diff --git a/hosts/dalinar/default.nix b/hosts/dalinar/default.nix index 4c8eef7..bab28bd 100644 --- a/hosts/dalinar/default.nix +++ b/hosts/dalinar/default.nix @@ -82,6 +82,14 @@ sops.templates."searx-env".content = '' SEARX_SECRET_KEY=${config.sops.placeholder."searx/secret_key"} ''; + sops.secrets."transmission_rpc/user" = { }; + sops.secrets."transmission_rpc/password" = { }; + sops.templates."transmission-secrets.json".content = '' + { + "rpc-username": "${config.sops.placeholder."transmission_rpc/user"}", + "rpc-password": "${config.sops.placeholder."transmission_rpc/password"}" + } + ''; i18n.defaultLocale = "en_US.UTF-8"; @@ -301,6 +309,16 @@ reverse_proxy ${config.containers.searx.localAddress}:${builtins.toString config.containers.searx.config.services.searx.settings.server.port} ''; }; + "https://lidarr.dalinar.home.johannes-rothe.de" = { + extraConfig = '' + reverse_proxy lidarr:${builtins.toString config.containers.lidarr.config.services.lidarr.settings.server.port} + ''; + }; + "https://transmission.dalinar.home.johannes-rothe.de" = { + extraConfig = '' + reverse_proxy lidarr:${builtins.toString config.containers.lidarr.config.services.transmission.settings.rpc-port} + ''; + }; "https://jellyfin.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy localhost:8096 @@ -324,6 +342,7 @@ autoStart = true; ephemeral = true; privateNetwork = true; + # privateUsers = "pick"; hostAddress = "192.168.100.2"; localAddress = "192.168.100.3"; bindMounts."/run/secrets/searx-env" = { 
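Review bot: The `sops.templates."transmission-secrets.json"` content places the raw secret values between JSON quotes, so a username or password containing `"` or `\` would render a credentials file that is invalid or parses to a different value. Nothing in the hunk escapes or constrains the values. A comment above the template would record the constraint, for example `# values are inserted verbatim into JSON strings: keep them free of " and \`.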
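Review bot: Both new vhosts address the backend by the bare name `lidarr`, whereas the searx block just above uses `config.containers.searx.localAddress`, and nothing here says why. The Transmission RPC login therefore travels as plain HTTP over whatever path that name resolves to on the host, which appears to be Tailscale judging by the comment in the container config later in this diff. A short comment on each `reverse_proxy` line would make that dependency visible, for example `# upstream is the container's Tailscale name; localAddress is not reachable while the exit node is in use`.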
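Review bot: The added `# privateUsers = "pick";` is a disabled option with no note on why it is off or what blocks turning it on. User-namespace isolation is a useful hardening step for this container, so the intent is worth keeping, but as a tracked item, for example `# TODO: enable privateUsers = "pick" once <blocking issue> is resolved`. The container definition starts and ends outside this hunk.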
@@ -351,13 +370,46 @@ enableTun = true; hostAddress = "192.168.100.4"; localAddress = "192.168.100.5"; - config = { ... }: { + bindMounts."/run/secrets/tranmission.json" = { + isReadOnly = true; + hostPath = config.sops.templates."transmission-secrets.json".path; + }; + config = { pkgs, ... }: { system.stateVersion = "24.11"; networking.useHostResolvConf = lib.mkForce false; # Required workaround for tailscale exit nodes, see https://nixos.wiki/wiki/Tailscale networking.firewall.checkReversePath = "loose"; + networking.nftables.enable = true; services.resolved.enable = true; + + # Tailscale is also used for local connectivity, since the exit node for + # some reason prevents local access services.tailscale.enable = true; + + services.transmission = { + enable = true; + openRPCPort = true; + credentialsFile = "/run/secrets/tranmission.json"; + settings = { + rpc-port = 9091; + rpc-bind-address = "0.0.0.0"; + rpc-whitelist-enabled = false; + rpc-authentication-required = true; + }; + webHome = pkgs.flood-for-transmission; + }; + # https://github.com/NixOS/nixpkgs/issues/258793 + systemd.services.transmission.serviceConfig = { + RootDirectoryStartOnly = lib.mkForce false; + RootDirectory = lib.mkForce ""; + PrivateMounts = lib.mkForce false; + PrivateUsers = lib.mkForce false; + }; + + services.lidarr = { + enable = true; + openFirewall = true; + }; }; }; diff --git a/hosts/dalinar/secrets.yaml b/hosts/dalinar/secrets.yaml index f89e692..34342ff 100644 --- a/hosts/dalinar/secrets.yaml +++ b/hosts/dalinar/secrets.yaml 
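Review bot: With `rpc-bind-address = "0.0.0.0"`, `rpc-whitelist-enabled = false` and `openRPCPort = true`, the Transmission RPC port is reachable on every interface of the container, so HTTP basic auth is the only control and the Caddy vhost is not the sole way in; `services.lidarr.openFirewall = true` does the same for Lidarr. If Caddy reaches the container over Tailscale, as the comment above `services.tailscale.enable` suggests, the ports could be scoped to that interface by replacing the two open-firewall options with `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 9091 8686 ];` (interface name and Lidarr port assumed to be the defaults). The `systemd.services.transmission.serviceConfig` overrides switch off the unit's root-directory and user-namespace sandboxing, which deserves a comment next to the issue link. The path is spelled `tranmission.json` in both `bindMounts` and `credentialsFile`; it works because the two agree, but should be corrected in both places together. The container definition starts outside this hunk.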
@@ -5,6 +5,9 @@ caddy: ionos_dns_api_key: ENC[AES256_GCM,data:boZTsuMbYRHk16VAjPu1pw6Z/dRw8PCCb0VT5KKwiofq6FydBhZ7pLEpHy/q8UfZB0AEUtKNXxrTa8R1WFFAGwad9JqC49DBNxnhxT7yDppu1x8fI0s7U5AYZHIDekTXw22N5EmUT1zzMoFPogHkLr+JPiSGVSM=,iv:pg/RlPFOanMVjaMAu4DSXC/cLgPA6quSs4e4Z50Iyf0=,tag:83md4Psn21z3HtBL0cQIyA==,type:str] searx: secret_key: ENC[AES256_GCM,data:N8rfDlmDGltQOc+dcdCP0ghGMbEcdZWmoeH2tQTphKGLKg==,iv:JMUcI3ln2rm09FSy6A382soh6oaSvOCCfq1LeeyoE9g=,tag:z5fqLlLVmRpgvMUM2NI0RA==,type:str] +transmission_rpc: + user: ENC[AES256_GCM,data:w+gjEQ==,iv:Qyp2zvUBagrMMdUMN6ghIZuGxSMEvhh2/JPXtRtBJ7Q=,tag:6rOt4Goc7n0nrIycdbquhw==,type:str] + password: ENC[AES256_GCM,data:SUTKckSWqW94eshNkysVfA==,iv:WtuyR7Y9a7lyaZ9AbJyTiVVYVbJUsxHqtRU/5T1aO/E=,tag:eyveY9/aA1EQ2JXU2NrDYg==,type:str] sops: kms: [] gcp_kms: [] @@ -29,8 +32,8 @@ sops: SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0 bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-24T21:54:24Z" - mac: ENC[AES256_GCM,data:ptQt4xit3quAJ+S+BQe2vzZz7JcfTxs5Z3kMwb6TuL7f0uX6Cr/h6HEJOu4ERIgN2hFzScDSdwW6/0XW4IepdUxTIVW5TPMpxf9QrlhBRJd8hd41jHywEubN2bvSe/a3Nm1og5v603X0/jlyqLzhOFBZCYjEKVEL7c0fWyneo+U=,iv:AkK3hPgHwCdyOmyRxzL8X5Vud38H6N+2J/XHV08klFQ=,tag:IdngdAUy7ylWIjkgMLeAJg==,type:str] + lastmodified: "2025-04-03T20:18:45Z" + mac: ENC[AES256_GCM,data:OM78015iecHNG3p5m0CCe+76dkKo7wBe+i7Crl/A58K0bomDKm8jys2yDXJU1udEaJBwhQTUadIaPFHPyMhegPrnfAMcInUQP6aD9SQVAOByi1T/BrFvT0hQClKzskSEeGwnUb+hJYSMkojhkzx5MvEnX9WDdVfAKgHbj4+QxCM=,iv:F8h2gv7F998Lh3FAXEzedsFNRDxD8bzdShTVVwLzKSU=,tag:x44SQkD4PnGhVaIx1XlBug==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4