diff --git a/secrets b/secrets
index 9932067..d9d7540 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 99320671a569ce4fe29839cfd92a2de71e240dd7
+Subproject commit d9d7540399675cb1370664bac370312cc657deef
diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix
index 767d809..1233802 100644
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -16,6 +16,7 @@ in {
     ./names.nix
     ./nextcloud.nix
     ./radio-news.nix
+    ./onlyoffice.nix
     ./retiolum-map.nix
     ./tarot.nix
     ./tt-rss.nix
diff --git a/systems/makanek/onlyoffice.nix b/systems/makanek/onlyoffice.nix
new file mode 100644
index 0000000..3f5a594
--- /dev/null
+++ b/systems/makanek/onlyoffice.nix
@@ -0,0 +1,31 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  services.onlyoffice = {
+    enable = true;
+    port = 8111;
+    hostname = "onlyoffice.kmein.de";
+    jwtSecretFile = config.age.secrets.onlyoffice-key.path;
+  };
+
+  age.secrets.onlyoffice-key = {
+    file = ../../secrets/onlyoffice-jwt-key.age;
+    owner = "onlyoffice";
+  };
+
+  systemd.services.onlyoffice-docservice.serviceConfig.ExecStartPre = [
+    # otherwise this leads to nginx
+    # open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/data/conv_check_1138411943_docx/output.docx" failed (13: Permission denied)
+    # and mysterious 403 errors
+    (pkgs.writers.writeDash "make-reachable" ''
+      chmod a+x /var/lib/onlyoffice/documentserver/
+    '')
+  ];
+
+  services.nginx.virtualHosts.${config.services.onlyoffice.hostname} = {
+    enableACME = true;
+    forceSSL = true;
+  };
+}