diff --git a/flake.nix b/flake.nix
index 8f807bb..e7e5033 100644
--- a/flake.nix
+++ b/flake.nix
@@ -157,6 +157,12 @@
 isServer = true;
 };
+ "cyper-proxy" = mkSystem {
+ hostName = "cyper-proxy";
+ system = "x86_64-linux";
+ isServer = true;
+ };
+
 "cyper-node-1" = mkSystem {
 hostName = "cyper-node-1";
 system = "x86_64-linux";
diff --git a/hosts/cyper-proxy/configuration.nix b/hosts/cyper-proxy/configuration.nix
new file mode 100644
index 0000000..e721792
--- /dev/null
+++ b/hosts/cyper-proxy/configuration.nix
@@ -0,0 +1,30 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../nixos/roles/nginx.nix
+ ];
+
+ networking = {
+ hostName = "cyper-proxy";
+ useNetworkd = true;
+ useDHCP = false;
+ firewall.enable = true;
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."10-venet" = {
+ matchConfig.Name = "venet0";
+ networkConfig = {
+ Address = "178.254.8.35/24";
+ DNS = "178.254.16.141 178.254.16.151";
+ DHCP = "no";
+ };
+ routes = [
+ { routeConfig.Destination = "0.0.0.0/0"; }
+ ];
+ };
+ };
+
+ system.stateVersion = "26.05";
+}
diff --git a/hosts/cyper-proxy/hardware-configuration.nix b/hosts/cyper-proxy/hardware-configuration.nix
new file mode 100644
index 0000000..ac3fc03
--- /dev/null
+++ b/hosts/cyper-proxy/hardware-configuration.nix
@@ -0,0 +1,24 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd.availableKernelModules = [ ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ loader.grub.enable = false;
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/NIXROOT";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/roles/nginx.nix b/nixos/roles/nginx.nix
new file mode 100644
index 0000000..0ab4385
--- /dev/null
+++ b/nixos/roles/nginx.nix
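Review bot: In hosts/cyper-proxy/configuration.nix the default route under `routes` sets only `Destination = "0.0.0.0/0"` and no `Gateway`, and nothing in the file says this is deliberate. If it is intended (presumably because `venet0` is a point-to-point container interface), a comment such as `# venet0 is point-to-point: default route is on-link, no gateway` above the entry would stop someone "fixing" it later and cutting the host off. Separately, I believe recent nixpkgs deprecates the `routeConfig` wrapper in favour of writing the keys directly, which is worth checking against the pinned nixpkgs given `system.stateVersion = "26.05"`.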
@@ -0,0 +1,142 @@
+{ ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "your@email.de";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+
+ virtualHosts = {
+ "git.cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:9000";
+ };
+ };
+
+ "www.cyperpunk.de" = {
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://100.109.179.25:15005";
+ proxyWebsockets = true;
+ };
+ "/grafana" = {
+ proxyPass = "http://100.109.179.25:2342";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ "search.cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:11080";
+ };
+ };
+
+ "vault.cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:8222";
+ proxyWebsockets = true;
+ };
+ };
+
+ "file.cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:10000";
+ };
+ };
+
+ "calvin.cyperpunk.de" = {
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:15006";
+ };
+ };
+
+ "cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ http2 = true;
+ extraConfig = ''
+ client_max_body_size 50m;
+ '';
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:8008";
+ proxyWebsockets = true;
+ };
+ };
+
+ "matrix.cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ http2 = true;
+ extraConfig = ''
+ client_max_body_size 50m;
+ '';
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:8008";
+ proxyWebsockets = true;
+ };
+ };
+
+ "cinny.cyperpunk.de" = {
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:8009";
+ proxyWebsockets = true;
+ };
+ };
+
+ "element.cyperpunk.de" = {
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:8010";
+ proxyWebsockets = true;
+ };
+ };
+
+ "fluffy.cyperpunk.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://100.109.179.25:8012";
+ proxyWebsockets = true;
+ };
+ };
+
+ "livekit.cyperpunk.de" = {
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.64.1:7880";
+ proxyWebsockets = true;
+ };
+ "/_matrix/livekit/jwt" = {
+ proxyPass = "http://192.168.64.1:8080";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+}
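Review bot: Five virtual hosts in nixos/roles/nginx.nix, namely `www.cyperpunk.de` (which also exposes `/grafana`), `calvin.cyperpunk.de`, `cinny.cyperpunk.de`, `element.cyperpunk.de` and `livekit.cyperpunk.de`, set `enableACME = true;` without `forceSSL`, `addSSL` or `onlySSL`. As far as I know the NixOS nginx module then only requests the certificate and keeps serving the host over plain HTTP on port 80, so logins and the `/_matrix/livekit/jwt` token exchange would travel unencrypted; adding `forceSSL = true;` to each, as the other hosts already have, closes that. `defaults.email = "your@email.de";` looks like a placeholder, so ACME account notices would go to an address nobody on this project reads, and it should be replaced with a real mailbox. A one-line comment above the `proxyPass` targets saying which private network `100.109.179.25` and `192.168.64.1` sit on would also help, since the backend hop is plain `http://` and its confidentiality depends entirely on that network.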