diff --git a/flake.nix b/flake.nix
index a7c2aa7..71d5959 100755
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,7 @@
             ./modules/mail
             ./modules/mailman.nix
             ./modules/mysql.nix
+            ./modules/nix-serve.nix
             ./modules/nginx.nix
             # ./modules/hydra.nix
             ./modules/userdir.nix
diff --git a/modules/nix-serve.nix b/modules/nix-serve.nix
new file mode 100644
index 0000000..ef9f255
--- /dev/null
+++ b/modules/nix-serve.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+let
+  domain = "cache.${config.networking.domain}";
+in
+{
+  sops.secrets."nix-serve/key" = { };
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.sops.secrets."nix-serve/key".path;
+  };
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}";
+    };
+  };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 570bde9..579e6ad 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -1,6 +1,8 @@
 nextcloud_adminpass: ENC[AES256_GCM,data:v6FYsO/RklPSz5uf6aYQDhdudHb0962I1WxJM3VGc0af6s/fEz2j+UTu,iv:WzS+jU7qmNQbd1RWDempdu4nv0ytWeybF/PKoc4mvTc=,tag:1CF3ZnQNDLv11j7UoyYsjg==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:WFbqr6VX12rpiPuIPlQnwOMdHM1B0yk2PYuuanbqREE=,iv:Iih4/GNs9qN+AM6fdaTJLmmPQIzxIwXHUZttP1Up6qs=,tag:IVZQId4yxbePVQqJB9+3iw==,type:str]
 wg-fsr: ENC[AES256_GCM,data:U/71p+wJvYebUMwl1hEx6L/ZPMuwk03o6pf5QyxV6zDZfAZP2keqJb2j7kQ=,iv:xcYWNxEdR5vMGUYlcbzMcIdSjfynOfFJrR6tUhGpZxA=,tag:FCrW2DkmigK9vuqFW4hkzQ==,type:str]
+nix-serve:
+    key: ENC[AES256_GCM,data:GptsUgeXOOrwJctoMZ+mWXcw9DwJ0f0LOlLyMlH/877N4uA5/NtNKIaFHl3z2GWPRBnDLBzDEO1Q6EDuWbakr+Uq4zTJm2MOV6Qf4kM0BlNpXGIdjvh7tD2La7GV4ID+CT8U6p0E,iv:3A/Yy4PHsq9VdhW4SKIYdpd1enQ5cDiKLk5S9VrH0b4=,tag:WZzbct7LZmOhEvx9KVQ8WA==,type:str]
 dex:
     environment: ENC[AES256_GCM,data:DAQs948lSm86/gt+Eg1Z1mlHBGWlNj6XwX3ko399lN93xkTj7xvYOB0TWeJUoCTlcYmTVFop9AVvc9Bj7W/ck8naUOMr7M5hF0IuPExqSUk0PKTr7JK1SdwvPM5O2aJbgA2uggKhmf8rmwqvSx5Zdv+Hg0aBnVKZUPsBG0LeLG5PqQYzGPmgRBTXP2avE1DlEYh5QuXg01FvXuACdvZ4tTgkx7WQQOS8HJm54hI1JcG0d9w1+MlLWpTqHcNiKYHtZLcmO/mx/7PBPWqddEVz+stOO1Q4kX/upaN0poRm4pva7/mnk/hpLNAFzlwtubVA2/htLLDw7jkiwI0QyRaIpajTPT3OrzlD7TwdJafbuD997QB0GgbtizyDaJfL1OBr7FLakCEUigQQTOw4CkwKqRdsDXDJYFK6DQx/vBCmMKN3CK8q2KN1dKX7qLQsqa+EsDjg6USwP5Z8y/FpFoj3Wfk9zSPfc5JjTiI0IvUM3zmmaKMhx/fyrIa69nhj7g4f,iv:eNV9sEWR0LKZVHFLYbRXiI+akZfOW1+QeELSlrLimGs=,tag:mCXklQnx0EraHQSCYyl8Wg==,type:str]
 portunus:
@@ -45,8 +47,8 @@ sops:
             cGxpRS9BL0tkay9LalQ0bjFxbHhra0kKIS8TzQwbsI24D7vpbtthm2ZFj9SHJEeH
             DxeqddD4RH/6a5h0WamKo/CTdx+QME6fILs/a3cM1IVxL2z0Ef9KmQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-05T20:57:13Z"
-    mac: ENC[AES256_GCM,data:Cp55SIw8m/GxLJBHe+32gv7uZKTp4E1s23GQGttXN9o5n3XlsEQtyE2HSQxQbQzAjh8jOT0wohyOUVqWplVoreTt5tNqmBqgBJyA/lZs/KFAM3J17r4hBi94w5E+eCeOoZPNlJro7xAoQvF4XnyFmwN+SLVqoTwSUZnr+SVF7RI=,iv:rrHE1wU10u/0n5LwwaMEm2oRsQ5oBUgIDTtdPXNyMSM=,tag:3fKzTuJT4GQMCZLX7D9Vsg==,type:str]
+    lastmodified: "2024-02-25T22:06:46Z"
+    mac: ENC[AES256_GCM,data:t0wh40sA6dfXmX6dJx87ZoUJBcYM78qdUbHle0QP7HbKVdROPr3/nO3WkAq4b6ty48Vnk9oSe1d5WW51nNOYY+V5HF3XTAPenFXOGFvFa3/fawcKSgUa4UhZVT+KMNGp+tGJ24D8ZJv1TDlh1yBE2z8SFJpRxL6KvO4A/CEttow=,iv:/v+ph75k5qh4EqVQwOW/IodrQO67JDzOgPGG5EPIMwE=,tag:aGlvjTEXJ3mwYrhM1kVhng==,type:str]
     pgp:
         - created_at: "2023-12-26T17:16:46Z"
           enc: |-