diff --git a/modules/nixos/rtl_tcp.nix b/modules/nixos/rtl_tcp.nix
new file mode 100644
index 00000000..1a31961d
--- /dev/null
+++ b/modules/nixos/rtl_tcp.nix
@@ -0,0 +1,75 @@
+{
+ pkgs,
+ config,
+ lib,
+ utils,
+ ...
+}: let
+ inherit (lib.options) mkOption mkEnableOption mkPackageOption;
+ inherit (lib.modules) mkIf mkMerge mkOptionDefault mkDefault;
+ inherit (lib.trivial) mapNullable;
+ inherit (lib.lists) optionals;
+ inherit (utils) escapeSystemdExecArgs;
+ cfg = config.services.rtl_tcp;
+ defaultPort = 1234;
+ defaultUser = "rtl_tcp";
+in {
+ options.services.rtl_tcp = with lib.types; {
+ enable = mkEnableOption "rtl_tcp";
+ package = mkPackageOption pkgs "rtl-sdr-blog" {};
+ port = mkOption {
+ type = port;
+ default = defaultPort;
+ };
+ openFirewall = mkOption {
+ type = bool;
+ default = false;
+ };
+ user = mkOption {
+ type = nullOr str;
+ default = defaultUser;
+ };
+ group = mkOption {
+ type = nullOr str;
+ };
+ extraArgs = mkOption {
+ type = listOf str;
+ default = [];
+ };
+ };
+
+ config = let
+ serviceConf.services.rtl_tcp = {
+ group = mkOptionDefault (if cfg.user == defaultUser then defaultUser else null);
+ };
+ execArgs = optionals (cfg.port != defaultPort) [
+ "-p" (toString cfg.port)
+ ] ++ cfg.extraArgs;
+ conf.systemd.services.rtl_tcp = {
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/rtl_tcp ${escapeSystemdExecArgs execArgs}";
+ DynamicUser = mkDefault (cfg.user == null);
+ User = if cfg.user != null then cfg.user else defaultUser;
+ Group = cfg.group;
+ };
+ };
+ conf.environment.systemPackages = [cfg.package];
+ conf.users.users.${defaultUser} = mkIf (cfg.user == defaultUser) {
+ group = cfg.group;
+ isSystemUser = true;
+ extraGroups = mkIf config.hardware.rtl-sdr.enable [
+ "plugdev"
+ ];
+ };
+ conf.users.groups.${defaultUser} = mkIf (cfg.user == defaultUser) {
+ };
+ conf.networking.firewall = {
+ allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];
+ };
+ in mkMerge [
+ (mkIf cfg.enable conf)
+ serviceConf
+ ];
+}
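Review bot: The `serviceConfig` block in modules/nixos/rtl_tcp.nix starts a network-facing daemon with no systemd sandboxing, and the rtl_tcp wire protocol has no authentication, so the unit's confinement is the main thing limiting the impact of a bug in its command handling. I would add a baseline of hardening options next to `User`/`Group`, as sketched below; `PrivateDevices` is deliberately left out because the process has to open the USB dongle. The sketch also adds `SupplementaryGroups`, since with `user = null` the DynamicUser path gets no `plugdev` membership (only the static user has `extraGroups`) and presumably cannot open the device. Separately, `openFirewall` has no `description`; it should say that it opens the port on every interface.

```nix
    serviceConfig = {
      # … unchanged: ExecStart, DynamicUser, User, Group …
      # Covers the DynamicUser case, which does not receive users.users.*.extraGroups.
      SupplementaryGroups = optionals config.hardware.rtl-sdr.enable ["plugdev"];
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
    };
```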
diff --git a/modules/system/exports/rtl.nix b/modules/system/exports/rtl.nix
new file mode 100644
index 00000000..65f1f0fc
--- /dev/null
+++ b/modules/system/exports/rtl.nix
@@ -0,0 +1,34 @@
+{
+ lib,
+ gensokyo-zone,
+ ...
+}: let
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+ inherit (lib.modules) mkIf;
+in {
+ config.exports.services.rtl_tcp = {config, ...}: {
+ id = mkAlmostOptionDefault "rtl";
+ nixos = {
+ serviceAttr = "rtl_tcp";
+ assertions = let
+ mkAssertion = f: nixosConfig: let
+ cfg = nixosConfig.services.rtl_tcp;
+ in
+ f nixosConfig cfg;
+ in
+ mkIf config.enable [
+ (mkAssertion (nixosConfig: cfg: {
+ assertion = config.ports.tcp.port == cfg.port;
+ message = "port mismatch";
+ }))
+ ];
+ };
+ defaults.port.listen = mkAlmostOptionDefault "lan";
+ ports = {
+ tcp = {
+ port = mkAlmostOptionDefault 1234;
+ transport = "tcp";
+ };
+ };
+ };
+}
diff --git a/nixos/openwebrx.nix b/nixos/openwebrx.nix
index 6664584a..127b710a 100644
--- a/nixos/openwebrx.nix
+++ b/nixos/openwebrx.nix
@@ -4,17 +4,25 @@ pkgs, ... }: let - inherit (lib.modules) mkIf mkDefault; + inherit (lib.options) mkOption; + inherit (lib.modules) mkIf mkDefault mkOptionDefault; cfg = config.services.openwebrx; user = "openwebrx"; in { - services.openwebrx = { + options.services.openwebrx = with lib.types; { + hardwareDev = mkOption { + type = nullOr int; + }; + }; + + config.services.openwebrx = { enable = mkDefault true; package = mkDefault pkgs.openwebrxplus; user = mkDefault user; + hardwareDev = mkIf config.hardware.rtl-sdr.enable (mkOptionDefault 0); }; - users = mkIf cfg.enable { + config.users = mkIf cfg.enable { users.${user} = { uid = 912; isSystemUser = true;
@@ -29,7 +37,7 @@ in { }; }; - sops.secrets = let + config.sops.secrets = let sopsFile = mkDefault ./secrets/openwebrx.yaml; in mkIf cfg.enable {
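Review bot: `hardwareDev` in the first hunk of nixos/openwebrx.nix is declared without a `default`, and its only definition there is wrapped in `mkIf config.hardware.rtl-sdr.enable`, so on a host with rtl-sdr disabled any read of `cfg.hardwareDev` would abort evaluation with an undefined-option error. Defining both branches at the same priority avoids that without clashing with an option-level default: `hardwareDev = mkOptionDefault (if config.hardware.rtl-sdr.enable then 0 else null);`. A `description` stating what the integer selects and what `null` means would also help. The code that consumes the option is not in the visible hunks, so how `null` is handled there cannot be confirmed from this diff.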
@@ -41,7 +49,7 @@ in { }; }; - networking.firewall = mkIf cfg.enable { + config.networking.firewall = mkIf cfg.enable { interfaces.lan.allowedTCPPorts = mkIf cfg.enable [ cfg.port ];
diff --git a/nixos/rtl_tcp.nix b/nixos/rtl_tcp.nix
new file mode 100644
index 00000000..01c4469e
--- /dev/null
+++ b/nixos/rtl_tcp.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ gensokyo-zone,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf;
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+ cfg = config.services.rtl_tcp;
+in {
+ services.rtl_tcp = {
+ enable = mkAlmostOptionDefault true;
+ };
+ hardware.rtl-sdr.enable = mkAlmostOptionDefault true;
+ networking.firewall.interfaces.lan = mkIf (cfg.enable && !cfg.openFirewall) {
+ allowedTCPPorts = [cfg.port];
+ };
+}
diff --git a/systems/kasen/default.nix b/systems/kasen/default.nix
index 8099b19a..b609721a 100644
--- a/systems/kasen/default.nix
+++ b/systems/kasen/default.nix
@@ -13,6 +13,7 @@ _: { tailscale.enable = true; nginx.enable = true; openwebrx.enable = true; + rtl_tcp.enable = true; }; }; network.networks = {
diff --git a/systems/kasen/nixos.nix b/systems/kasen/nixos.nix
index 6e8e1b92..74d270ce 100644
--- a/systems/kasen/nixos.nix
+++ b/systems/kasen/nixos.nix
@@ -3,7 +3,9 @@ config, lib, ... -}: { +}: let + inherit (lib.modules) mkIf; +in { imports = let inherit (meta) nixos; in [
@@ -12,12 +14,14 @@ nixos.tailscale nixos.nginx nixos.openwebrx + nixos.rtl_tcp ]; boot.loader.grub.enable = false; boot.loader.generic-extlinux-compatible.enable = true; hardware.rtl-sdr.enable = true; + services.openwebrx.hardwareDev = mkIf config.services.rtl_tcp.enable null; sops.defaultSopsFile = ./secrets.yaml;
diff --git a/tf/tailscale_devices.tf b/tf/tailscale_devices.tf
index cc2cc27f..8f36046a 100644
--- a/tf/tailscale_devices.tf
+++ b/tf/tailscale_devices.tf
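Review bot: The new nixos/rtl_tcp.nix opens `cfg.port` on the `lan` interface, but nothing in this commit passes a listen address to the daemon, and upstream rtl_tcp binds 127.0.0.1 unless `-a` is given (worth confirming for the rtl-sdr-blog build), so the firewall rule may expose a port nothing is listening on. If LAN access is intended, state it explicitly, e.g. `services.rtl_tcp.extraArgs = ["-a" "<lan-address>"];` with the host's own address in place of the placeholder. Because the protocol is unauthenticated, binding to that one address is preferable to a wildcard bind. A short comment above the firewall rule naming the expected clients would make the exposure a documented decision.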
@@ -3,6 +3,7 @@ locals { tailscale_tag_genso = "tag:gensokyo" tailscale_tag_reisen = "tag:reisen" tailscale_tag_minecraft = "tag:minecraft" + tailscale_tag_rtl = "tag:rtl" tailscale_tag_arc = "tag:arc" tailscale_tag_arc_deploy = "tag:arc-deploy"
@@ -29,6 +30,7 @@ resource "tailscale_acl" "tailnet" { "${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra], "${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc_deploy, local.tailscale_tag_kat_deploy], "${local.tailscale_tag_minecraft}" : [local.tailscale_group_admin, local.tailscale_tag_infra], + "${local.tailscale_tag_rtl}" : [local.tailscale_group_admin, local.tailscale_tag_infra], "${local.tailscale_tag_arc}" : [local.tailscale_user_arc, local.tailscale_tag_arc_deploy], "${local.tailscale_tag_arc_deploy}" : [local.tailscale_user_arc], "${local.tailscale_tag_kat}" : [local.tailscale_user_kat, local.tailscale_tag_kat_deploy],
@@ -60,6 +62,14 @@ resource "tailscale_acl" "tailnet" { "${local.tailscale_tag_minecraft}:19132,19133,25565", ] }, + { + action = "accept" + src = ["*"] + dst = [ + "autogroup:self:*", + "${local.tailscale_tag_rtl}:1234", + ] + }, { action = "accept" src = [local.tailscale_group_member]
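Review bot: The ACL entry added in the last hunk of tf/tailscale_devices.tf uses `src = ["*"]`, which lets every source the policy recognises reach `tag:rtl` on port 1234, and rtl_tcp does no authentication of its own, so this rule is effectively the only access control in front of the tuner. Unless that breadth is intended, scope it like the rule that follows, `src = [local.tailscale_group_member]`, and keep `autogroup:self:*` in an entry of its own so the two grants can be tightened independently. The port is also hard-coded here while the NixOS module makes it configurable, so a comment noting that it must match `services.rtl_tcp.port` would prevent drift. The surrounding rule list starts and ends outside the hunk.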