diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix
index bb831ff..6eed4a4 100644
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -104,6 +104,12 @@ in
 host = p.hosts.actual;
 };
+ karakeep.proxy = {
+ enable = true;
+ domain = p.domains.public;
+ host = p.hosts.karakeep;
+ };
+
 searx = {
 enable = true;
 secretFile = config.age.secrets.searx-secret.path;
@@ -187,11 +193,6 @@ in
 host = "http://${p.hosts.docker}:4080";
 domain = p.domains.public;
 }
- {
- subdomain = "keep";
- host = "http://${p.hosts.docker}:3000";
- domain = p.domains.public;
- }
 {
 subdomain = "maps";
 host = "http://${p.hosts.docker}:5000";
diff --git a/hosts/hosts.nix b/hosts/hosts.nix
index 9d21097..1b887f2 100644
--- a/hosts/hosts.nix
+++ b/hosts/hosts.nix
@@ -44,6 +44,7 @@
 "firefly-iii"
 "paperless"
 "actual"
+ "karakeep"
 ];
 };
@@ -74,14 +75,14 @@
 ];
 };
- firefly-iii = {
- module = ./firefly-iii;
- tags = [
- "lxc"
- "bacco"
- "firefly-iii"
- ];
- };
+ # firefly-iii = {
+ # module = ./firefly-iii;
+ # tags = [
+ # "lxc"
+ # "bacco"
+ # "firefly-iii"
+ # ];
+ # };
 forgejo = {
 module = ./forgejo;
@@ -119,6 +120,15 @@
 ];
 };
+ karakeep = {
+ module = ./karakeep;
+ tags = [
+ "lxc"
+ "bacco"
+ "karakeep"
+ ];
+ };
+
 metrics = {
 module = ./metrics;
 tags = [
diff --git a/hosts/karakeep/default.nix b/hosts/karakeep/default.nix
new file mode 100644
index 0000000..9f33dd9
--- /dev/null
+++ b/hosts/karakeep/default.nix
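Review bot: The new `karakeep.proxy` block sets only `domain` and `host`, so the backend port and the `keep` subdomain come from the module defaults on the Caddy host; the cutover from the removed `keep` → `docker:3000` entry works only because `my.services.karakeep.port` happens to default to 3000 here, and the Karakeep machine's own `port` is never consulted by this configuration. Making both explicit next to it, e.g. `karakeep.port = 3000;` and `subdomain = "keep";` inside the proxy block, documents the mapping and survives a later port change on the backend. The attribute set this block lives in begins before the hunk.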
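Review bot: The firefly-iii host is commented out instead of deleted, leaving eight dead lines in hosts.nix that git history already preserves, and the change is unrelated to the Karakeep rollout, so it would read better as its own commit with the block removed. If the LXC is actually being retired, its recipient entry in secrets.nix and its key in ssh-keys.nix (neither touched by this diff) should go as well and the affected secrets be re-keyed, otherwise the retired machine's host key can still decrypt them — those entries are not visible here, so please confirm.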
@@ -0,0 +1,49 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+let
+ p = import ../parameters.nix;
+in
+{
+
+ age.secrets.karakeep-env = {
+ file = ../../secrets/karakeep-env.age;
+ owner = "karakeep";
+ group = "karakeep";
+ mode = "0400";
+ };
+
+ my = {
+ utils = {
+ commons.enable = true;
+ lxc-standard.enable = true;
+ };
+
+ services.karakeep = {
+ enable = true;
+ port = 3000;
+ environmentFile = config.age.secrets.karakeep-env.path;
+ extraEnvironment = {
+ NEXTAUTH_URL = "https://keep.${p.domains.public}";
+ CRAWLER_FULL_PAGE_SCREENSHOT = "true";
+ OPENAI_BASE_URL = "https://litellm.ts.${p.domains.public}";
+ INFERENCE_IMAGE_MODEL = "GPT-4o Mini";
+ INFERENCE_TEXT_MODEL = "GPT-4.1 Mini";
+ EMBEDDING_TEXT_MODEL = "text-embedding-3-small";
+ DISABLE_PASSWORD_AUTH = "true";
+ OAUTH_PROVIDER_NAME = "Authentik";
+ OAUTH_WELLKNOWN_URL = "https://auth.${p.domains.public}/application/o/karakeep/.well-known/openid-configuration";
+ };
+ };
+
+ virtualisation.proxmox.enable = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3000 ];
+
+ environment.systemPackages = with pkgs; [ ];
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/parameters.nix b/hosts/parameters.nix
index 4c73a86..f189093 100644
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@@ -36,6 +36,7 @@ in
 librenms = "librenms.${private-domain}";
 collabora = "collabora.${private-domain}";
 actual = "actual-budget.${private-domain}";
+ karakeep = "karakeep.${private-domain}";
 };
 personal = {
 username = "pazpi";
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 4bab929..2e1c71a 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -9,6 +9,7 @@
 ./forgejo-runner.nix
 ./ilpost-addict.nix
 ./immich.nix
+ ./karakeep.nix
 ./media-mgr.nix
 ./n8n.nix
 ./nextcloud.nix
diff --git a/modules/services/karakeep.nix b/modules/services/karakeep.nix
new file mode 100644
index 0000000..fc6ec19
--- /dev/null
+++ b/modules/services/karakeep.nix
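Review bot: `networking.firewall.allowedTCPPorts = [ 3000 ];` repeats the literal from `port = 3000;` a few lines above, so changing one without the other either breaks the Caddy path or leaves a stale open port; `networking.firewall.allowedTCPPorts = [ config.my.services.karakeep.port ];` keeps the two in lock-step. The rule also admits every source on every interface, while the only intended client is the Caddy host and the backend speaks plain HTTP with authentication delegated to Authentik (`DISABLE_PASSWORD_AUTH = "true"`, `OAUTH_WELLKNOWN_URL`), so restricting it to the proxy's address or interface is worth considering — the network layout is not visible here, so I cannot say which form fits. `owner = "karakeep"` on the age secret presumes the upstream `services.karakeep` module provisions a static `karakeep` user; if its units run under DynamicUser the chown during activation fails, which is worth confirming against the nixpkgs module. `environment.systemPackages = with pkgs; [ ];` is an empty placeholder and can be dropped.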
@@ -0,0 +1,94 @@
+{
+ lib,
+ config,
+ ...
+}:
+let
+ cfg = config.my.services.karakeep;
+in
+{
+
+ options.my.services.karakeep = {
+ enable = lib.mkEnableOption "Karakeep (services.karakeep)";
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 3000;
+ description = ''
+ HTTP port for the web service. Used for Caddy reverse_proxy and
+ services.karakeep.extraEnvironment.PORT unless overridden there.
+ '';
+ };
+
+ environmentFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = ''
+ Optional environment file merged into Karakeep systemd units (e.g. agenix).
+ '';
+ };
+
+ extraEnvironment = lib.mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ default = { };
+ description = ''
+ Merged into services.karakeep.extraEnvironment. PORT defaults to
+ my.services.karakeep.port but can be overridden here.
+ '';
+ };
+
+ proxy = {
+ enable = lib.mkEnableOption "Set the Caddy reverse proxy entry for this service";
+
+ domain = lib.mkOption {
+ default = "example.com";
+ type = lib.types.str;
+ description = ''
+ The domain where Caddy is reachable
+ '';
+ };
+
+ subdomain = lib.mkOption {
+ default = "keep";
+ type = lib.types.str;
+ description = ''
+ Subdomain for Karakeep
+ '';
+ };
+
+ host = lib.mkOption {
+ default = "localhost";
+ type = lib.types.str;
+ description = ''
+ Hostname where Karakeep is listening
+ '';
+ };
+
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ services.karakeep = {
+ enable = true;
+ browser.enable = true;
+ meilisearch.enable = true;
+ environmentFile = cfg.environmentFile;
+ extraEnvironment = {
+ PORT = toString cfg.port;
+ DISABLE_NEW_RELEASE_CHECK = "true";
+ }
+ // cfg.extraEnvironment;
+ };
+ })
+
+ (lib.mkIf cfg.proxy.enable {
+ services.caddy = with cfg.proxy; {
+ virtualHosts."${subdomain}.${domain}".extraConfig = ''
+ reverse_proxy http://${host}:${toString cfg.port}
+ import cloudflare_${domain}
+ '';
+ };
+ })
+ ];
+}
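Review bot: In the proxy branch, `reverse_proxy http://${host}:${toString cfg.port}` evaluates `cfg.port` on whichever machine enables `proxy` — the Caddy host — not on the Karakeep host, and the two are separate NixOS configurations, so a non-default `port` on the backend is never seen by Caddy and the `port` description's claim "Used for Caddy reverse_proxy" only holds while both sides keep the default. A `proxy.port` option defaulting to `cfg.port` makes that dependency explicit and settable where the proxy is declared. Separately, `environmentFile` is typed `nullOr path`, so a path literal such as `./karakeep.env` would be copied into the world-readable Nix store; either a string type or a warning in the description ("must be an absolute runtime path, never a path literal") would head off that footgun. The hunk is the whole file, so nothing is cut off.
```nix
      host = lib.mkOption {
        # … unchanged: default / type / description …
      };

      port = lib.mkOption {
        type = lib.types.port;
        default = cfg.port;
        description = ''
          Port Karakeep listens on at `host`. Defaults to my.services.karakeep.port
          as evaluated on this (Caddy) host, which is not the backend's setting;
          set it explicitly when the backend runs on a non-default port.
        '';
      };

  # … unchanged: end of options, config = lib.mkMerge [ service branch ] …

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."${subdomain}.${domain}".extraConfig = ''
          reverse_proxy http://${host}:${toString port}
          import cloudflare_${domain}
        '';
      };
    })
```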
diff --git a/secrets.nix b/secrets.nix
index 1868a3e..218ae41 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -25,6 +25,7 @@ let
 paperless-admin = [ machines.paperless ];
 paperless-oauth2-client-secret = [ machines.paperless ];
 actual-openid-client-secret = [ machines.actual-budget ];
+ karakeep-env = [ machines.karakeep ];
 zigbee2mqtt-password = [ machines.zigbee2mqtt ];
 mqtt-password = [ machines.zigbee2mqtt ];
 scaleway-password = [
diff --git a/secrets/karakeep-env.age b/secrets/karakeep-env.age
new file mode 100644
index 0000000..79ae8ba
Binary files /dev/null and b/secrets/karakeep-env.age differ
diff --git a/ssh-keys.nix b/ssh-keys.nix
index 9663480..1f5adff 100644
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@@ -30,6 +30,7 @@ rec {
 colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOVg0/MhkyTsZBITT0nZvH0hWskPJ7lyC5Mw70duczq";
 collabora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSaXqZ+gqkbRJxsHRvCXw9U2Zip8YlPjbEIgPEzevO3";
 actual-budget = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsvkaeZeTXtowXFcKmtx3ElzNXU4cW4Ti6pR2BBfPFk";
+ karakeep = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdfWilvVln+IVIDKmizUja/6reiFqKvV30z+Mc/gaJn";
 };
 # Machines able to provisioning other machines