diff --git a/hosts/shadowshocks/default.nix b/hosts/shadowshocks/default.nix
index a12523e..8a1eaa1 100644
--- a/hosts/shadowshocks/default.nix
+++ b/hosts/shadowshocks/default.nix
@@ -18,6 +18,13 @@ in
 my = {
 networking = {
+
+ shadownsocks = {
+ enable = true;
+ port = shadowshocks-port;
+ passwordFile = config.age.secrets.shadowshocks-password.path;
+ };
+
 tailscale = {
 enable = true;
 magicDNSDomain = p.domains.tsDns;
@@ -34,14 +41,5 @@ in
 virtualisation.proxmox.enable = true;
 };
- services.shadowsocks = {
- enable = true;
- passwordFile = config.age.secrets.shadowshocks-password.path;
- port = shadowshocks-port;
- };
-
- # open shadownsocks port
- networking.firewall.allowedTCPPorts = [ shadowshocks-port ];
-
 system.stateVersion = "24.11";
 }
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index 75687f9..4229e29 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -4,6 +4,7 @@
 ./caddy.nix
 ./ddclient.nix
 ./nas-samba-share.nix
+ ./shadowsocks.nix
 ./tailscale.nix
 ./technitium-dns-server.nix
 ];
diff --git a/modules/networking/shadowsocks.nix b/modules/networking/shadowsocks.nix
new file mode 100644
index 0000000..7d268e9
--- /dev/null
+++ b/modules/networking/shadowsocks.nix
@@ -0,0 +1,37 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.networking.shadowsocks;
+in
+{
+ options.my.networking.shadowsocks = {
+ enable = lib.mkEnableOption "Enable Shadowsocks relay";
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8388;
+ description = "Port to listen on";
+ };
+ passwordFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/shadowsocks/password";
+ description = "File with the Shadowsocks relay access password";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ services.shadowsocks = lib.mkIf cfg.enable {
+ enable = true;
+ passwordFile = cfg.passwordFile;
+ port = cfg.port;
+ };
+
+ # open shadownsocks port
+ networking.firewall.allowedTCPPorts = [ cfg.port ];
+ };
+
+}
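Review bot: In the first hunk of `hosts/shadowshocks/default.nix` the new attribute is spelled `shadownsocks`, while the module added in this commit declares `options.my.networking.shadowsocks`. Unless some other module declares the misspelled name, evaluation of this host should fail with an undefined-option error, and the relay and firewall rule that the second hunk removes from the host are not replaced. The line should read `shadowsocks = {`. The enclosing `my.networking` block closes outside the hunk.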
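Review bot: In the new `modules/networking/shadowsocks.nix`, `port` is typed `lib.types.int`, so a negative or out-of-range number passes this option's check and is caught, if at all, only further downstream; `type = lib.types.port;` rejects it here. `passwordFile` is typed `lib.types.path`, which also accepts a Nix path literal, and a literal is copied into the world-readable store once it is interpolated, so the description should say where the file must live, e.g. `description = "Path, outside the Nix store, of the file holding the Shadowsocks relay password";`. Only the TCP port is opened in the firewall; if `services.shadowsocks.mode` is left at a TCP-and-UDP default (not visible in this diff), either set `mode = "tcp_only";` or open the UDP port too, so the exposed surface matches what the relay actually serves. The inner `lib.mkIf cfg.enable` on `services.shadowsocks` repeats the guard already on `config`, and `lib.mkEnableOption "Shadowsocks relay"` avoids the doubled "Whether to enable Enable …" wording.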
diff --git a/secrets/shadowshocks-password.age b/secrets/shadowshocks-password.age
index 8cecabd..e34bc16 100644
Binary files a/secrets/shadowshocks-password.age and b/secrets/shadowshocks-password.age differ