diff --git a/2-nomad-config/openreader.nomad.hcl b/2-nomad-config/openreader.nomad.hcl
new file mode 100644
index 0000000..7383f34
--- /dev/null
+++ b/2-nomad-config/openreader.nomad.hcl
@@ -0,0 +1,116 @@
+job "openreader" {
+ group "openreader" {
+ network {
+ mode = "bridge"
+ port "http" {
+ to = 3003
+ }
+ }
+
+ # Consul Connect sidecar with upstream to postgres
+ service {
+ connect {
+ sidecar_service {
+ proxy {
+ upstreams {
+ destination_name = "postgres"
+ local_bind_port = 5432
+ }
+ }
+ }
+ }
+ }
+
+ service {
+ name = "openreader"
+ port = "http"
+
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.openreader.middlewares=auth@file",
+ ]
+
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+
+ service {
+ name = "openreader-api"
+ port = "http"
+ address_mode = "alloc" # Use allocation IP for Connect as the sidecar can't access the host's published port (hairpin/loopback NAT issue)
+
+ connect {
+ sidecar_service {}
+ }
+
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+
+ task "openreader" {
+ driver = "docker"
+
+ config {
+ image = "ghcr.io/richardr1126/openreader:v2.1.2"
+ ports = ["http"]
+ }
+
+ env = {
+ TZ = "Australia/Melbourne"
+
+ # Use embedded SeaweedFS for blob storage (data lives in /app/docstore/seaweedfs).
+ # Port 8333 is not exposed; browser uploads/downloads fall back through the app API.
+ USE_EMBEDDED_WEED_MINI = "true"
+ S3_ENDPOINT = "http://localhost:8333"
+ S3_FORCE_PATH_STYLE = "true"
+
+ # Auth is intentionally disabled (no BASE_URL / AUTH_SECRET set).
+ # Access is controlled by the Authelia middleware on the Traefik router above.
+
+ # To enable server-side library import from an Unraid share, add a second CSI volume
+ # mount for the share (e.g. unraid_media_books → /app/docstore/library:ro) and set:
+ # IMPORT_LIBRARY_DIR = "/app/docstore/library"
+ }
+
+ template {
+ data = <