diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
index bda5a71..fb14aca 100644
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@@ -1,23 +1,30 @@
 {
 "id": "ejabberd",
 "5apps_ldap_password": {
- "encrypted_data": "mfV9TyC4OM055JnyV73mq4qY840pH1tZC9LnIaA3A80CY2kVteC4\n",
- "iv": "gpEC3IK9BN9RkaYz\n",
- "auth_tag": "WXYWOjUCgEw5OR5VMh+Enw==\n",
+ "encrypted_data": "H7WrXu2iGreO5MSoaNKAAAQOxh92rij4j4UPffs7Rjq1mtd4dMed\n",
+ "iv": "uEOoET/OOSDjiELM\n",
+ "auth_tag": "ehYOXsKPHNXrYNy0xJ+BSw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "kosmos_ldap_password": {
- "encrypted_data": "Q9znUOIIXU+XsPWet4rDCjHsPPxlA3EfNTkEER/EdfoCajd1Txuh\n",
- "iv": "7SAOAwSU8rZGopB1\n",
- "auth_tag": "X8yIyw2BFbQMAVTMYLA67g==\n",
+ "encrypted_data": "1u+tUrEj5JZ0F+j59f7VKztBTyn1vqT6V3H3K7uC9kHQCOUFmg3x\n",
+ "iv": "NjhasM5iVF6tBzps\n",
+ "auth_tag": "kSNqc3xEQavZifWcPeeFpA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "uploads_secret": {
+ "encrypted_data": "2IVxvsaGP1+D0zOT0g9+Zz4Eg42Y8FPe8GiwQDZq6I1f\n",
+ "iv": "+Ujln/JDnL/afzZ3\n",
+ "auth_tag": "v0QBCsEemxBaBvi6kazj+w==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "admins": {
- "encrypted_data": "xKtiBOgn4ysJt4byry31cVJUHEsatWDwHEzEve/N5NxTOh1f4QBD+Q68IYzv\nV0ulBjtW91yFcQqKNx/prAVcK3khbnsEzg8uoub9o6hSMwp16LL5x/u6T6u2\n5DwWBEy08yuaujkko57ir0Yv7mfRedT1i5SaH9pgg5VLm56G/PXrlPFfjwaU\n",
- "iv": "fpL3EA1VbXxxi+yq\n",
- "auth_tag": "iJMJAmw5gHWLFJM5kdzR9A==\n",
+ "encrypted_data": "3kH8Cbc4Wy1RMd8HLa7aOCZWCZEyjmXq7JC3T0875472F708JjuOXuEqmUeG\nI82OE7lfMVrOup+hiMk9aCTQqxArayWFRZeWnMN2Ji/dbl12wJ/zKWSOPDQ2\nBHzJ/U6NoHBzmAV/PyirmD8KBNkZxCN8vhCq5azZTnmNQmu8CBxM+qUDDhd1\n",
+ "iv": "dro4RKs1MDD+riaM\n",
+ "auth_tag": "7yiBW9jyMzcAPWw/XR8zNQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
index f724394..9a91622 100644
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@@ -10,3 +10,12 @@ node.override["tor"]["HiddenServices"]["ejabberd"] = {
 "5269 127.0.0.1:5269"
 ]
 }
+
+node.default["kosmos-ejabberd"]["uploads"] = {
+ "domain" => "uploads.kosmos.chat",
+ "max_upload_size_mb" => "100",
+ "upload.pm" => {
+ "repo" => "https://gitea.kosmos.org/kosmos/ngx_http_upload.git",
+ "revision" => "0.2"
+ }
+}
diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb
index 1525cc0..4cf04db 100644
--- a/site-cookbooks/kosmos-ejabberd/metadata.rb
+++ b/site-cookbooks/kosmos-ejabberd/metadata.rb
@@ -19,8 +19,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 #
 # source_url 'https://github.com//kosmos-ejabberd'
 
-depends "kosmos-postgresql"
 depends "kosmos-base"
+depends "kosmos-postgresql"
+depends "kosmos-nginx"
 depends "backup"
 depends "firewall"
 depends "tor-full"
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb b/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb
new file mode 100644
index 0000000..3fb4038
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb
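Review bot: `"revision" => "0.2"` pins the upload.pm checkout to a git tag, which is a mutable reference: anyone who can move that tag on the remote changes the Perl code that the upload_service recipe later splices the uploads secret into and loads into nginx. Pin a full commit SHA here instead (the `git` resource accepts one as `revision`) and keep the tag as a comment, e.g. `"revision" => "<commit-sha-of-tag-0.2>", # tag 0.2`. `"max_upload_size_mb" => "100"` is a string for what is a size; an Integer (`100`) would let the template or later code use it arithmetically without a conversion.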
@@ -0,0 +1,60 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: upload_service
+#
+
+include_recipe "kosmos-nginx::with_perl"
+
+ejabberd_credentials = data_bag_item("credentials", "ejabberd")
+uploads_secret = ejabberd_credentials["uploads_secret"]
+
+upload_config = node["kosmos-ejabberd"]["uploads"]
+domain = upload_config["domain"]
+
+git "/opt/upload.pm" do
+ repository upload_config["upload.pm"]["repo"]
+ revision upload_config["upload.pm"]["revision"]
+ action :sync
+end
+
+directory "/var/www/upload" do
+ user node["nginx"]["user"]
+ group node["nginx"]["group"]
+ mode "0640"
+end
+
+ruby_block "configure uploads secret" do
+ block do
+ file = Chef::Util::FileEdit.new("/opt/upload.pm/upload.pm")
+ file.search_file_replace(%r{it-is-secret}, uploads_secret)
+ file.write_file
+ end
+end
+
+ruby_block "configure perl module in nginx" do
+ block do
+ file = Chef::Util::FileEdit.new("/etc/nginx/nginx.conf")
+ file.insert_line_after_match(
+ %r{types_hash_bucket_size},
+ "\n\n perl_modules /opt/upload.pm;\n perl_require upload.pm;"
+ )
+ file.write_file
+ end
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+ source "nginx_conf_upload_service.erb"
+ owner node["nginx"]["user"]
+ mode 0640
+ variables server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ max_upload_size_mb: upload_config["max_upload_size_mb"]
+ notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
+
+nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
new file mode 100644
index 0000000..bbf25a5
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
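Review bot: `mode "0640"` on `directory "/var/www/upload"` leaves out the execute bit, so even the owning nginx user cannot enter the directory or create files in it; a directory needs `mode "0750"` (or `"0700"` if only nginx uses it). The "configure uploads secret" ruby_block writes the decrypted `uploads_secret` into `/opt/upload.pm/upload.pm`, a file inside a `git` checkout whose owner and mode the recipe never sets, so the plaintext secret is most likely readable by every local user and is also overwritten whenever the checkout is synced to a new revision; add a `file "/opt/upload.pm/upload.pm"` resource after the edit that restricts owner and mode to the nginx user. The second ruby_block calls `insert_line_after_match` with no guard, so unless the nginx cookbook rewrites `/etc/nginx/nginx.conf` on every run the `perl_modules`/`perl_require` lines accumulate once per converge; guard it with `not_if { ::File.read("/etc/nginx/nginx.conf").include?("perl_modules /opt/upload.pm") }`, or put the two http-context directives in a managed snippet under conf.d instead of editing nginx.conf in place.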
@@ -0,0 +1,19 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+# Generated by Chef
+
+server {
+ listen 443 ssl http2;
+ server_name <%= @server_name %>;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ root /var/www/upload;
+
+ client_max_body_size <%= @max_upload_size_mb %>m;
+
+ location / {
+ perl upload::handle;
+ }
+}
+<% end -%>
diff --git a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb
new file mode 100644
index 0000000..bac0223
--- /dev/null
+++ b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb
@@ -0,0 +1,33 @@
+node.override['nginx']['default_site_enabled'] = false
+node.override['nginx']['server_tokens'] = 'off'
+
+node.override['nginx']['package_name'] = 'nginx-core'
+include_recipe 'nginx'
+
+package 'libnginx-mod-http-perl'
+
+# Generate Strong Diffie-Hellman Group (increases security)
+# https://weakdh.org/sysadmin.html
+openssl_dhparam "/etc/ssl/private/dhparams.pem" do
+ key_length 2048
+ mode 0600
+ owner 'www-data'
+end
+
+cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
+ source 'nginx_tls_config.conf'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ notifies :restart, 'service[nginx]'
+end
+
+unless node.chef_environment == "development"
+ include_recipe 'kosmos-base::firewall'
+
+ firewall_rule 'http/https' do
+ port [80, 443]
+ protocol :tcp
+ command :allow
+ end
+end
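Review bot: The `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>` on the first line wraps the whole template, including the `# Generated by Chef` marker, so until certbot has issued a certificate the rendered sites-available file is completely empty and an operator reading it has no hint that this is intentional. Move `# Generated by Chef` above the `<% if` and add an `<% else -%>` branch with a one-line comment such as `# TLS certificate for <%= @server_name %> not present yet; server block omitted until the next Chef run` so the empty state documents itself.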
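Review bot: The recipe has no header comment, unlike `upload_service.rb` in this same commit, and nothing explains why `package_name` is overridden to `nginx-core` before `include_recipe 'nginx'`; add `# Cookbook:: kosmos-nginx`, `# Recipe:: with_perl` and a line such as `# nginx-core is the Debian flavour that libnginx-mod-http-perl is built against` at the top (confirm that is the actual reason). `package 'libnginx-mod-http-perl'` carries no `notifies :restart, 'service[nginx]'`, so the module is installed into an already-running nginx and is only picked up when another resource later restarts or reloads the service; a delayed notification on the package would make this recipe self-sufficient. The dhparam, tls_config.conf and firewall stanzas look like a copy of kosmos-nginx::default — if so, factoring them into a shared recipe avoids the two drifting apart.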