diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 7ffd7b6..98328f3 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -18,6 +18,9 @@
       gts_env = {
         owner = "gotosocial";
       };
+      hedgedoc_env = {
+        owner = "hedgedoc";
+      };
       grafana_cloud_api = {
         owner = "prometheus";
         sopsFile = ../secrets.yaml;
diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml
index d2b0faa..5e5d0fe 100644
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@@ -1,5 +1,6 @@
 storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
 gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
+hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +25,8 @@ sops:
             dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
             V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-15T13:06:05Z"
-    mac: ENC[AES256_GCM,data:ArxA3+i+W2hU0mpzjPqzBA1pQdZySwJ+LVAez2PWFMsrgT4QATi+KmlWWfuPBkOq/DYafAES8lTemDeuzuQl7bWZq06g3s35C8Q3D/TDUKFF3ALEL5grSxKTVzg4Npjc2q2OIOXrIp/j83Gn1lBuyBFg0YdGkJ+b/BmDGkTbyUg=,iv:8MB/+WklLsFTnlvxLyvCK8VUMNeXtaPTGXlp9hRGzOM=,tag:VbbnQfPewNGdrPqmZJSYlA==,type:str]
+    lastmodified: "2023-12-22T08:05:27Z"
+    mac: ENC[AES256_GCM,data:CiXU49arW+3w4/Lkh4l+6VjopyP7XNCU4AmuwZmnmQ7Vv4RCt84fC6lM6o4HiCc5jB07QY+2WZ5LvWz9zgSt636UpnCMgbG1w2Lxae38fW02RHJv90rn+cyyddB5kSucr5/P5NKBOZut54Cf4zVW9BaqajpQMxe4hEOn+xXpXz8=,iv:beWRlUvb6OUOK+mUXdvpvmM8S7xK0QIkIA2Bk9QA35c=,tag:KrBXqsAdBAhtwygdEHnUqQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index e0b00bd..e5ecdcc 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -11,6 +11,21 @@ in
     domain = "vaultwarden.xinyang.life";
   };
 
+  custom.hedgedoc = {
+    enable = true;
+    caddy = true;
+    domain = "docs.xinyang.life";
+    mediaPath = "/mnt/storage/hedgedoc";
+    oidc = {
+      enable = true;
+      baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";
+      authorizationURL = "https://auth.xinyang.life/ui/oauth2";
+      tokenURL = "https://auth.xinyang.life/oauth2/token";
+      userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";
+    };
+    environmentFile = config.sops.secrets.hedgedoc_env.path;
+  };
+
   custom.prometheus = {
     enable = true;
     exporters.enable = true;
@@ -27,7 +42,7 @@ in
       fsType = "cifs";
       options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"];
     };
-  }) [ "forgejo" "gotosocial" "conduit" ] );
+  }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
 
   system.activationScripts = {
     conduit-media-link.text = ''
@@ -144,7 +159,7 @@ in
           flush_interval -1
       }
     '';
-    virtualHosts."git.xinyang.life:443".extraConfig = ''
+    virtualHosts."https://git.xinyang.life:443".extraConfig = ''
       reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
     '';
     
@@ -155,8 +170,8 @@ in
            abort
         }
     '';
-    virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
-      reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
+    virtualHosts."https://auth.xinyang.life".extraConfig = ''
+      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
           header_up Host {upstream_hostport}
           header_down Access-Control-Allow-Origin "*"
           transport http {
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index e89ad69..f963802 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -4,5 +4,6 @@
     ./restic.nix
     ./vaultwarden.nix
     ./prometheus.nix
+    ./hedgedoc.nix
   ];
-}
\ No newline at end of file
+}
diff --git a/modules/nixos/hedgedoc.nix b/modules/nixos/hedgedoc.nix
new file mode 100644
index 0000000..934420d
--- /dev/null
+++ b/modules/nixos/hedgedoc.nix
@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.custom.hedgedoc;
+in
+{
+  options = {
+    custom.hedgedoc = {
+      enable = mkEnableOption "HedgeDoc Markdown Editor";
+      domain = mkOption {
+        type = types.str;
+        default = "docs.example.com";
+        description = "Domain name of the HedgeDoc server";
+      };
+      caddy = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable Caddy as reverse proxy";
+      };
+      mediaPath = mkOption {
+        type = types.path;
+        default = /var/lib/hedgedoc/uploads;
+        description = "Directory for storing medias";
+      };
+      oidc = {
+        enable = mkEnableOption "OIDC support for HedgeDoc";
+        baseURL = mkOption {
+          type = types.str;
+        };
+        authorizationURL = mkOption {
+          type = types.str;
+        };
+        tokenURL = mkOption {
+          type = types.str;
+        };
+        userProfileURL = mkOption {
+          type = types.str;
+        };
+      };
+      environmentFile = mkOption {
+        type = types.path;
+      };
+    };
+  };
+  config = {
+    services.hedgedoc = mkIf cfg.enable {
+      enable = true;
+      environmentFile = cfg.environmentFile;
+      settings = {
+        domain = cfg.domain;
+        protocolUseSSL = cfg.caddy;
+        uploadsPath = cfg.mediaPath;
+        path = "/run/hedgedoc/hedgedoc.sock";
+        email = false;
+        allowEmailRegister = false;
+        oauth2 = mkIf cfg.oidc.enable {
+          baseURL = cfg.oidc.baseURL;
+          authorizationURL = cfg.oidc.authorizationURL;
+          tokenURL = cfg.oidc.tokenURL;
+          userProfileURL = cfg.oidc.userProfileURL;
+          userProfileEmailAttr = "email";
+          userProfileUsernameAttr = "name";
+          userProfileDisplayNameAttr = "preferred_name";
+          scope = "openid email profile";
+          clientID = "$HEDGEDOC_CLIENT_ID";
+          clientSecret = "$HEDGEDOC_CLIENT_SECRET";
+        };
+        allowAnonymous = false;
+        defaultPermission = "private";
+      };
+    };
+    services.caddy = mkIf ( cfg.enable && cfg.enable ) {
+      enable = true;
+      virtualHosts."https://${cfg.domain}".extraConfig = ''
+        reverse_proxy unix/${config.services.hedgedoc.settings.path}
+      '';
+    };
+    users.users.caddy.extraGroups = mkIf ( cfg.enable && cfg.enable ) [ "hedgedoc" ];
+
+  };
+}