diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index 87584b2aed79..db952413a22d 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -89,6 +89,8 @@ - [immich-public-proxy](https://github.com/alangrainger/immich-public-proxy), a proxy for sharing Immich albums without exposing the Immich API. Available as [services.immich-public-proxy](#opt-services.immich-public-proxy.enable). +- [Zipline](https://zipline.diced.sh/), a ShareX/file upload server that is easy to use, packed with features, and with an easy setup. Available as [services.zipline](#opt-services.zipline.enable). + - [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable). - [nvidia-gpu](https://github.com/utkuozdemir/nvidia_gpu_exporter), a Prometheus exporter that scrapes `nvidia-smi` for GPU metrics. Available as [services.prometheus.exporters.nvidia-gpu](#opt-services.prometheus.exporters.nvidia-gpu.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 8fa4b6e9d110..81ccad637425 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1576,6 +1576,7 @@ ./services/web-apps/your_spotify.nix ./services/web-apps/youtrack.nix ./services/web-apps/zabbix.nix + ./services/web-apps/zipline.nix ./services/web-apps/zitadel.nix ./services/web-servers/agate.nix ./services/web-servers/apache-httpd/default.nix diff --git a/nixos/modules/services/web-apps/zipline.nix b/nixos/modules/services/web-apps/zipline.nix new file mode 100644 index 000000000000..b13ba3494f8f --- /dev/null +++ b/nixos/modules/services/web-apps/zipline.nix 
@@ -0,0 +1,136 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.zipline;
+in
+{
+ meta.maintainers = with lib.maintainers; [ defelo ];
+
+ options.services.zipline = {
+ enable = lib.mkEnableOption "Zipline";
+
+ package = lib.mkPackageOption pkgs "zipline" { };
+
+ settings = lib.mkOption {
+ description = ''
+ Configuration of Zipline. See for more information.
+ '';
+ default = { };
+ example = {
+ CORE_SECRET = "changethis";
+ CORE_DATABASE_URL = "postgres://postgres:postgres@postgres/postgres";
+ CORE_HOST = "0.0.0.0";
+ CORE_PORT = "3000";
+ DATASOURCE_LOCAL_DIRECTORY = "/var/lib/zipline/uploads";
+ };
+
+ type = lib.types.submodule {
+ freeformType =
+ with lib.types;
+ attrsOf (oneOf [
+ str
+ int
+ ]);
+
+ options = {
+ CORE_HOST = lib.mkOption {
+ type = lib.types.str;
+ description = "The hostname to listen on.";
+ default = "127.0.0.1";
+ example = "0.0.0.0";
+ };
+
+ CORE_PORT = lib.mkOption {
+ type = lib.types.port;
+ description = "The port to listen on.";
+ default = 3000;
+ example = 8000;
+ };
+ };
+ };
+ };
+
+ environmentFiles = lib.mkOption {
+ type = lib.types.listOf lib.types.path;
+ default = [ ];
+ example = [ "/run/secrets/zipline.env" ];
+ description = ''
+ Files to load environment variables from (in addition to [](#opt-services.zipline.settings)). This is useful to avoid putting secrets into the nix store. See for more information.
+ '';
+ };
+
+ database.createLocally = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = ''
+ Whether to enable and configure a local PostgreSQL database server.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.zipline.settings = {
+ CORE_DATABASE_URL = lib.mkIf cfg.database.createLocally "postgresql://zipline@localhost/zipline?host=/run/postgresql";
+ DATASOURCE_LOCAL_DIRECTORY = lib.mkDefault "/var/lib/zipline/uploads"; # created automatically by zipline
+ };
+
+ services.postgresql = lib.mkIf cfg.database.createLocally {
+ enable = true;
+ ensureUsers = lib.singleton {
+ name = "zipline";
+ ensureDBOwnership = true;
+ };
+ ensureDatabases = [ "zipline" ];
+ };
+
+ systemd.services.zipline = {
+ wantedBy = [ "multi-user.target" ];
+
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service";
+ requires = lib.optional cfg.database.createLocally "postgresql.service";
+
+ environment = lib.mapAttrs (_: value: toString value) cfg.settings;
+
+ serviceConfig = {
+ User = "zipline";
+ Group = "zipline";
+ DynamicUser = true;
+ StateDirectory = "zipline";
+ EnvironmentFile = cfg.environmentFiles;
+ ExecStart = lib.getExe cfg.package;
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+}
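Review bot: The `settings.example` seeds `CORE_SECRET = "changethis"` and a `CORE_DATABASE_URL` that embeds a password, yet every key in `settings` is rendered by `environment = lib.mapAttrs (_: value: toString value) cfg.settings` into the unit file, which is world-readable in the Nix store and visible via `systemctl show`, directly contradicting the `environmentFiles` description that says that option exists to keep secrets out of the store. Drop the credential-bearing keys from the example (keep `CORE_HOST`, `CORE_PORT`, `DATASOURCE_LOCAL_DIRECTORY`) and append to the `settings` description: `Values set here are written to the Nix store and the unit's environment; put CORE_SECRET and any database URL containing credentials in environmentFiles instead.` Consider backing that with `warnings = lib.optional (cfg.settings ? CORE_SECRET) "services.zipline: CORE_SECRET in settings is world-readable in the Nix store; move it to environmentFiles.";` inside the `config` block. Separately, the hardening list pairs `SystemCallArchitectures = "native"` with no syscall filter; `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` is the usual companion and should be safe to add here, though it is worth confirming against the packaged binary since the module does not show what runtime it is.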