diff --git a/configuration.nix b/configuration.nix index d282f04..216f926 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,5 +1,9 @@ { pkgs, ... }@inputs: { - imports = [ ./hardware-configuration.nix ./misskey-service.nix ]; + imports = [ + ./hardware-configuration.nix + ./misskey-service.nix + ./heartles-xyz-proxy.nix + ]; nix.settings = { experimental-features = [ "nix-command" "flakes" ]; diff --git a/flake.lock b/flake.lock index 1a20b85..87bbb9f 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1708831307, - "narHash": "sha256-0iL/DuGjiUeck1zEaL+aIe2WvA3/cVhp/SlmTcOZXH4=", + "lastModified": 1709128929, + "narHash": "sha256-GWrv9a+AgGhG4/eI/CyVVIIygia7cEy68Huv3P8oyaw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5bf1cadb72ab4e77cb0b700dab76bcdaf88f706b", + "rev": "c8e74c2f83fe12b4e5a8bd1abbc090575b0f7611", "type": "github" }, "original": { @@ -41,11 +41,11 @@ }, "unstable": { "locked": { - "lastModified": 1708807242, - "narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=", + "lastModified": 1709150264, + "narHash": "sha256-HofykKuisObPUfj0E9CJVfaMhawXkYx3G8UIFR/XQ38=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a", + "rev": "9099616b93301d5cf84274b184a3a5ec69e94e08", "type": "github" }, "original": { diff --git a/heartles-xyz-proxy.nix b/heartles-xyz-proxy.nix new file mode 100644 index 0000000..92a605c --- /dev/null +++ b/heartles-xyz-proxy.nix 
@@ -0,0 +1,54 @@
+{ config, lib, ... }: {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin+acme@heartles.xyz";
+ certs."STAR.home.heartles.xyz" = {
+ domain = "*.home.heartles.xyz";
+ dnsProvider = "namecheap";
+ credentialsFile = "/etc/nixos-secrets/namecheap-acme";
+ group = "nginx";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "*.home.heartles.xyz" = {
+ listen = [
+ {
+ port = 443;
+ addr = "0.0.0.0";
+ ssl = true;
+ }
+ {
+ port = 80;
+ addr = "0.0.0.0";
+ }
+ {
+ port = 443;
+ addr = "[::]";
+ ssl = true;
+ }
+ {
+ port = 80;
+ addr = "[::]";
+ }
+ ];
+
+ useACMEHost = "STAR.home.heartles.xyz";
+ forceSSL = true;
+
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_name $host;
+ include /etc/nixos-secrets/nginx-proxy-pass-home.conf;
+ '';
+ };
+ };
+ };
+ };
+}
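Review bot: The `extraConfig` under `locations."/"` sets `proxy_ssl_name $host;`, but nothing visible enables SNI or upstream certificate verification. nginx defaults both `proxy_ssl_server_name` and `proxy_ssl_verify` to off, so unless the included `/etc/nixos-secrets/nginx-proxy-pass-home.conf` sets them, the name has no effect and the proxy accepts any certificate the upstream presents. I would add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <CA-BUNDLE-PATH>;` next to it. The vhost is the wildcard `*.home.heartles.xyz` and `$host` comes from the request, so also confirm the included file does not build `proxy_pass` from `$host` without an allowlist of internal names. That file is outside the diff, so this last point is an inference.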