diff --git a/disable-services.nix b/disable-services.nix
index 3368d42..1ec45d7 100644
--- a/disable-services.nix
+++ b/disable-services.nix
@@ -1,8 +1,6 @@
 { lib, ... }: {
- services."nginx".virtualHosts."lor.sh".enableACME = lib.mkForce false;
- services."nginx".virtualHosts."lor.sh".forceSSL = lib.mkForce false;
 systemd.services."mastodon-init-db".wantedBy = lib.mkForce [ ];
 systemd.services."mastodon-init-dirs".wantedBy = lib.mkForce [ ];
 systemd.services."mastodon-media-auto-remove".startAt = lib.mkForce [ ];
@@ -10,8 +8,6 @@
 systemd.services."mastodon-sidekiq".wantedBy = lib.mkForce [ ];
 systemd.services."mastodon-streaming".wantedBy = lib.mkForce [ ];
 systemd.services."mastodon-web".wantedBy = lib.mkForce [ ];
- systemd.services."nginx".wantedBy = lib.mkForce [ ];
- systemd.services."nginx-config-reload".wantedBy = lib.mkForce [ ];
 systemd.services."postgresqlBackup-mastodon".startAt = lib.mkForce [ ];
 systemd.services."postgresqlBackup-mastodon".wantedBy = lib.mkForce [ ];
 systemd.services."redis-mastodon".wantedBy = lib.mkForce [ ];
diff --git a/mastodon.nix b/mastodon.nix
index 9639b4a..c5a3977 100644
--- a/mastodon.nix
+++ b/mastodon.nix
@@ -62,7 +62,10 @@ let
 --host-bucket='${secrets.backup.hostBucket}' \
 $@
 '';
+ bucket = secrets.backup.bucket;
+
+ domainName = "lor.sh";
 in {
 services.postgresqlBackup = {
 enable = true;
@@ -91,21 +94,54 @@ in {
 # https://github.com/mperham/sidekiq/wiki/Memory#bloat
 systemd.services.mastodon-sidekiq.environment.MALLOC_ARENA_MAX = "2";
+ services.caddy = {
+ enable = true;
+ virtualHosts."${domainName}".extraConfig = ''
+ root * ${mastodon-lor-sh}/public
+ encode gzip
+
+ @static file
+ handle @static {
+ file_server
+ }
+
+ handle /api/v1/streaming* {
+ reverse_proxy unix//run/mastodon-streaming/streaming.socket
+ }
+
+ handle {
+ reverse_proxy unix//run/mastodon-web/web.socket
+ }
+
+ header {
+ Strict-Transport-Security "max-age=31536000;"
+ }
+
+ @5xx expression `{err.status_code} >= 500 && {err.status_code} < 600`
+ handle_errors {
+ rewrite @5xx /500.html
+ file_server
+ }
+ '';
+ };
+
+ users.users.caddy.extraGroups = [ "mastodon" ];
+
 services.mastodon = {
 enable = true;
 package = mastodon-lor-sh;
- localDomain = "lor.sh";
- configureNginx = true;
+ localDomain = "${domainName}";
+ configureNginx = false;
 smtp = {
 createLocally = false;
 authenticate = true;
 host = "smtp.eu.mailgun.org";
 port = 587;
- fromAddress = "Mastodon ";
- user = "mastodon@m.lor.sh";
+ fromAddress = "Mastodon ";
+ user = "mastodon@m.${domainName}";
 passwordFile = builtins.toFile "smtp-password" secrets.smtpPassword;
 };
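Review bot: `users.users.caddy.extraGroups = [ "mastodon" ];` gives the internet-facing web server every permission the `mastodon` group holds, not only access to the two unix sockets under `/run/mastodon-web` and `/run/mastodon-streaming` that the `reverse_proxy` lines need. Whether any credential or state file of the service is group-readable is not visible in this hunk, so I would verify that those files are owner-only and record the intent next to the line, e.g. `# caddy joins the mastodon group only to reach the web/streaming unix sockets`. Separately, the disable-services.nix hunks drop the nginx overrides without adding a Caddy equivalent, so a host importing that file presumably still starts Caddy and requests a certificate for the domain; `systemd.services."caddy".wantedBy = lib.mkForce [ ];` there would keep the previous behaviour.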