diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 6a3baf98a00..93d068418d7 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -246,6 +246,7 @@ dspam = 222; gale = 223; matrix-synapse = 224; + rspamd = 225; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -469,6 +470,7 @@ dspam = 222; gale = 223; matrix-synapse = 224; + rspamd = 225; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 4f125b09afb..6b3cbcf388b 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -193,6 +193,7 @@ ./services/mail/postfix.nix ./services/mail/postsrsd.nix ./services/mail/spamassassin.nix + ./services/mail/rspamd.nix ./services/misc/apache-kafka.nix ./services/misc/autofs.nix ./services/misc/bepasty.nix diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix new file mode 100644 index 00000000000..a083f829324 --- /dev/null +++ b/nixos/modules/services/mail/rspamd.nix 
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.rspamd;
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.rspamd = {
+
+ enable = mkOption {
+ default = false;
+ description = "Whether to run the rspamd daemon.";
+ };
+
+ debug = mkOption {
+ default = false;
+ description = "Whether to run the rspamd daemon in debug mode.";
+ };
+
+ user = mkOption {
+ type = types.string;
+ default = "rspamd";
+ description = ''
+ User to use when no root privileges are required.
+ '';
+ };
+
+ group = mkOption {
+ type = types.string;
+ default = "rspamd";
+ description = ''
+ Group to use when no root privileges are required.
+ '';
+ };
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ # Allow users to run 'rspamc' and 'rspamadm'.
+ environment.systemPackages = [ pkgs.rspamd ];
+
+ users.extraUsers = singleton {
+ name = cfg.user;
+ description = "rspamd daemon";
+ uid = config.ids.uids.rspamd;
+ group = cfg.group;
+ };
+
+ users.extraGroups = singleton {
+ name = cfg.group;
+ gid = config.ids.gids.spamd;
+ };
+
+ systemd.services.rspamd = {
+ description = "Rspamd Service";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -f";
+ RuntimeDirectory = "/var/lib/rspamd";
+ PermissionsStartOnly = true;
+ Restart = "always";
+ };
+
+ preStart = ''
+ ${pkgs.coreutils}/bin/mkdir -p /var/{lib,log}/rspamd
+ ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd
+ '';
+
+ };
+
+ };
+
+}
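Review bot: `gid = config.ids.gids.spamd;` in `users.extraGroups` looks like a typo for the `rspamd` gid that this same commit allocates in ids.nix; it should read `gid = config.ids.gids.rspamd;`. If a `spamd` gid is defined elsewhere in ids.nix (not visible in these hunks), the rspamd group is created with another service's gid, so files meant to be group-private to one daemon become accessible to the other; if it is not defined, evaluation fails on the missing attribute. Separately, systemd's `RuntimeDirectory=` takes a name relative to /run rather than an absolute path, so `RuntimeDirectory = "rspamd";` is probably what is intended, with /var/lib/rspamd remaining the state directory created in `preStart`. `preStart` also creates /var/log/rspamd but chowns only /var/lib/rspamd, leaving the log directory owned by root after the daemon drops to `cfg.user`; extend the chown line to cover `/var/log/rspamd` as well.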