diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index 1d1f062..7cc832e 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -21,6 +21,7 @@ in
 ../nixos/mediaserver-setup.nix
 ../nixos/wireguard-netns.nix
 ../nixos/prowlarr.nix
+ ../nixos/sabnzbd.nix
 ];
 system.stateVersion = "22.11";
diff --git a/system/nixos/sabnzbd.nix b/system/nixos/sabnzbd.nix
new file mode 100644
index 0000000..09924a3
--- /dev/null
+++ b/system/nixos/sabnzbd.nix
@@ -0,0 +1,51 @@
+{ pkgs, lib, ... }:
+
+{
+ services.sabnzbd = {
+ enable = true;
+ user = "media_user";
+ group = "media_group";
+ };
+
+ systemd.services.sabnzbd = {
+ bindsTo = [ "wg.service" ];
+ after = lib.mkForce [ "wg.service" ];
+
+ serviceConfig = {
+ NetworkNamespacePath = "/var/run/netns/wg";
+ };
+ };
+
+ systemd.services.socat-sabnzbd = {
+ description = "socat exposes sabnzbd";
+ bindsTo = [ "wg.service" ];
+ after = [ "wg.service" ];
+
+ serviceConfig = {
+ Type = "simple";
+ RuntimeDirectory = "socat-sabnzbd";
+ DynamicUser = true;
+ UMask = "000";
+ NetworkNamespacePath = "/var/run/netns/wg";
+ ExecStart = "${pkgs.socat}/bin/socat -d -d UNIX-LISTEN:/run/socat-sabnzbd/sabnzbd.sock,unlink-early,fork TCP4:127.0.0.1:8080";
+ Restart = "on-failure";
+ };
+ };
+
+ services.nginx.virtualHosts."sabnzbd.internal.kempkens.network" = {
+ quic = true;
+ http3 = true;
+
+ onlySSL = true;
+ useACMEHost = "internal.kempkens.network";
+
+ extraConfig = ''
+ client_max_body_size 32m;
+ '';
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://unix:/run/socat-sabnzbd/sabnzbd.sock:/";
+ };
+ };
+}
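Review bot: `UMask = "000"` in `systemd.services.socat-sabnzbd.serviceConfig` appears to leave `/run/socat-sabnzbd/sabnzbd.sock` connectable by every local account, since the socket is created without any permission bits masked and no `RuntimeDirectoryMode` narrows the directory. That socket forwards directly to SABnzbd on 127.0.0.1:8080 inside the `wg` namespace, so any process on the host can reach the service without passing through the nginx vhost. Only nginx needs to connect, so the socket should be limited to it, for example `Group = "nginx"; UMask = "007";` together with `RuntimeDirectoryMode = "0750";` (assuming nginx runs with the default `nginx` group on this host). A short comment on the `ExecStart` line would also help, such as `# 8080 must match the port in SABnzbd's own config; nothing in this module sets it`.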