diff --git a/configuration.nix b/configuration.nix index 515fa79..a72df29 100644 --- a/configuration.nix +++ b/configuration.nix @@ -69,6 +69,8 @@ ./services/ntfy.nix ./services/ntfy-alerts.nix + + ./services/mollysocket.nix ]; services.kmscon.enable = true; diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix index ab42655..c380aba 100644 --- a/modules/age-secrets.nix +++ b/modules/age-secrets.nix @@ -88,5 +88,11 @@ file = ../secrets/firefox-syncserver-env.age; mode = "0400"; }; + + # MollySocket env (MOLLY_VAPID_PRIVKEY + MOLLY_ALLOWED_UUIDS) + mollysocket-env = { + file = ../secrets/mollysocket-env.age; + mode = "0400"; + }; }; } diff --git a/secrets/mollysocket-env.age b/secrets/mollysocket-env.age new file mode 100644 index 0000000..15bcdbd Binary files /dev/null and b/secrets/mollysocket-env.age differ diff --git a/service-configs.nix b/service-configs.nix index ea35cf5..b6d0502 100644 --- a/service-configs.nix +++ b/service-configs.nix @@ -149,6 +149,10 @@ rec { port = 5000; proto = "tcp"; }; + mollysocket = { + port = 8020; + proto = "tcp"; + }; }; }; @@ -219,6 +223,10 @@ rec { domain = "ntfy.${https.domain}"; }; + mollysocket = { + domain = "mollysocket.${https.domain}"; + }; + livekit = { domain = "livekit.${https.domain}"; }; diff --git a/services/mollysocket.nix b/services/mollysocket.nix new file mode 100644 index 0000000..e35c01b --- /dev/null +++ b/services/mollysocket.nix 
@@ -0,0 +1,36 @@
+{
+ config,
+ service_configs,
+ lib,
+ ...
+}:
+{
+ imports = [
+ (lib.serviceMountWithZpool "mollysocket" service_configs.zpool_ssds [
+ "/var/lib/private/mollysocket"
+ ])
+ (lib.serviceFilePerms "mollysocket" [
+ "Z /var/lib/private/mollysocket 0700 root root"
+ ])
+ ];
+
+ services.mollysocket = {
+ enable = true;
+
+ settings = {
+ host = "127.0.0.1";
+ port = service_configs.ports.private.mollysocket.port;
+
+ # Explicitly allow our self-hosted ntfy instance.
+ # Local-network endpoints are denied by default for security.
+ allowed_endpoints = [ "https://${service_configs.ntfy.domain}" ];
+ # allowed_uuids set via MOLLY_ALLOWED_UUIDS in environmentFile
+ };
+
+ environmentFile = config.age.secrets.mollysocket-env.path;
+ };
+
+ services.caddy.virtualHosts."${service_configs.mollysocket.domain}".extraConfig = ''
+ reverse_proxy h2c://127.0.0.1:${builtins.toString service_configs.ports.private.mollysocket.port}
+ '';
+}
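Review bot: The relay fails open if the environment file is missing or `MOLLY_ALLOWED_UUIDS` is unset: the `settings` block leaves `allowed_uuids` at the module default, which as far as I recall of mollysocket is `[ "*" ]`, so any Signal account could register against this public vhost. Since the comment `# allowed_uuids set via MOLLY_ALLOWED_UUIDS in environmentFile` documents the intent, I would pin a deny-all baseline in the declarative config so the env var can only widen it, e.g. `allowed_uuids = [ ];` next to `allowed_endpoints`. Worth confirming against the mollysocket config docs that an empty list denies rather than falling back to `*`. Separately, `reverse_proxy h2c://...` assumes the mollysocket listener speaks prior-knowledge cleartext HTTP/2; if it only serves HTTP/1.1, proxied requests will fail, so verify that or drop the `h2c://` scheme.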