diff --git a/machines/gerd.nix b/machines/gerd.nix
index 3fcc0f2..527471c 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -14,6 +14,7 @@ in {
     # ./gerd/services/authelia.nix
     ./gerd/services/forgejo.nix
     ./gerd/services/teeworlds.nix
+    ./gerd/services/murmur.nix
   ];
 
   networking.hostName = "gerd";
diff --git a/machines/gerd/services/murmur.nix b/machines/gerd/services/murmur.nix
new file mode 100644
index 0000000..f621c93
--- /dev/null
+++ b/machines/gerd/services/murmur.nix
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+
+{
+  services.murmur = let
+    certLocation = config.security.acme.certs."mumble.fricloud.dk".directory;
+  in {
+    enable = true;
+    openFirewall = true;
+
+    sslCert = certLocation + "/fullchain.pem";
+    sslKey = certLocation + "/key.pem";
+    
+    environmentFile = config.age.secrets.murmur-env.path;
+    password = "$MURMUR_PASSWORD";
+    welcometext = "Welcome to Friclouds Mumble server!";
+  };
+
+  services.nginx.virtualHosts."mumble.fricloud.dk" = {
+    forceSSL = true;
+    enableACME = true;
+    root = pkgs.writeTextDir "index.html" ''
+      <html>
+        <head>
+          <title>Mumble server</title>
+        </head>
+        <body>
+          <p>This server runs a mumble server, enjoy!</p>
+        </body>
+      </html>
+    '';
+  };
+
+  # need to change group to murmur for cert + add nginx to murmur group to do HTTP ACME
+  security.acme.certs."mumble.fricloud.dk".group = config.users.groups.murmur.name;
+  users.users.nginx.extraGroups = [ config.users.groups.murmur.name ];
+
+  age.secrets = {
+    murmur-env.owner = config.users.users.murmur.name;
+  };
+
+  environment.persistence.root.directories = [
+    "/var/lib/murmur"
+  ];
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index 3060baa..aeb0e10 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,5 +1,6 @@
 {
   age.secrets = {
+    # authelia
     authelia-jwt.file = ./authelia/jwt.age;
     authelia-storage.file = ./authelia/storage.age;
     authelia-session.file = ./authelia/session.age;
@@ -7,6 +8,10 @@
     authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
     authelia-lldap-bind-user-pass.file = ./authelia/lldap-bind-user-pass.age;
 
+    # lldap
     lldap-user-pass.file = ./lldap/user-pass.age;
+
+    # mumble
+    murmur-env.file = ./murmur/env.age;
   };
 }
diff --git a/secrets/murmur/env.age b/secrets/murmur/env.age
new file mode 100644
index 0000000..ab3550d
Binary files /dev/null and b/secrets/murmur/env.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5439a8e..3635933 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,6 +10,7 @@ let
   defaultAccess = users ++ systems;
 in
 {
+  # authelia
   "authelia/jwt.age".publicKeys = defaultAccess;
   "authelia/storage.age".publicKeys = defaultAccess;
   "authelia/session.age".publicKeys = defaultAccess;
@@ -17,5 +18,9 @@ in
   "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
   "authelia/lldap-bind-user-pass.age".publicKeys = defaultAccess;
 
+  # lldap
   "lldap/user-pass.age".publicKeys = defaultAccess;
+
+  # mumble
+  "murmur/env.age".publicKeys = defaultAccess;
 }