diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix
new file mode 100644
index 00000000..65524353
--- /dev/null
+++ b/nixos/access/kitchencam.nix
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (config.services.nginx) virtualHosts;
+ access = config.services.nginx.access.kitchencam;
+in {
+ options.services.nginx.access.kitchencam = with lib.types; {
+ host = mkOption {
+ type = str;
+ default = "kitchencam.local.${config.networking.domain}";
+ };
+ url = mkOption {
+ type = str;
+ default = "http://${access.host}:8080";
+ };
+ streamUrl = mkOption {
+ type = str;
+ default = "http://${access.host}:8081";
+ };
+ domain = mkOption {
+ type = str;
+ default = "kitchen.${config.networking.domain}";
+ };
+ localDomain = mkOption {
+ type = str;
+ default = "kitchen.local.${config.networking.domain}";
+ };
+ tailDomain = mkOption {
+ type = str;
+ default = "kitchen.tail.${config.networking.domain}";
+ };
+ useACMEHost = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ };
+ config.services.nginx = {
+ virtualHosts = let
+ extraConfig = ''
+ proxy_redirect off;
+ proxy_buffering off;
+ '';
+ locations = {
+ "/" = {
+ proxy.websocket.enable = true;
+ proxyPass = access.url;
+ };
+ "/stream" = {
+ proxy.websocket.enable = true;
+ proxyPass = access.streamUrl;
+ };
+ };
+ in {
+ ${access.domain} = {
+ vouch.enable = true;
+ kTLS = mkDefault true;
+ inherit (access) useACMEHost;
+ forceSSL = mkDefault (access.useACMEHost != null);
+ inherit locations extraConfig;
+ };
+ ${access.localDomain} = {
+ serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ];
+ inherit (virtualHosts.${access.domain}) useACMEHost;
+ addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.addSSL || virtualHosts.${access.domain}.forceSSL);
+ kTLS = mkDefault true;
+ local.enable = true;
+ inherit locations extraConfig;
+ };
+ };
+ };
+}
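Review bot: The `${access.localDomain}` vhost (which also answers for `tailDomain` via `serverAliases`) proxies the same camera `/` and `/stream` upstreams as the public vhost but has no `vouch.enable`, and it uses `addSSL` rather than `forceSSL`, so a plaintext HTTP listener for the video stream stays open on that name; the only gate is `local.enable = true`, whose semantics live in another module and are not visible here. If that is deliberate (LAN/tailnet clients are trusted and vouch is not reachable for them), it deserves a comment on the block, e.g. `# Intentionally unauthenticated: local.enable must restrict this vhost to LAN/tailnet clients, otherwise the camera is exposed`, and `forceSSL = mkDefault (access.useACMEHost != null)` in place of `addSSL` would stop the stream from going out in clear just because a client typed http://. Note also that when `useACMEHost` is left null the public `${access.domain}` vhost defaults to `forceSSL = false` while still running vouch, which would carry the SSO session cookie over cleartext unless SSL is enabled elsewhere; a `lib.warn` or assertion on that combination would catch it at eval time.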
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index a53ee588..62440749 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix @@ -9,7 +9,7 @@ mediabox = access.systemFor "mediabox"; tei = access.systemFor "tei"; inherit (mediabox.services) plex; - inherit (tei.services) kanidm; + inherit (tei.services) kanidm vouch-proxy; in { imports = let inherit (meta) nixos; @@ -28,6 +28,7 @@ in { nixos.access.gensokyo nixos.access.kanidm nixos.access.freeipa + nixos.access.kitchencam nixos.access.proxmox nixos.access.plex nixos.samba @@ -98,6 +99,17 @@ in { inherit (nginx) group; extraDomainNames = [access.plex.localDomain]; }; + ${access.kitchencam.domain} = { + inherit (nginx) group; + extraDomainNames = mkMerge [ + [ + access.kitchencam.localDomain + ] + (mkIf tailscale.enable [ + access.kitchencam.tailDomain + ]) + ]; + }; }; services.nginx = let @@ -114,6 +126,9 @@ in { access.freeipa = { host = "idp.local.${config.networking.domain}"; }; + access.kitchencam = { + useACMEHost = access.kitchencam.domain; + }; virtualHosts = { ${access.kanidm.domain} = { useACMEHost = access.kanidm.domain; @@ -129,6 +144,13 @@ in { addSSL = true; useACMEHost = access.plex.domain; }; + ${access.kitchencam.domain} = { + vouch = { + authUrl = vouch-proxy.authUrl; + url = vouch-proxy.url; + proxyOrigin = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}"; + }; + }; }; }; diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf index d735fe22..fcc60528 100644 --- a/tf/cloudflare_records.tf +++ b/tf/cloudflare_records.tf @@ -21,12 +21,14 @@ module "hakurei_system_records" { "ldap", "freeipa", "smb", + "kitchen", ] global_subdomains = [ "plex", "idp", "ldap", "smb", + "kitchen", ] } 
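Review bot: The new ACME entry for `${access.kitchencam.domain}` adds `localDomain` and, under `mkIf tailscale.enable`, `tailDomain` as `extraDomainNames`, so both internal hostnames are issued as SANs on a publicly trusted certificate and therefore published in Certificate Transparency logs alongside the public name. This mirrors the existing plex entry just above it, so it is presumably an accepted trade-off, but a one-line comment such as `# local/tail names land in CT logs via the SAN list; acceptable only while those hosts are not reachable from the internet` would record that decision next to the config. Be aware as well that toggling `tailscale.enable` changes the SAN set and will trigger a certificate reissue.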
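Review bot: `proxyOrigin` for the kitchencam vouch block is a plain `http://` URL to tei's tailscale hostname, and if it is the target of nginx's auth subrequest (as the name suggests) those requests forward the vouch session cookie to a remote host with no TLS at the application layer. That is fine while the hop stays inside the tailnet, where WireGuard encrypts it, but nothing in this hunk pins the traffic to the tailscale interface, so a comment like `# plain HTTP is acceptable only because tei is reached over the tailnet; never point this at a LAN or public address` would make the assumption explicit. It would also be worth confirming that the inherited `vouch-proxy.authUrl` and `vouch-proxy.url` are https endpoints, since those are the URLs browsers are redirected to.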
@@ -89,6 +91,14 @@ module "kubernetes_system_records" { local_v6 = "fd0a::be24:11ff:fe49:fedc" } +module "kitchencam_system_records" { + source = "./system/records" + name = "kitchencam" + zone_id = cloudflare_zone.gensokyo-zone_zone.id + zone_zone = cloudflare_zone.gensokyo-zone_zone.zone + local_v6 = "fd0a::ba27:ebff:fea8:f4ff" +} + module "tewi_legacy_system_records" { source = "./system/records" name = "tewi"