diff --git a/services.nix b/services.nix
index 0c6a9f9..d819e24 100644
--- a/services.nix
+++ b/services.nix
@@ -1,6 +1,48 @@
 { config, pkgs, ... }:
 
 {
+  services.haproxy.enable = true;
+  services.haproxy.config = ''
+    defaults
+      log /dev/log local0
+      log /dev/log local1 notice
+      chroot /var/lib/haproxy
+      user haproxy
+      group haproxy
+      option forwardfor
+      option http-server-close
+    frontend www-http
+      bind tars.nyanlout.re:80
+      reqadd X-Forwarded-Proto:\ http
+      default_backend www-backend
+    frontend www-https
+      bind tars.nyanlout.re:443 ssl crt /var/lib/acme/tars.nyanlout.re/fullchain.pem
+      reqadd X-Forwarded-Proto:\ https
+      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+      use_backend letsencrypt-backend if letsencrypt-acl
+      default_backend www-backend
+    backend www-backend
+      redirect scheme https if !{ ssl_fc }
+      server www-1 127.0.0.1:3000 check
+    backend letsencrypt-backend
+      server letsencrypt 127.0.0.1:54321
+  '';
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts = {
+    "acme" = {
+      listen = [ { port = 54321; } ];
+      locations = { "/" = { root = "/var/www/challenges" }; };
+    };
+  };
+
+  security.acme.certs = {
+    "tars.nyanlout.re" = {
+      webroot = "/var/www/challenges";
+      email = "paul@nyanlout.re";
+    };
+  };
+
   services.influxdb.enable = true;
   services.influxdb.dataDir = "/var/db/influxdb";
 
@@ -64,6 +106,7 @@
   };
 
   networking.firewall.allowedTCPPorts = [
+    80 443 # HAProxy
     3000 # Grafana
     8096 # Emby
     111 2049 4000 4001 4002 # NFS