diff --git a/secrets/calibre-web/htpasswd.age b/secrets/calibre-web/htpasswd.age
new file mode 100644
index 0000000..19f7437
Binary files /dev/null and b/secrets/calibre-web/htpasswd.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1c34c5a..63c1fbe 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -25,6 +25,7 @@ in {
   "owntracks/recorder.env.age".publicKeys = [ felschr home-pc home-server ];
   "owntracks/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
   "etebase-server.age".publicKeys = [ felschr home-pc home-server ];
+  "calibre-web/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
   "miniflux.age".publicKeys = [ felschr home-pc home-server ];
   "paperless.age".publicKeys = [ felschr home-pc home-server ];
   "nextcloud/admin.age".publicKeys = [ felschr home-pc home-server ];
diff --git a/services/calibre-web.nix b/services/calibre-web.nix
index 275a651..f4371ab 100644
--- a/services/calibre-web.nix
+++ b/services/calibre-web.nix
@@ -2,6 +2,11 @@
 
 let port = 8088;
 in {
+  age.secrets.calibre-web-htpasswd = {
+    file = ../secrets/calibre-web/htpasswd.age;
+    owner = config.services.nginx.user;
+  };
+
   services.calibre-web = {
     enable = true;
     group = "media";
@@ -16,11 +21,17 @@ in {
     virtualHosts."books.felschr.com" = {
       enableACME = true;
       forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://[::1]:${toString port}";
-        extraConfig = ''
-          client_max_body_size 500M;
-        '';
+      locations = {
+        "/" = {
+          proxyPass = "http://[::1]:${toString port}";
+          extraConfig = ''
+            client_max_body_size 500M;
+          '';
+        };
+        "/opds" = {
+          proxyPass = "http://[::1]:${toString port}";
+          basicAuthFile = config.age.secrets.calibre-web-htpasswd.path;
+        };
       };
     };
   };