diff --git a/flake.lock b/flake.lock
index 4f0c0ab..14c146c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -334,11 +334,32 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
         "nurausstieg": "nurausstieg",
+        "scan-to-gpg": "scan-to-gpg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
         "ssh-to-age": "ssh-to-age"
       }
     },
+    "scan-to-gpg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732477156,
+        "narHash": "sha256-Cpw9YtpnZpVz5gcuiJO6rpJjLvS9O/Y8AuRt3/NFz1w=",
+        "ref": "refs/heads/main",
+        "rev": "f727e7f9717bebb13f80dfb6d6a92afe5284ffdf",
+        "revCount": 14,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
+      }
+    },
     "solid-xmpp-alarm": {
       "inputs": {
         "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index feb27c8..bcd41ea 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,10 @@
       url = "git+https://git.clerie.de/clerie/nurausstieg.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    scan-to-gpg = {
+      url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     solid-xmpp-alarm = {
       url = "git+https://git.clerie.de/clerie/solid-xmpp-alarm.git";
       inputs.nixpkgs.follows = "nixpkgs";
diff --git a/flake/modules.nix b/flake/modules.nix
index 9ba5b94..d608229 100644
--- a/flake/modules.nix
+++ b/flake/modules.nix
@@ -2,6 +2,7 @@
 , fernglas
 , fieldpoc
 , nixos-exporter
+, scan-to-gpg
 , solid-xmpp-alarm
 , sops-nix
 , ...
@@ -13,6 +14,7 @@
     fernglas.nixosModules.default
     fieldpoc.nixosModules.default
     nixos-exporter.nixosModules.default
+    scan-to-gpg.nixosModules.scan-to-gpg
     solid-xmpp-alarm.nixosModules.solid-xmpp-alarm
     sops-nix.nixosModules.sops
   ];
diff --git a/flake/overlay.nix b/flake/overlay.nix
index a2c3cea..0d346a4 100644
--- a/flake/overlay.nix
+++ b/flake/overlay.nix
@@ -4,6 +4,7 @@
 , chaosevents
 , harmonia
 , nurausstieg
+, scan-to-gpg
 , ssh-to-age
 , ...
 }@inputs:
@@ -19,6 +20,8 @@ final: prev: {
   };
   inherit (nurausstieg.packages.${final.system})
     nurausstieg;
+  inherit (scan-to-gpg.packages.${final.system})
+    scan-to-gpg;
   inherit (ssh-to-age.packages.${final.system})
     ssh-to-age;
 }
diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index b6d9ce7..0f6387b 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -18,6 +18,7 @@
       ./net-voip.nix
       ./ntp.nix
       ./ppp.nix
+      ./scan-to-gpg.nix
       ./wg-clerie.nix
     ];
 
diff --git a/hosts/carbon/net-printer.nix b/hosts/carbon/net-printer.nix
index bc32d16..8c9be06 100644
--- a/hosts/carbon/net-printer.nix
+++ b/hosts/carbon/net-printer.nix
@@ -37,6 +37,10 @@
     };
   };
 
+  # Enable scan-to-gpg
+  networking.firewall.interfaces."net-printer".allowedTCPPorts = [ 2121 ];
+  networking.firewall.interfaces."net-printer".allowedTCPPortRanges = [ { from = 2130; to = 2134; } ];
+
   clerie.firewall.extraForwardFilterCommands = ''
     # Allow access from Heimnetz to printer
     ip46tables -A forward-filter -i net-heimnetz -o net-printer -j ACCEPT
diff --git a/hosts/carbon/scan-to-gpg.nix b/hosts/carbon/scan-to-gpg.nix
new file mode 100644
index 0000000..3df8019
--- /dev/null
+++ b/hosts/carbon/scan-to-gpg.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+
+  services.scan-to-gpg = {
+    enable = true;
+    gpgkey = "${pkgs.clerie-keys}/gpg/clerie@clerie.de.asc";
+  };
+
+  users.users."clerie".extraGroups = [ "scan-to-gpg" ];
+}