-runner/docker.age".publicKeys = users ++ [ freun-dev ];
   "hetzner.age".publicKeys = users ++ [ apu ];
+  "hledger-basic-auth.age".publicKeys = users ++ [ freun-dev ];
 }