diff --git a/machines/okarin/configuration.nix b/machines/okarin/configuration.nix
index c4541d1..021a7d0 100644
--- a/machines/okarin/configuration.nix
+++ b/machines/okarin/configuration.nix
@@ -5,7 +5,7 @@
 ./hardware-configuration.nix
 ../../modules
- ./services/maggus.bayern.nix
+ ./services/static-sites.nix
 ./services/proxy.nix
 ];
diff --git a/machines/okarin/services/maggus.bayern.nix b/machines/okarin/services/maggus.bayern.nix
deleted file mode 100644
index c7e02a0..0000000
--- a/machines/okarin/services/maggus.bayern.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ pkgs, ... }:
-
-{
- users.users.maggus = {
- isSystemUser = true;
- group = "maggus";
- shell = "/bin/sh";
-
- openssh.authorizedKeys.keys = map (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/maggus.bayern/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}") [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
- ];
- };
- users.groups.maggus = { };
-
- systemd.tmpfiles.rules = [
- "d /var/www/maggus.bayern 0755 maggus root -"
- ];
-
- services.nginx.virtualHosts = {
- "maggus.bayern" = {
- enableACME = true;
- forceSSL = true;
- root = "/var/www/maggus.bayern";
- };
- "www.maggus.bayern" = {
- enableACME = true;
- forceSSL = true;
- globalRedirect = "maggus.bayern";
- };
- };
-}
diff --git a/machines/okarin/services/static-sites.nix b/machines/okarin/services/static-sites.nix
new file mode 100644
index 0000000..756e92f
--- /dev/null
+++ b/machines/okarin/services/static-sites.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+
+{
+ sbruder.static-webserver.vhosts = {
+ "maggus.bayern".user = {
+ name = "maggus";
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+ ] ++ config.sbruder.pubkeys.trustedKeys;
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 10dee35..a3a083a 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -47,6 +47,7 @@
 ./restic
 ./secrets.nix
 ./ssh.nix
+ ./static-webserver.nix
 ./syncthing.nix
 ./tmux.nix
 ./tools.nix
diff --git a/modules/static-webserver.nix b/modules/static-webserver.nix
new file mode 100644
index 0000000..0ee1635
--- /dev/null
+++ b/modules/static-webserver.nix
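Review bot: Every key in `config.sbruder.pubkeys.trustedKeys` now gets rsync write access to the maggus.bayern webroot, on top of the two `nils` keys this vhost lists explicitly, and nothing in the file records why the upload account is opened to that whole set. Presumably these are the host administrator's keys, which already have broader access to the machine, but a reader cannot tell from this file whether the widening is intended or a convenience that should be scoped down later. A one-line comment above `] ++ config.sbruder.pubkeys.trustedKeys;`, such as `# trustedKeys: administrator keys that may also deploy this site`, would record the intent.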
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.sbruder.static-webserver;
+in
+{
+ options.sbruder.static-webserver = {
+ root = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/www";
+ };
+ vhosts = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule ({ name, vhostCfg, ... }: {
+ options = {
+ redirects = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ "www.${name}" ];
+ };
+ root = lib.mkOption {
+ type = lib.types.str;
+ default = "${cfg.root}/${name}";
+ };
+ user = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ };
+ keys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ };
+ };
+ };
+ }));
+ default = { };
+ };
+ };
+
+ config = lib.mkIf (cfg.vhosts != { }) {
+ users.users = lib.mapAttrs'
+ (_: { user, root, ... }: lib.nameValuePair user.name {
+ isSystemUser = true;
+ group = user.name;
+ shell = "/bin/sh";
+
+ openssh.authorizedKeys.keys = map
+ (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo ${root}\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
+ user.keys;
+ })
+ cfg.vhosts;
+ users.groups = lib.mapAttrs' (_: { user, ... }: lib.nameValuePair user.name { }) cfg.vhosts;
+
+ systemd.tmpfiles.rules = map
+ ({ root, user, ... }: "d ${root} 0755 ${user.name} ${user.name} -")
+ (lib.attrValues cfg.vhosts);
+
+ services.nginx.virtualHosts = lib.attrsets.mergeAttrsList
+ (lib.mapAttrsToList
+ (primaryDomain: vhostCfg:
+ ({
+ ${primaryDomain} = {
+ enableACME = true;
+ forceSSL = true;
+ root = vhostCfg.root;
+ };
+ } // (lib.listToAttrs (map
+ (domain: lib.nameValuePair domain {
+ enableACME = true;
+ forceSSL = true;
+ globalRedirect = primaryDomain;
+ })
+ vhostCfg.redirects)))
+ )
+ cfg.vhosts);
+ };
+}
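Review bot: A site owner can read any file the nginx worker can read: the forced command `rrsync -wo ${root}` confines writes to the webroot but, as far as I can tell, does not reject symlinks uploaded with `rsync -a`, and the `${primaryDomain}` vhost serves `vhostCfg.root` with nginx's default of following symlinks, so a link to `/etc/passwd` or any other file readable by the nginx user placed in the webroot becomes fetchable over HTTPS. Adding `extraConfig = "disable_symlinks if_not_owner from=${vhostCfg.root};";` to the generated primary vhost (or `disable_symlinks on;` if these sites never need symlinks) stops nginx from following links whose target is owned by someone other than the uploading user. Separately, two vhosts configured with the same `user.name` collapse silently into one entry under `lib.mapAttrs'`, dropping one vhost's keys and root; an assertion that `lib.mapAttrsToList (_: v: v.user.name) cfg.vhosts` contains no duplicates would turn that into an evaluation error. The `vhostCfg` name in the submodule pattern `({ name, vhostCfg, ... }:` is not an argument the module system supplies and is unused in the body, so `({ name, ... }: {` is all that is needed there.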