diff --git a/config/users.nix b/config/users.nix
index bf62d6d..455852c 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -46,5 +46,6 @@
 firefly-iii = uidGid 965;
 firefly-pico = uidGid 964;
 avahi = uidGid 963;
+ firefly-iii-data-importer = uidGid 962;
 };
 }
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 674b72f..32f6abb 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -14,6 +14,7 @@ let
 globals.services.grafana.domain
 globals.services.firefly.domain
 globals.services.firefly-pico.domain
+ globals.services.firefly-data-importer.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index f69e832..bf19d63 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -15,6 +15,7 @@ let
 globals.services.grafana.domain
 globals.services.firefly.domain
 globals.services.firefly-pico.domain
+ globals.services.firefly-data-importer.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index fe00c8b..a152511 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -114,6 +114,7 @@ in
 globals.services.grafana.domain
 globals.services.firefly.domain
 globals.services.firefly-pico.domain
+ globals.services.firefly-data-importer.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/ward/guests/firefly.nix b/hosts/ward/guests/firefly.nix
index ab43289..9443d7b 100644
--- a/hosts/ward/guests/firefly.nix
+++ b/hosts/ward/guests/firefly.nix
@@ -7,6 +7,7 @@ let
 fireflyDomain = "firefly.${globals.domains.me}";
 fireflyPicoDomain = "firefly-pico.${globals.domains.me}";
+ fireflyDataImporterDomain = "firefly-data-importer.${globals.domains.me}";
 wardWebProxyCfg = nodes.ward-web-proxy.config;
 in
 {
@@ -17,6 +18,7 @@ in
 globals.services.firefly.domain = fireflyDomain;
 globals.services.firefly-pico.domain = fireflyPicoDomain;
+ globals.services.firefly-data-importer.domain = fireflyDataImporterDomain;
 globals.monitoring.http.firefly = {
 url = "https://${fireflyDomain}";
 expectedBodyRegex = "Firefly III";
@@ -42,6 +44,13 @@ in
 owner = "firefly-pico";
 };
+ age.secrets.firefly-data-importer-app-key = {
+ generator.script = _: ''
+ echo "base64:$(head -c 32 /dev/urandom | base64)"
+ '';
+ owner = "firefly-data-importer";
+ };
+
 environment.persistence."/persist".directories = [
 {
 directory = "/var/lib/firefly-iii";
@@ -51,6 +60,10 @@ in
 directory = "/var/lib/firefly-pico";
 user = "firefly-pico";
 }
+ {
+ directory = "/var/lib/firefly-iii-data-importer";
+ user = "firefly-iii-data-importer";
+ }
 ];
 networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
@@ -89,6 +102,23 @@ in
 };
 };
+ services.firefly-iii-data-importer = {
+ enable = true;
+ enableNginx = true;
+ virtualHost = globals.services.firefly-data-importer.domain;
+ settings = {
+ LOG_CHANNEL = "syslog";
+ APP_ENV = "local";
+ APP_URL = "https://${globals.services.firefly-data-importer.domain}";
+ TZ = "Europe/Berlin";
+ FIREFLY_III_URL = config.services.firefly-iii.settings.APP_URL;
+ VANITY_URL = config.services.firefly-iii.settings.APP_URL;
+ TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
+ EXPECT_SECURE_URL = "true";
+ APP_KEY_FILE = config.age.secrets.firefly-data-importer-app-key.path;
+ };
+ };
+
 services.nginx.commonHttpConfig = ''
 log_format json_combined escape=json '{'
 '"time": $msec,'
diff --git a/secrets/generated/ward-firefly/firefly-data-importer-app-key.age b/secrets/generated/ward-firefly/firefly-data-importer-app-key.age
new file mode 100644
index 0000000..701c1aa
Binary files /dev/null and b/secrets/generated/ward-firefly/firefly-data-importer-app-key.age differ
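Review bot: The new secret's `owner = "firefly-data-importer";` in the `@@ -42,6 +44,13 @@` hunk names an account that nothing in this commit defines. users.nix allocates `firefly-iii-data-importer`, and the persistence entry in the following hunk uses `user = "firefly-iii-data-importer"`. If no `firefly-data-importer` user exists on the host, the key will presumably either fail to get its ownership set at activation or end up unreadable by the service that needs it. Change the line to `owner = "firefly-iii-data-importer";` so the app key is readable by exactly the account that runs the importer. The mismatch seems to come from the service being named `firefly-data-importer` under `globals.services` but `firefly-iii-data-importer` everywhere else, so a one-line comment next to the secret noting which name is the system user would help.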
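Review bot: `APP_ENV = "local";` in the `services.firefly-iii-data-importer.settings` block (hunk `@@ -89,6 +102,23 @@`) runs an HTTPS-published Laravel application in its development environment. Whether verbose error pages are rendered depends on `APP_DEBUG`, which this hunk does not set, so the effective behaviour rests on a default that is not visible here. Consider `APP_ENV = "production";` together with an explicit `APP_DEBUG = "false";`, so that an error response cannot expose request data or configuration values. Confirm the choice against the existing firefly-iii settings, which lie outside this hunk.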
diff --git a/secrets/rekeyed/ward-firefly/bf62c2abb03665ad857f821820811918-firefly-data-importer-app-key.age b/secrets/rekeyed/ward-firefly/bf62c2abb03665ad857f821820811918-firefly-data-importer-app-key.age new file mode 100644 index 0000000..0fe750c --- /dev/null +++ b/secrets/rekeyed/ward-firefly/bf62c2abb03665ad857f821820811918-firefly-data-importer-app-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 YHfciQ Ta83gRa74Qw3CSktDEV58orXyTabF1iyMe9o0EftLAk +JedF0o7cg0cyr7NTlDUQGQTrqTsOUyqr2qGgeb04F98 +-> c7X&&-grease M (u|w5r1t Bu&{ +KgBrgDovK7GWxFLq7kkwA5UNWr5QqlzeWbU13cTt8DXC4TCdSS9A+Wjzl+qDykzW +5oZ6tFgvWFFF2E/3Ym1YjTTl3cOvxG0RG6Bj/GXNVjo8PeTJ5Ny9h+yOJ/YuAcY +--- cqhrBzqNMukHeBPQe1mlHpVZfVWgUAepvPV8JGbAUVA +ÑR<,VÏHÀíY·ZÅ#Š}·*Ϫ¦!Ä â[ärƒµÙúê¢kȾè܆ʓo’jcÎ>92­ /dbû=sÛöE{1~"îûû&ö»j$8H \ No newline at end of file