diff --git a/flake.nix b/flake.nix
index 5d7bf45..b658da8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -89,6 +89,14 @@
 (mkHomeManagerConfig {})
 ];
 };
+ wintermute = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ ./hosts/wintermute/configuration.nix
+ ];
+ };
+
 bootstrap = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = { inherit inputs; };
diff --git a/hosts/wintermute/caddy.nix b/hosts/wintermute/caddy.nix
new file mode 100644
index 0000000..a9d1e04
--- /dev/null
+++ b/hosts/wintermute/caddy.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+ # String = simple site, Attrset = custom site.
+ sites = {
+ "analytics.figtree.dev" = "http://192.168.80.1:3300";
+ "figtree.dev" = "http://192.168.1.63:8080";
+ "files.figtree.dev" = "http://192.168.80.4:8080";
+ "git.figtree.dev" = "http://192.168.80.8:3000";
+ "nc.figtree.dev" = "http://192.168.1.62:11000";
+ "paperless.figtree.dev" = "http://192.168.1.63:8010";
+ "photos.figtree.dev" = "http://192.168.80.1:2283";
+ "shiori.figtree.dev" = "http://192.168.80.4:8234";
+ "tasks.figtree.dev" = "http://192.168.80.7:3456";
+ "www.figtree.dev" = "http://192.168.1.63:8080";
+ "ha.figtree.dev" = "http://192.168.1.50:8123";
+ # "budget.figtree.dev" = "http://192.168.80.1:5006";
+
+ # .lan domains automatically get "tls internal"
+ "home.lan" = "http://192.168.1.63:3000";
+ "budget.lan" = "http://192.168.80.1:5006";
+ "torrent.lan" = "http://192.168.1.65:8080";
+ "books.lan" = "http://192.168.80.4:8010";
+ "recipes.lan" = "http://192.168.80.4:8222";
+ "jelly.lan" = "http://192.168.80.4:8096";
+ "plex.lan" = "http://192.168.1.63:32400";
+ };
+
+ # Normalize sites:
+ # 1. Turn strings into { backend = "..."; }.
+ # 2. Automatically prepend `tls internal` for any domain ending in .lan.
+ normalizedSites = lib.mapAttrs (domain: siteConfig:
+ let
+ baseConfig = if lib.isString siteConfig then { backend = siteConfig; } else siteConfig;
+ isLanDomain = lib.hasSuffix ".lan" domain;
+ in
+ if isLanDomain then
+ baseConfig // {
+ extraBefore = ''
+ tls internal
+ ${lib.optionalString (baseConfig ? extraBefore) baseConfig.extraBefore}
+ '';
+ }
+ else
+ baseConfig
+ ) sites;
+
+ mkVHost = cfg: {
+ extraConfig = ''
+ ${lib.optionalString (cfg ? extraBefore) cfg.extraBefore}
+ reverse_proxy ${cfg.backend}
+ ${lib.optionalString (cfg ? extra) cfg.extra}
+ '';
+ };
+in
+{
+ services.caddy = {
+ enable = true;
+ virtualHosts = lib.mapAttrs (_: cfg: mkVHost cfg) normalizedSites;
+ };
+}
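Review bot: The `# String = simple site, Attrset = custom site.` comment above `sites` does not say which keys a custom attrset may carry, while `normalizedSites` and `mkVHost` together read three of them: `backend` (required — `reverse_proxy ${cfg.backend}` fails evaluation without it), and `extraBefore` / `extra` (optional, spliced verbatim into the vhost block before and after the `reverse_proxy` line). Extend the comment to something like `# Attrset keys: backend (required upstream URL); extraBefore / extra (optional raw Caddyfile lines emitted before / after reverse_proxy)`. It is also worth recording in that header that every upstream is a plain `http://` address on 192.168.1.x or 192.168.80.x, so the Caddy-to-backend hop is unencrypted and the public `.figtree.dev` hosts (which, lacking `tls internal`, presumably get certificates via Caddy's automatic HTTPS) rely on those networks being trusted. Minor style point: the module takes `config`, `pkgs` and `inputs` but only uses `lib`; the unused arguments can be dropped.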
diff --git a/hosts/wintermute/configuration.nix b/hosts/wintermute/configuration.nix
new file mode 100644
index 0000000..f81c3ba
--- /dev/null
+++ b/hosts/wintermute/configuration.nix
@@ -0,0 +1,35 @@
+{ config, modulesPath, pkgs, inputs, ... }:
+
+{
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ../modules/core.nix
+ ./caddy.nix
+ ];
+
+ nix.settings.sandbox = false;
+
+ proxmoxLXC = {
+ manageNetwork = false;
+ privileged = true;
+ };
+
+ networking.hostName = "wintermute";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ nssmdns6 = true;
+ publish = {
+ enable = true;
+ addresses = true;
+ };
+ openFirewall = true;
+ };
+
+ documentation.man.man-db.enable = false;
+
+ system.stateVersion = "25.11";
+}
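Review bot: `proxmoxLXC.privileged = true;` is set with no comment explaining why a host whose only job is the Caddy reverse proxy on ports 80/443 needs a privileged container, and it sits next to `nix.settings.sandbox = false;`, which is the usual workaround for unprivileged LXCs where the build sandbox cannot create user namespaces — having both suggests they were carried over from a template rather than chosen together. If the container really is privileged, check whether the sandbox can stay enabled; if it can run unprivileged, drop `privileged`, since an internet-facing Caddy in a privileged LXC has a much larger blast radius on the Proxmox host if it is compromised. Either way, add a one-line comment on each setting recording the reason, e.g. `# privileged: needed for <reason — TODO confirm>`.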