diff --git a/flake.nix b/flake.nix
index 4a2c9e5..eddaafa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 inputs = {
 agenix.url = "github:ryantm/agenix";
+ # alew-web.url = "git+ssh://gitea@code.kmein.de:22022/kfm/alew-web.git?ref=refs/heads/master";
 brockman.url = "github:kmein/brockman";
 coptic-dictionary.url = "github:kmein/coptic-dictionary";
 flake-utils.url = "github:numtide/flake-utils";
@@ -17,9 +18,9 @@
 nur.url = "github:nix-community/NUR";
 recht.url = "github:kmein/recht";
 retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum";
- stockholm.url = "github:krebs/stockholm";
 rust-overlay.url = "github:oxalica/rust-overlay";
 scripts.url = "github:kmein/scripts";
+ stockholm.url = "github:krebs/stockholm";
 stylix.url = "github:danth/stylix/release-24.05";
 telebots.url = "github:kmein/telebots";
 tinc-graph.url = "github:kmein/tinc-graph";
diff --git a/systems/ful/alew.nix b/systems/ful/alew.nix
new file mode 100644
index 0000000..1678f12
--- /dev/null
+++ b/systems/ful/alew.nix
@@ -0,0 +1,89 @@
+{ pkgs, config, inputs, ... }:
+let
+ postgrestPort = 3001;
+ alewPort = 3000;
+in
+{
+ systemd.services.postgrest = {
+ enable = true;
+ wantedBy = ["podman-alew.service"];
+ wants = ["postgresql.service"];
+ environment = {
+ PGRST_DB_ANON_ROLE = "alew_1";
+ PGRST_DB_SCHEMA = "alew_2022_05"; # alew_2023_09 for most recent (beta)
+ PGRST_DB_URI = "postgres://alew_1:alew_1@localhost:5432/alew";
+ PGRST_SERVER_PORT = toString postgrestPort;
+ };
+ script = "${pkgs.postgrest}/bin/postgrest";
+ serviceConfig = {
+ User = "postgres";
+ Group = "postgres";
+ };
+ };
+
+ services.nginx.virtualHosts."alew.kmein.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString alewPort}";
+ };
+ };
+
+ # deploy nuxt app using
+ # $ cd alew/web/
+ # $ rsync -rav --delete . ful:/var/lib/alew --exclude .git --exclude .nuxt --exclude node_modules
+ systemd.services.alew = {
+ enable = true;
+ wantedBy = ["multi-user.target"];
+ wants = ["postgrest.service"];
+ path = [
+ pkgs.yarn
+ pkgs.python3
+ pkgs.gcc
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.gnumake
+ ];
+ environment = {
+ NODE_OPTIONS= "--openssl-legacy-provider";
+ POSTGREST_URL = "http://localhost:${toString postgrestPort}";
+ BETA = "0";
+ PORT = toString alewPort;
+ };
+ preStart = ''
+ rsync -rav --delete ${inputs.alew-web.outPath}/ .
+ yarn install
+ yarn build
+ '';
+ script = "yarn start";
+ serviceConfig = {
+ User = "alew";
+ Group = "alew";
+ WorkingDirectory = config.users.extraUsers.alew.home;
+ };
+ };
+
+ users.extraUsers.alew = {
+ isSystemUser = true;
+ createHome = true;
+ home = "/var/lib/alew";
+ group = "alew";
+ };
+
+ users.extraGroups.alew = {};
+
+ environment.systemPackages = [pkgs.podman];
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = ["alew"];
+ ensureUsers = [
+ {
+ name = "alew";
+ ensureDBOwnership = true;
+ }
+ { name = "alew_1"; } # readonly
+ ];
+ package = pkgs.postgresql_16;
+ };
+}
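Review bot: `PGRST_DB_URI = "postgres://alew_1:alew_1@localhost:5432/alew"` writes the database password (identical to the role name) into the unit's environment, so it ends up in the repository and in the world-readable Nix store, and the same unit runs PostgREST as `User = "postgres"`, the database's administrative OS account. Since agenix is already a flake input, the URI could come from a secret file, e.g. `serviceConfig.EnvironmentFile = config.age.secrets.<secret-name>.path;` (placeholder name), with a dedicated unprivileged user for the service. Nothing in the hunk sets `PGRST_SERVER_HOST`, so PostgREST's default bind address applies (all IPv4 interfaces, as far as I know); `PGRST_SERVER_HOST = "127.0.0.1";` would keep port 3001 local, which is all the `alew` unit needs. Separately, `preStart` calls `rsync` and reads `inputs.alew-web.outPath`, but `pkgs.rsync` is not in `path` and the `alew-web` input is only added as a comment in flake.nix, so the unit looks unable to evaluate or start as written.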
diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix
index dbfcba1..bf1e6d2 100644
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -13,6 +13,7 @@ in {
 ./panoptikon.nix
 ./hledger.nix
 ./brockman.nix
+ ./alew.nix
 ../../configs/monitoring.nix
 ../../configs/tor.nix
 ../../configs/save-space.nix