diff --git a/hosts/glyph/services/db.nix b/hosts/glyph/services/db.nix
index bc35dfb..5da6706 100644
--- a/hosts/glyph/services/db.nix
+++ b/hosts/glyph/services/db.nix
@@ -39,6 +39,6 @@
   services.postgresqlBackup = {
     enable = true;
-    databases = ["atticd" "grafana" "open-webui" "pocketid"];
+    databases = ["atticd" "grafana" "open-webui" "pocketid" "windmill"];
   };
 }
diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 5bcb18f..ac1081b 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -18,6 +18,7 @@
     ./prometheus.nix
     ./samba.nix
     ./torrents.nix
+    ./windmill.nix
   ];
   users.groups.media = {};
   users.users.mu.extraGroups = ["media"];
diff --git a/hosts/glyph/services/windmill.nix b/hosts/glyph/services/windmill.nix
new file mode 100644
index 0000000..50071be
--- /dev/null
+++ b/hosts/glyph/services/windmill.nix
@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.windmill = {
+    enable = true;
+    serverPort = 8100;
+    baseUrl = "https://windmill.zx.dev";
+    database.createLocally = true;
+  };
+
+  # The NixOS module's initdb omits table grants from the upstream
+  # init-db-as-superuser.sql, causing permission errors at runtime.
+  # Patch the initdb service to include them.
+  systemd.services.windmill-initdb.script = let
+    cfg = config.services.windmill;
+    psql = "${config.services.postgresql.package}/bin/psql";
+  in ''
+    ${psql} -tA <<"EOF"
+    DO $$
+    BEGIN
+    IF NOT EXISTS (
+    SELECT FROM pg_catalog.pg_roles
+    WHERE rolname = 'windmill_user'
+    ) THEN
+    CREATE ROLE windmill_user;
+    END IF;
+    IF NOT EXISTS (
+    SELECT FROM pg_catalog.pg_roles
+    WHERE rolname = 'windmill_admin'
+    ) THEN
+    CREATE ROLE windmill_admin WITH BYPASSRLS;
+    GRANT windmill_user TO windmill_admin;
+    END IF;
+    GRANT windmill_admin TO ${cfg.database.user};
+    END
+    $$;
+
+    GRANT ALL PRIVILEGES ON DATABASE ${cfg.database.name} TO windmill_user;
+    GRANT ALL ON ALL TABLES IN SCHEMA public TO windmill_user;
+    GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO windmill_user;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO windmill_user;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO windmill_user;
+    EOF
+  '';
+}
diff --git a/hosts/spore/services/web/default.nix b/hosts/spore/services/web/default.nix
index aa91a52..334a76c 100644
--- a/hosts/spore/services/web/default.nix
+++ b/hosts/spore/services/web/default.nix
@@ -45,6 +45,14 @@
       "/pgp".return = "302 https://keyoxide.org/hkp/413d1a0152bcb08d2e3ddacaf88c08579051ab48";
     };
   };
+  "windmill.zx.dev" = {
+    forceSSL = true;
+    useACMEHost = "zx.dev";
+    locations."/" = {
+      proxyPass = "http://glyph.rove-duck.ts.net:8100";
+      proxyWebsockets = true;
+    };
+  };
   "torrents.zx.dev" = {
     forceSSL = true;
     useACMEHost = "zx.dev";
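Review bot: The psql invocation in the initdb script (`${psql} -tA <<"EOF"`) names no database, so the schema-scoped statements — `GRANT ALL ON ALL TABLES/SEQUENCES IN SCHEMA public` and both `ALTER DEFAULT PRIVILEGES` — run against whatever database the unit's environment selects by default rather than the windmill database, and the runtime permission errors the header comment describes would persist; pass the target explicitly, `${psql} -tA -d ${cfg.database.name} <<"EOF"`, unless the unit is known to set PGDATABASE. Separately, `systemd.services.<name>.script` is a `types.lines` option, so assigning it here concatenates with whatever the NixOS module already sets rather than replacing it, in an order the module system does not guarantee; `lib.mkAfter` makes an append explicit and `lib.mkForce` a replacement, and the header comment should say which one is intended. Note also that `ALTER DEFAULT PRIVILEGES` without `FOR ROLE` only covers objects later created by the role running this script, so if windmill's migrations create tables as `${cfg.database.user}` these defaults presumably will not apply to them — worth confirming against a fresh deployment. Finally, `pkgs` is bound in the module arguments but never used.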
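Review bot: The upstream is addressed by its tailnet name (`http://glyph.rove-duck.ts.net:8100`), which presumably requires windmill on glyph to listen on a non-loopback address on port 8100; nothing in this commit restricts that listener to the tailscale interface, so confirm glyph's firewall does not expose 8100 on other interfaces (that configuration is outside this diff). The backend hop is plain HTTP, acceptable only while it stays inside the tailnet; a comment on the `proxyPass` line such as `# plain HTTP: hop is confined to the tailnet` would record that assumption for the next maintainer. The enclosing `virtualHosts` attribute set starts and ends outside this hunk.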