diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index bc58395..3036cd6 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -253,6 +253,7 @@
         (mkVirtualHost "budget.s0.neet.dev" "http://localhost:${toString config.services.actual.settings.port}") # actual budget
         (mkVirtualHost "linkwarden.s0.neet.dev" "http://localhost:${toString config.services.linkwarden.port}")
         (mkVirtualHost "memos.s0.neet.dev" "http://localhost:${toString config.services.memos.port}")
+        (mkVirtualHost "outline.s0.neet.dev" "http://localhost:${toString config.services.outline.port}")
       ];
 
     tailscaleAuth = {
@@ -276,6 +277,7 @@
         "budget.s0.neet.dev"
         "linkwarden.s0.neet.dev"
         # "memos.s0.neet.dev" # messes up memos /auth route
+        # "outline.s0.neet.dev" # messes up outline /auth route
       ];
       expectedTailnet = "koi-bebop.ts.net";
     };
@@ -351,5 +353,26 @@
     port = 57643;
   };
 
+  services.outline = {
+    enable = true;
+    forceHttps = false; # https through nginx
+    port = 43933;
+    publicUrl = "https://outline.s0.neet.dev";
+    storage.storageType = "local";
+    smtp = {
+      secure = true;
+      fromEmail = "robot@runyan.org";
+      username = "robot@runyan.org";
+      replyEmail = "robot@runyan.org";
+      host = "mail.neet.dev";
+      port = 465;
+      passwordFile = "/run/agenix/robots-email-pw";
+    };
+  };
+  age.secrets.robots-email-pw = {
+    file = ../../../secrets/robots-email-pw.age;
+    owner = config.services.outline.user;
+  };
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }
diff --git a/machines/storage/s0/properties.nix b/machines/storage/s0/properties.nix
index f58f391..9d133c8 100644
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -16,6 +16,7 @@
     "zigbee"
     "media-server"
     "linkwarden"
+    "outline"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
diff --git a/secrets/robots-email-pw.age b/secrets/robots-email-pw.age
index 362c882..4622b7d 100644
Binary files a/secrets/robots-email-pw.age and b/secrets/robots-email-pw.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3071fd2..50c279e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,7 +17,7 @@ with roles;
   "cris-hashed-email-pw.age".publicKeys = email-server;
   "sasl_relay_passwd.age".publicKeys = email-server;
   "hashed-robots-email-pw.age".publicKeys = email-server;
-  "robots-email-pw.age".publicKeys = gitea;
+  "robots-email-pw.age".publicKeys = gitea ++ outline;
 
   # nix binary cache
   # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=