diff --git a/modules/services/nix-cache-client.nix b/modules/services/nix-cache-client.nix
index 3037053..83504e8 100644
--- a/modules/services/nix-cache-client.nix
+++ b/modules/services/nix-cache-client.nix
@@ -31,7 +31,7 @@ in
  ];
  distributedBuilds = true;
  settings = {
- substituters = [ "ssh://nix-ssh@cache.sinerva.eu" ];
+ substituters = [ "https://cache.sinerva.eu" ];
  trusted-public-keys = [ "cache.sinerva.eu:TaIhyAKozO/r88EBWMSdbp+TB0YlcXT/EADunYoYLVc=" ];
  builders-use-substitutes = true;
  max-jobs = lib.mkIf cfg.disableLocalBuilds 0;
diff --git a/modules/services/nix-cache-server.nix b/modules/services/nix-cache-server.nix
index 879ed57..5358a85 100644
--- a/modules/services/nix-cache-server.nix
+++ b/modules/services/nix-cache-server.nix
@@ -1,6 +1,7 @@
  { config, lib, ... }:
  let
  cfg = config.custom.services.nixCacheServer;
+ cacheDomain = "cache.sinerva.eu";
  in
  {
  options.custom.services.nixCacheServer.enable = lib.mkEnableOption "Nix SSH cache server";
@@ -8,6 +9,21 @@ in
  config = lib.mkIf cfg.enable {
  sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;
 
+ services = {
+ nix-serve = {
+ enable = true;
+ bindAddress = "127.0.0.2";
+ port = 8081;
+ secretKeyFile = config.sops.secrets.priv-cache-key.path;
+ };
+
+ nginx.virtualHosts = {
+ ${cacheDomain}.locations."/" = {
+ proxyPass = "http://127.0.0.2:8081";
+ };
+ };
+ };
+
  nix = {
  extraOptions = ''
  secret-key-files = ${config.sops.secrets.priv-cache-key.path}
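Review bot: With the substituter moved from `ssh://` to `https://`, nothing on the changed line tells a reader that these machines now rely on the signature check against `trusted-public-keys` (the next line) to reject a tampered or spoofed cache. A comment above `substituters` would make that explicit, for example `# HTTPS cache; store paths are accepted only when signed by the key in trusted-public-keys`. The `settings` block continues outside the hunk, so whether `require-sigs` is overridden elsewhere cannot be seen from here.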
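Review bot: The option description on the context line still reads `lib.mkEnableOption "Nix SSH cache server"`, although this commit makes the module serve the cache through nix-serve behind nginx. If SSH serving is being retired, the description should follow, e.g. `lib.mkEnableOption "Nix binary cache server (nix-serve behind nginx)"`. The new `cacheDomain` value also exists as a literal in nix-cache-client.nix (substituter URL and key name), so a comment such as `# must match the substituter host in nix-cache-client.nix` next to the binding would help keep the two in step.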
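Review bot: The new `${cacheDomain}` virtual host sets only `locations."/"` and no TLS option is visible in this hunk, while the client in the same commit now fetches from `https://cache.sinerva.eu`. Unless certificates for this host are configured elsewhere, declare them here, e.g. `${cacheDomain} = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.2:8081"; };`. nix-serve answers for any path in this host's store, so read access moves from holders of the SSH key to anyone who can reach the vhost; if that is not intended, restrict the location with an `allow`/`deny` list or authentication in its `extraConfig`. `proxyPass` also repeats the address and port as literals, and building it from `config.services.nix-serve.bindAddress` and `.port` would avoid drift. The `config = lib.mkIf cfg.enable` block and the `extraOptions` string both continue past the end of the hunk.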