diff --git a/roles/cryptpad.nix b/roles/cryptpad.nix
new file mode 100644
index 0000000..d28f960
--- /dev/null
+++ b/roles/cryptpad.nix
@@ -0,0 +1,77 @@
+# NixOps configuration for the hosts running a Cryptpad server
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ services.cryptpad = {
+ enable = true; # Enable Cryptpad server
+ };
+
+ services.nginx = {
+ enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."pad.mcwhirter.io" = { # Cryptpad hostname
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ locations = {
+ "/".proxyPass = "http://[::]:3000/";
+ "^~ /cryptpad_websocket" = {
+ proxyPass = "http://[::]:3000";
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WebSocket support (nginx 1.4)
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ '';
+ };
+ "^~ /customize.dist/" = {
+ # This is needed in order to prevent infinite recursion between /customize/ and the root
+ };
+ "^~ /customize/" = {
+ extraConfig = ''
+ rewrite ^/customize/(.*)$ $1 break;
+ '';
+ tryFiles = "/customize/$uri /customize.dist/$uri";
+ };
+ "/api/config" = {
+ proxyPass = "http://localhost:3000";
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ "^~ /block/" = {
+ extraConfig = ''
+ add_header Cache-Control max-age=0;
+ '';
+ tryFiles = "$uri =404";
+ };
+ "~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$" = {
+ extraConfig = ''
+ rewrite ^(.*)$ $1/ redirect;
+ '';
+ };
+ };
+ #extraConfig = ''
+ # try_files /www/$uri /www/$uri/index.html /customize/$uri;
+ #'';
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs = {
+ "pad.mcwhirter.io".email = "craige@mcwhirter.io";
+
+ };
+ };
+
+}
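Review bot: The `"/api/config"` location proxies to `http://localhost:3000` while `"/"` and `"^~ /cryptpad_websocket"` use `http://[::]:3000`, so this one path can resolve to a different address family (127.0.0.1 versus the IPv6 wildcard) and may fail if the Cryptpad service listens on only one of them; use the same upstream for all three, e.g. `proxyPass = "http://[::]:3000";`. The `"^~ /customize.dist/"` location holds only a comment and no directives, and the virtual host sets no `root`, so what nginx serves under that prefix depends entirely on the module's default document root — worth confirming it points at Cryptpad's static files rather than an unrelated directory. `proxy_set_header Connection upgrade;` is hard-coded; if the `$connection_upgrade` map is in scope for this host, `proxy_set_header Connection $connection_upgrade;` would avoid forcing an upgrade on plain HTTP requests to that prefix. Apart from `Cache-Control` on `/block/`, this host sets no response headers; if the Cryptpad module does not emit a Content-Security-Policy of its own, it would have to be added here, since Cryptpad's sandboxing of editor and document origins depends on it.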