diff --git a/secrets/mcp.yaml b/secrets/mcp.yaml
index fcd8cc0..451e4ff 100644
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -6,6 +6,9 @@ openproject:
 secret-key-base: ENC[AES256_GCM,data:luTuUtxL/SGx6O10y9cRiAzJHw==,iv:8qVJm+obsHr9eV0h+jdpsreeFGxEM+UFZHHiIUUPs6w=,tag:+zpjhKoIiNNSSYxe1QkQ7Q==,type:str]
 focalboard:
 database: ENC[AES256_GCM,data:GDxYdkVV+tl3qHxWMMoetmMnLnY=,iv:JujgNPyUEHCmD/yW3UKCTj9GTk9a7EkvUiyFLF4sF8A=,tag:46YZ7AthpiiaX69aN9a3Bg==,type:str]
+offen:
+ secret: ENC[AES256_GCM,data:sH2siPc/QH1O2M7ZlJwqhqlHRIeLIG9r,iv:eD29ALx2ji0rm1t9j6RulTZT3f6VLK7dxpPOze3qDKA=,tag:zqJTgT2UeA/ecBS4VremUw==,type:str]
+ smtp-token: ENC[AES256_GCM,data:ZTfe65g3JykPvG2l0AN8UQ==,iv:GTruGo/vcP+imfJyqB3NX9ic8dz5jvTEh6SF+OeqMDM=,tag:kgwd59pG/WUt8OAaVzi39Q==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -30,8 +33,8 @@ sops:
 by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
 vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-21T19:34:54Z"
- mac: ENC[AES256_GCM,data:D44YsnrRpYQmJxAjXdap+Ya6iqPrhdEmiaTgUOM53JYmkihIvmMxm3b09xMxucv3B7tvi5vCfcllgij+RZ2RPnQDFg8ZzYQu7AQSG8rgwoh3E9Zijx2gQm59hhvJlca2cB710hUL87Tkdbvz26LZevIf5gP83u2JCkXLzr9O/Ew=,iv:lMthECFXzbao4bVVK9eJgK5ubu1NUg97BI2T9OqlICw=,tag:8t+2kPoqKeSKF8e+x5dtmg==,type:str]
+ lastmodified: "2025-04-24T23:16:22Z"
+ mac: ENC[AES256_GCM,data:NY9uhBwukENyny0lSnYDrdRDlAm5o0kGBs8Tes4x3/dofWibl9HqHobilg4qrLFzwCgQsgyPAFoRKV7ZVQ25YHjXM4YnoFVmUASfyTfoejWet/J3HwOO1xNkX8N6iYWJRYHOWaKMm46ZvkjmqAB0N6L7Z/8Uk7b09HoAxJ3aVHA=,iv:kI3kv0e9kcc8cb4H+YCnQYs7qDbucQYo264lz4zR/2E=,tag:ELqxtawXwhEPBncDz3REVA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4
diff --git a/system/hosts/mcp/containers.nix b/system/hosts/mcp/containers.nix
index 5762a52..a6dd8ad 100644
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -10,8 +10,9 @@ ./containers/jobhunt.nix ./containers/mariadb.nix ./containers/nextcloud.nix - ./containers/prometheus.nix + ./containers/offen.nix ./containers/pocket-id.nix + ./containers/prometheus.nix ./containers/public-homepage.nix ./containers/searxng.nix ./containers/shared-postgres.nix diff --git a/system/hosts/mcp/containers/lib.nix b/system/hosts/mcp/containers/lib.nix index 38b6a8b..7696a38 100644 --- a/system/hosts/mcp/containers/lib.nix +++ b/system/hosts/mcp/containers/lib.nix @@ -36,6 +36,7 @@ in environmentFiles ? [], public ? false, user ? null, + extraOptions ? [], }: let routerRule = if public then hostRule hostName domain else localHostRule hostName domain; @@ -48,7 +49,7 @@ in }; in { - inherit image dependsOn volumes environment environmentFiles ports user; + inherit image dependsOn volumes environment environmentFiles ports user extraOptions; autoStart = true; labels = { "traefik.enable" = "true"; diff --git a/system/hosts/mcp/containers/offen.nix b/system/hosts/mcp/containers/offen.nix new file mode 100644 index 0000000..34bc826 --- /dev/null +++ b/system/hosts/mcp/containers/offen.nix 
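Review bot: The new `extraOptions ? []` parameter in mkContainer's argument set is undocumented, and the one caller this commit adds (offen.nix) keeps its use commented out, so the pass-through is currently exercised by nothing. A one-line comment above it would tell the next reader what it forwards: `# Extra CLI flags handed verbatim to the container runtime via virtualisation.oci-containers.containers.<name>.extraOptions.` mkContainer's argument set opens before this hunk, and the second lib.nix hunk, which adds the name to the `inherit` list, is the only place the value is consumed.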
@@ -0,0 +1,47 @@
+{ config, ... }:
+let
+ inherit (import ./lib.nix config) mkContainer terakoda;
+ userIds = import ./user-ids.nix;
+in {
+ users = userIds.mkUserAndGroup "offen" userIds.offen;
+
+ sops = {
+ secrets = {
+ "offen/smtp-token" = {};
+ "offen/secret" = {};
+ };
+ templates."offen.env" = {
+ mode = "0400";
+ owner = config.users.users.offen.name;
+ group = config.users.users.offen.group;
+ content = ''
+ OFFEN_SECRET="${config.sops.placeholder."offen/secret"}"
+ OFFEN_SMTP_USER="offen@terakoda.com"
+ OFFEN_SMTP_PASSWORD="${config.sops.placeholder."offen/smtp-token"}"
+ OFFEN_SMTP_HOST="smtp.protonmail.ch"
+ OFFEN_SMTP_PORT="587"
+ OFFEN_SMTP_SENDER="offen@terakoda.com"
+ OFFEN_SMTP_AUTHTYPE="LOGIN"
+ '';
+ };
+ };
+
+ virtualisation.oci-containers.containers.offen = mkContainer {
+ image = "offen/offen";
+ hostName = "offen";
+ domain = terakoda;
+ user = "${toString userIds.offen.uid}:${toString userIds.offen.gid}";
+ port = 80;
+ volumes = [
+ "${config.sops.templates."offen.env".path}:/etc/offen/offen.env:ro"
+ "/tank/offen/data:/var/opt/offen"
+ ];
+ # TODO: When running with this option the service fails to start with errors:
+ # Unmounting /var/lib/containers/storage/overlay/{hash}/merged: invalid argument
+ # Error: mounting storage for container {hash}: creating overlay mount to {overlay info}
+ # extraOptions = [
+ # "--uidmap=${toString userIds.offen.uid}"
+ # "--gidmap=${toString userIds.offen.gid}"
+ # ];
+ };
+}
diff --git a/system/hosts/mcp/containers/user-ids.nix b/system/hosts/mcp/containers/user-ids.nix
index c3c1c7a..71b3a06 100644
--- a/system/hosts/mcp/containers/user-ids.nix
+++ b/system/hosts/mcp/containers/user-ids.nix
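Review bot: `image = "offen/offen";` carries no tag or digest, so the container tracks whatever upstream currently publishes under the default tag and the host's state is not reproducible from this commit; pin it, e.g. `image = "offen/offen:<PINNED_TAG>@sha256:<DIGEST>";` (both values are placeholders to fill in). The secret handling itself looks sound: the sops template is `0400`, owned by the offen user, the container runs as that uid:gid, and the file is mounted read-only. One thing to confirm: `public` is not set, so per lib.nix's `public ? false` default the Traefik rule is the local one; if Offen is meant to be reached by visitors of the measured sites rather than only from the local network, this will need `public = true;`.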
@@ -17,4 +17,21 @@
 uid = 2006;
 gid = 2006;
 };
+ offen = {
+ uid = 2007;
+ gid = 2007;
+ };
+
+ mkUserAndGroup = name: ids: {
+ groups."${name}" = {
+ gid = ids.gid;
+ };
+
+ users."${name}" = {
+ uid = ids.uid;
+ isSystemUser = true;
+ description = "System User for ${name}";
+ group = "${name}";
+ };
+ };
 }
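Review bot: In mkUserAndGroup the antiquotations `groups."${name}"`, `users."${name}"` and `group = "${name}";` are redundant: `name` is already a string, so `groups.${name} = { ... };`, `users.${name} = { ... };` and `group = name;` express the same thing and are the form nix linters expect. The helper also lives inside the attrset that otherwise holds only uid/gid records, so if anything maps over this file's attributes it will now meet a function among the records; either move it next to mkContainer in lib.nix or mark the mixed content with a comment such as `# mkUserAndGroup: build users.users/users.groups entries for one of the id records above`. The enclosing attrset opens before this hunk.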