diff --git a/hosts/glyph/secrets/opencode-env.age b/hosts/glyph/secrets/opencode-env.age
new file mode 100644
index 00000000..53853997
--- /dev/null
+++ b/hosts/glyph/secrets/opencode-env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 rSr+rA WMdeQarDYcNv0Y8Rwk2jsrJqTso8H/w2853O/+VMiG8
+WeK56rOFQyn2z2F8XW42fTiGj3ZSokthERyR9cYghbw
+-> ssh-ed25519 3EWhnQ wDLrhguuuCFFY8I6yyVXpM/xApjSRUz5BXczlnrigDM
+J4ftBWVM/2Ufbr85Tod+G8E3SjjeeqdNvsoFHWlBfWg
+--- bu7a+yuc8cmBJiMv4I1792IHlMsZgu3SUm1Upk6C7LE
+/±~M!û.Ê\WU.n< |ø°4xŽJuÀbnÚ
\ No newline at end of file
diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 59bc0e8b..b71dcab6 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -12,6 +12,7 @@
 ./jellyfin.nix
 ./nfs.nix
 ./open-terminal.nix
+ ./opencode.nix
 ./open-webui.nix
 ./prometheus.nix
 ./samba.nix
diff --git a/hosts/glyph/services/opencode.nix b/hosts/glyph/services/opencode.nix
new file mode 100644
index 00000000..511b58c6
--- /dev/null
+++ b/hosts/glyph/services/opencode.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ port = 8890;
+in {
+ age.secrets.opencode-env = {
+ file = ./../secrets/opencode-env.age;
+ mode = "440";
+ };
+
+ systemd.services.opencode = {
+ description = "OpenCode AI coding agent web interface";
+ after = ["network-online.target"];
+ wants = ["network-online.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ DynamicUser = true;
+ StateDirectory = "opencode";
+ WorkingDirectory = "/var/lib/opencode";
+ EnvironmentFile = config.age.secrets.opencode-env.path;
+ ExecStart = "${pkgs.opencode}/bin/opencode web --port ${toString port} --hostname 0.0.0.0";
+ Restart = "on-failure";
+ RestartSec = 5;
+ };
+ };
+}
diff --git a/hosts/spore/services/web/default.nix b/hosts/spore/services/web/default.nix
index 14b99f8e..7b67c948 100644
--- a/hosts/spore/services/web/default.nix
+++ b/hosts/spore/services/web/default.nix
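Review bot: In hosts/glyph/services/opencode.nix the `ExecStart` line passes `--hostname 0.0.0.0`, so the agent UI listens on every interface of glyph, while the only access control visible in this commit is `requireAuth = true` on the `code.zx.dev` vhost in hosts/spore/services/web/default.nix. Any peer that can reach glyph on port 8890 directly would skip that check, and a coding agent can presumably run commands as the service user; whether the firewall or tailnet ACLs already limit the port to spore is not visible here. Consider binding to the tailnet address only, or adding a rule that admits spore alone, and record the decision in a comment above `port = 8890;`. Separately, `mode = "440"` looks wider than needed: systemd reads `EnvironmentFile` itself before dropping to the dynamic user, so `mode = "400";` should suffice.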
@@ -90,6 +90,15 @@
 proxyWebsockets = true;
 };
 };
+ "code.zx.dev" = {
+ forceSSL = true;
+ useACMEHost = "zx.dev";
+ requireAuth = true;
+ locations."/" = {
+ proxyPass = "http://glyph.rove-duck.ts.net:8890";
+ proxyWebsockets = true;
+ };
+ };
 "cache.zx.dev" = {
 forceSSL = true;
 useACMEHost = "zx.dev";
diff --git a/lib/secrets/glyph.nix b/lib/secrets/glyph.nix
index 20f33a62..e7c67cf6 100644
--- a/lib/secrets/glyph.nix
+++ b/lib/secrets/glyph.nix
@@ -10,5 +10,6 @@ in {
 "hosts/glyph/secrets/open-webui-api-key.age".publicKeys = keys;
 "hosts/glyph/secrets/open-webui-env.age".publicKeys = keys;
 "hosts/glyph/secrets/graphite-auth-token.age".publicKeys = keys;
+ "hosts/glyph/secrets/opencode-env.age".publicKeys = keys;
 "hosts/glyph/secrets/attic-credentials.age".publicKeys = keys;
 }