diff --git a/modules/default.nix b/modules/default.nix
index 39c58e8..5926734 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,4 +4,5 @@
   homer = import ./services/homer.nix;
   matrix-hookshot = import ./services/matrix-hookshot.nix;
   nextcloud = import ./services/nextcloud.nix;
+  yarr = import ./services/yarr.nix;
 }
diff --git a/modules/services/yarr.nix b/modules/services/yarr.nix
new file mode 100644
index 0000000..a2c02e3
--- /dev/null
+++ b/modules/services/yarr.nix
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib)
+    types mkIf mkOption mkEnableOption mkPackageOption optionalString;
+
+  cfg = config.services.yarr;
+in {
+  options.services.yarr = {
+    enable = mkEnableOption "Yet another rss reader";
+
+    package = mkPackageOption pkgs "yarr" { };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Environment file for specifying secrets.";
+    };
+
+    address = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = "Address to run server on.";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 7070;
+      description = "Port to run server on.";
+    };
+
+    baseUrl = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Base path of the service url.";
+    };
+
+    authFilePath = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description =
+        "Path to a file containing username:password. `null` means no authentication required to use the service.";
+    };
+
+    databasePath = mkOption {
+      type = types.str;
+      default = "storage.db";
+      description = "Path to the sqlite3 database file.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.yarr = {
+      description = "Yet another rss reader";
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment.XDG_CONFIG_HOME = "/var/lib/yarr/.config";
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "on-failure";
+
+        StateDirectory = "yarr";
+        StateDirectoryMode = "0700";
+        WorkingDirectory = "/var/lib/yarr";
+        EnvironmentFile = cfg.environmentFile;
+
+        LoadCredential =
+          mkIf (cfg.authFilePath != null) "authfile:${cfg.authFilePath}";
+
+        DynamicUser = true;
+        DevicePolicy = "closed";
+        LockPersonality = "yes";
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        UMask = "0077";
+
+        ExecStart = ''
+          ${lib.getExe cfg.package} \
+            -addr "${cfg.address}:${toString cfg.port}" \
+            ${optionalString (cfg.baseUrl != null) "-base ${cfg.baseUrl}"} \
+            ${
+              optionalString (cfg.authFilePath != null)
+              "-auth-file /run/credentials/yarr.service/authfile"
+            } \
+            -db "${cfg.databasePath}"
+        '';
+      };
+    };
+  };
+}