diff --git a/config/hosts/marisa.nix b/config/hosts/marisa.nix
index 6d96fbbe..8ca5605e 100644
--- a/config/hosts/marisa.nix
+++ b/config/hosts/marisa.nix
@@ -59,6 +59,11 @@
     };
   };
 
+  services.owncast = {
+    enable = true;
+    port = 8082;
+  };
+
   network = {
     addresses.public = {
       enable = true;
@@ -75,7 +80,7 @@
     firewall = {
       public = {
         interfaces = singleton "ens3";
-        tcp.ports = singleton 52969;
+        tcp.ports = [ 1935 52969 ];
       };
       private.interfaces = singleton "yggdrasil";
     };
diff --git a/config/services/access.nix b/config/services/access.nix
index ee481994..0d6549b2 100644
--- a/config/services/access.nix
+++ b/config/services/access.nix
@@ -5,7 +5,20 @@
     cname = { inherit (config.network.addresses.public) target; };
   };
 
+  deploy.tf.dns.records.services_owncast = {
+    inherit (config.network.dns) zone;
+    domain = "cast";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
   services.nginx.virtualHosts = {
+    "cast.${config.network.dns.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/".proxyPass = "http://127.0.0.1:8082";
+      };
+    };
     "media.${config.network.dns.domain}" = {
       forceSSL = true;
       enableACME = true;