diff --git a/configuration.nix b/configuration.nix
index d3f5ad96f..d472c2d75 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -17,6 +17,7 @@
       ./services-conf/pleroma-configuration.nix
       ./services-conf/postfix-configuration.nix
       ./services-conf/postgres-configuration.nix
+      ./services-conf/transmission-configuration.nix
       ./user-configuration.nix
     ];
 
diff --git a/services-conf/nginx-configuration.nix b/services-conf/nginx-configuration.nix
index 7fe3076ef..a5d9c81a2 100644
--- a/services-conf/nginx-configuration.nix
+++ b/services-conf/nginx-configuration.nix
@@ -88,6 +88,18 @@
     };
   };
 
+  # transmission
+  services.nginx.virtualHosts."bt.uninsane.org" = {
+    # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      # created with htpasswd -c bt.htpasswd <user>
+      basicAuthFile = "/etc/nixos/services-conf/bt.htpasswd";
+      proxyPass = "http://127.0.0.1:9091";
+    };
+  };
+
   services.nginx.virtualHosts."matrix.uninsane.org" = {
     addSSL = true;
     enableACME = true;
diff --git a/services-conf/transmission-configuration.nix b/services-conf/transmission-configuration.nix
new file mode 100644
index 000000000..896452e34
--- /dev/null
+++ b/services-conf/transmission-configuration.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # services.transmission.enable = true;
+  services.transmission.settings = {
+    rpc-bind-address = "0.0.0.0";
+    rpc-host-whitelist = "bt.uninsane.org";
+    # rpc-whitelist = "*.*.*.*";
+  };
+}
+