diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 104a454..9c2f4a1 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -41,6 +41,7 @@
       "adb"
       "prometheus-exporters"
       "promtail"
+      "dump1090"
     ]
     ++ [ ./disko.nix ];
 
diff --git a/modules/dump1090/default.nix b/modules/dump1090/default.nix
new file mode 100644
index 0000000..d6f2456
--- /dev/null
+++ b/modules/dump1090/default.nix
@@ -0,0 +1,45 @@
+{ pkgs, lib, ... }:
+{
+  systemd.services.dump1090-fa = {
+    description = "dump1090 ADS-B receiver (FlightAware customization)";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      DynamicUser = true;
+      SupplementaryGroups = "plugdev";
+      ExecStart = lib.escapeShellArgs [
+        (lib.getExe pkgs.dump1090)
+        "--net"
+        "--write-json"
+        "%t/dump1090-fa"
+      ];
+      RuntimeDirectory = "dump1090-fa";
+      WorkingDirectory = "%t/dump1090-fa";
+      RuntimeDirectoryMode = 755;
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."dump1090-fa" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8080;
+        }
+      ];
+      locations = {
+        "/".alias = "${pkgs.dump1090}/share/dump1090/";
+        "/data/".alias = "/run/dump1090-fa/";
+      };
+    };
+  };
+
+  # TODO before upstreaming in nixpkgs
+  # - add `meta.mainProgram` to dump1090
+  # - rename dump1090 to dump1090-fa
+  # - optionally create an alias for dump1090
+  # - securing the systemd service (`systemd-analyze security dump1090-fa`)
+}