diff --git a/secrets b/secrets
index 0e94e9e..9efd6ac 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 0e94e9e2ef8c6a4b208a1442b84453328ff9f9a7
+Subproject commit 9efd6ac7e107cae1f304e64748b041e6dfd20812
diff --git a/secrets.txt b/secrets.txt
index 8af8734..e0eba1e 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -24,6 +24,7 @@ secrets/kabsa-specus-privateKey.age
 secrets/kabsa-syncthing-cert.age
 secrets/kabsa-syncthing-key.age
 secrets/kfm-password.age
+secrets/ledger-basicAuth.age
 secrets/makanek-retiolum-privateKey-ed25519.age
 secrets/makanek-retiolum-privateKey-rsa.age
 secrets/makanek-specus-privateKey.age
diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix
index 297563e..aa18d38 100644
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -11,6 +11,7 @@ in {
 ./matomo.nix
 ./radio.nix
 ./panoptikon.nix
+ ./ledger.nix
 ../../configs/monitoring.nix
 ../../configs/tor.nix
 ../../configs/save-space.nix
diff --git a/systems/ful/ledger.nix b/systems/ful/ledger.nix
new file mode 100644
index 0000000..33e4b9c
--- /dev/null
+++ b/systems/ful/ledger.nix
@@ -0,0 +1,54 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.hledger-web = {
+ enable = true;
+ capabilities = {
+ add = true;
+ view = true;
+ manage = false;
+ };
+ serveApi = false; # serve only the JSON API
+ baseUrl = "https://ledger.kmein.de";
+ journalFiles = [
+ "privat.journal"
+ ];
+ };
+
+ systemd.services.hledger-backup = {
+ enable = true;
+ startAt = "hourly";
+ wants = ["network-online.target"];
+ wantedBy = ["multi-user.target"];
+ script = ''
+ ${pkgs.git}/bin/git config user.name "hledger-web"
+ ${pkgs.git}/bin/git config user.email "hledger-web@${config.networking.hostName}"
+ ${pkgs.git}/bin/git commit -am $(date -Ih)
+ ${pkgs.git}/bin/git pull --rebase
+ ${pkgs.git}/bin/git push
+ '';
+ serviceConfig = {
+ User = "hledger";
+ Group = "hledger";
+ WorkingDirectory = config.services.hledger-web.stateDir;
+ };
+ };
+
+ age.secrets = {
+ ledger-basicAuth = {
+ file = ../../secrets/ledger-basicAuth.age;
+ owner = "nginx";
+ group = "nginx";
+ mode = "400";
+ };
+ };
+
+ services.nginx.virtualHosts."ledger.kmein.de" = {
+ enableACME = true;
+ basicAuthFile = config.age.secrets.ledger-basicAuth.path;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hledger-web.port}";
+ };
+}
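Review bot: In the `hledger-backup` script, `git commit -am $(date -Ih)` exits non-zero whenever the journal is unchanged, and because NixOS normally runs a unit's `script` under `set -e`, the unit would then fail for that hour and skip `git pull --rebase` and `git push`. Commit only when there is something to commit, e.g. `${pkgs.git}/bin/git diff --quiet HEAD || ${pkgs.git}/bin/git commit -am "$(date -Ih)"`. The unit also lists `wants = ["network-online.target"]` without a matching `after = ["network-online.target"];`, so nothing orders the pull/push behind the network at boot. The hunk does not show how the `hledger` user authenticates to the remote that receives the private journal; if that is a key in `stateDir`, it would be worth declaring it under `age.secrets` like `ledger-basicAuth`. Separately, the comment on `serveApi = false;` reads as if API-only mode were on; something like `# false: serve the web UI as well as the JSON API` matches the value.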