diff --git a/machines/okarin/configuration.nix b/machines/okarin/configuration.nix
index ff39e93..c4541d1 100644
--- a/machines/okarin/configuration.nix
+++ b/machines/okarin/configuration.nix
@@ -5,6 +5,7 @@
 ./hardware-configuration.nix
 ../../modules
+ ./services/maggus.bayern.nix
 ./services/proxy.nix
 ];
diff --git a/machines/okarin/services/maggus.bayern.nix b/machines/okarin/services/maggus.bayern.nix
new file mode 100644
index 0000000..c7e02a0
--- /dev/null
+++ b/machines/okarin/services/maggus.bayern.nix
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+
+{
+ users.users.maggus = {
+ isSystemUser = true;
+ group = "maggus";
+ shell = "/bin/sh";
+
+ openssh.authorizedKeys.keys = map (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/maggus.bayern/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}") [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+ ];
+ };
+ users.groups.maggus = { };
+
+ systemd.tmpfiles.rules = [
+ "d /var/www/maggus.bayern 0755 maggus root -"
+ ];
+
+ services.nginx.virtualHosts = {
+ "maggus.bayern" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/maggus.bayern";
+ };
+ "www.maggus.bayern" = {
+ enableACME = true;
+ forceSSL = true;
+ globalRedirect = "maggus.bayern";
+ };
+ };
+}
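Review bot: Symlinks uploaded through the rrsync key can point outside `/var/www/maggus.bayern/`, and nginx follows symlinks by default, so the `maggus.bayern` vhost may end up serving any file the nginx user can read; `rrsync -wo` limits where the key can write, not where written links resolve. Consider adding `-munge` to the forced command (`rrsync -wo -munge /var/www/maggus.bayern/`, assuming the packaged rrsync supports it) or setting `extraConfig = "disable_symlinks if_not_owner;";` on the vhost that has `root`. Separately, the hand-maintained `no-agent-forwarding,...,no-X11-forwarding` list could be replaced with `restrict,command=\"...\"`, which also covers restrictions OpenSSH adds later. Both keys carry the same `nils` comment; distinct comments would make it easier to tell which one to revoke.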