diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 2e915a3..b9f5e42 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -22,6 +22,7 @@
 modules.services.nginx
 modules.services.postgres
 modules.services.unbound
+ modules.services.website
 ./filesystem.nix
 ./kernel.nix
diff --git a/modules/default.nix b/modules/default.nix
index 8a66d93..9a1898a 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -26,6 +26,7 @@ in {
 ./services/transmission.nix
 ./services/unbound.nix
 ./services/vaultwarden.nix
+ ./services/website.nix
 ];
 system = mkAttrsFromPaths [
 ./system/aagl.nix
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index eb4767b..be8adaf 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -1,4 +1,4 @@
-{ config, inputs, ... }: {
+{ config, ... }: {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 security.acme = {
 acceptTerms = true;
diff --git a/modules/services/website.nix b/modules/services/website.nix
new file mode 100644
index 0000000..5e7a223
--- /dev/null
+++ b/modules/services/website.nix
@@ -0,0 +1,24 @@
+{ inputs, ... }: {
+ services.nginx.virtualHosts = {
+ "lava.moe" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ root = inputs.website.outPath;
+ };
+ "cdn.lava.moe" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ root = "/persist/cdn";
+ };
+ "_" = {
+ default = true;
+ addSSL = true;
+ # TODO generate this somewhere
+ sslCertificate = "/persist/fakeCerts/fake.crt";
+ sslCertificateKey = "/persist/fakeCerts/fake.key";
+ extraConfig = ''
+ return 444;
+ '';
+ };
+ };
+}
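Review bot: The catch-all `"_"` vhost in the new `modules/services/website.nix` depends on `/persist/fakeCerts/fake.crt` and `/persist/fakeCerts/fake.key`, which nothing in this change creates or manages. A missing or unreadable file would most likely fail the nginx config check and take `lava.moe` and `cdn.lava.moe` down with it. That certificate exists only so the TLS handshake can finish before `return 444;`. If the deployed nginx is 1.19.4 or newer, replacing `addSSL = true;` and the two `sslCertificate*` lines with `rejectSSL = true;` refuses the handshake without any certificate, which resolves the TODO and leaves no private key under `/persist` whose ownership and mode need looking after. After switching, confirm that plain-HTTP requests for unknown hosts still reach this default server.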