diff --git a/flake.lock b/flake.lock
index 68355ea..2189b3d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -234,11 +234,11 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1722808247,
-        "narHash": "sha256-86DGPkJh8dXSS/M5F6a0M7roGdn3QSTGY0X5fUyZk/M=",
+        "lastModified": 1723834524,
+        "narHash": "sha256-MmOQDY6EjyzyX0HLFjOV3EgUqtHrcXRdjhc6eIE/wyc=",
         "ref": "refs/heads/main",
-        "rev": "1cc4e1ea861931fccbfd7d7ca8e364ca277138d6",
-        "revCount": 57,
+        "rev": "6ca21756c9f3653a0f1e60c5cb7abc8ea5ab0d46",
+        "revCount": 58,
         "type": "git",
         "url": "file:./nix-secrets"
       },
diff --git a/hosts/Dimaga/default.nix b/hosts/Dimaga/default.nix
index d28944e..1474bcf 100644
--- a/hosts/Dimaga/default.nix
+++ b/hosts/Dimaga/default.nix
@@ -11,6 +11,7 @@ let
 
   subdomains = [
     config.secrets.services.airsonic.url
+    config.secrets.services.cockpit.url
     config.secrets.services.forgejo.url
     config.secrets.services.gremlin-lab.url
     config.secrets.services.jellyfin.url
@@ -141,6 +142,11 @@ in
         domain = config.secrets.networking.primaryDomain;
         url = config.secrets.services.airsonic.url;
       };
+      cockpit = {
+        enable = true;
+        domain = config.secrets.networking.primaryDomain;
+        url = config.secrets.services.cockpit.url;
+      };
       jellyfin = {
         enable = true;
         autostart = false;
diff --git a/modules/services/cockpit.nix b/modules/services/cockpit.nix
new file mode 100644
index 0000000..847f24c
--- /dev/null
+++ b/modules/services/cockpit.nix
@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+let
+  cfg = config.aux.system.services.cockpit;
+in
+{
+  options = {
+    aux.system.services.cockpit = {
+      enable = lib.mkEnableOption "Enables Cockpit monitoring.";
+      domain = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The root domain that Cockpit will be hosted on.";
+        example = "example.com";
+      };
+      url = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The complete URL where Cockpit is hosted.";
+        example = "https://cockpit.example.com";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    services = {
+      nginx.virtualHosts."${cfg.url}" = {
+        useACMEHost = cfg.domain;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9090";
+          extraConfig = ''
+            # Taken from https://garrett.github.io/cockpit-project.github.io/external/wiki/Proxying-Cockpit-over-NGINX
+            # Required to proxy the connection to Cockpit
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Required for web sockets to function
+            proxy_http_version 1.1;
+            proxy_buffering off;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+        };
+      };
+
+      cockpit = {
+        enable = true;
+        port = 9090;
+        settings = {
+          WebService = {
+            Origins = "https://${cfg.url} wss://${cfg.url}";
+            ProtocolHeader = "X-Forwarded-Proto";
+          };
+        };
+      };
+    };
+    systemd.services.nginx.wants = [ config.systemd.services.cockpit.name ];
+
+  };
+}
diff --git a/nix-secrets b/nix-secrets
index 1cc4e1e..6ca2175 160000
--- a/nix-secrets
+++ b/nix-secrets
@@ -1 +1 @@
-Subproject commit 1cc4e1ea861931fccbfd7d7ca8e364ca277138d6
+Subproject commit 6ca21756c9f3653a0f1e60c5cb7abc8ea5ab0d46