diff --git a/configuration/default.nix b/configuration/default.nix
index efa0152..5c0a12d 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -28,6 +28,7 @@ let
 trackSystemMetrics = (import ./lib/track-system-metrics.nix);
 trackServiceMetrics = (import ./lib/track-service-metrics.nix);
 httpHealthChecks = (import ./lib/http-health-checks.nix);
+ nginx = (import ./lib/nginx.nix);
 in {
 network = {
 inherit pkgs;
@@ -111,17 +112,7 @@ in {
 (trackSystemMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
 (trackServiceMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
 (httpHealthChecks {
- http = [
- "iomfats.cryto.net"
- "castleroland.cryto.net"
- "awesomedude.cryto.net"
- "matrix-rooms.cryto.net"
- "validatem.cryto.net"
- "nixos-manual-mdx.cryto.net"
- "geojson.cryto.net"
- "ossworks.nl"
- ];
- https = [
+ both = [
 "iomfats.cryto.net"
 "castleroland.cryto.net"
 "awesomedude.cryto.net"
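Review bot: The `+ both = [` line switches this call site (and the ones in the later hunks) from separate `http`/`https` lists to a single `both` attribute, but `lib/http-health-checks.nix` is not part of this diff, so nothing here shows the helper accepting it; depending on how its argument pattern is written, an unknown attribute either fails evaluation or, with a `...` pattern, leaves these hosts unchecked without any error. Worth confirming the helper change is in the same deployment, and a one-line comment at the call site would make the contract visible, e.g. `# both: probe each host over http and https`. The host list continues past the end of this hunk.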
@@ -132,64 +123,28 @@ in {
 "ossworks.nl"
 ];
 })
- ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- services.borgbackup.jobs.system = {
- paths = "/";
- exclude = [
- "/nix"
- "/boot"
- "/sys"
- "/run"
- "/tmp"
- "/dev"
- "/proc"
- ];
- repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
- encryption = {
- mode = "repokey-blake2";
- passphrase = (import ../private/machine-haless-03.cryto.net/borg-passphrase.nix);
- };
- compression = "auto,zlib";
- startAt = "daily";
- };
-
- services.nginx = {
- enable = true;
- virtualHosts = {
- "404.cryto.net" = {
- default = true;
- extraConfig = ''
- return 404;
- '';
- };
- "modular-matrix.cryto.net" = lib.mkMerge [
+ (nginx {
+ "modular-matrix.cryto.net" = [
 (nginxPresets.letsEncrypt)
 { root = ./sources/modular-matrix; }
 ];
- "geojson.cryto.net" = lib.mkMerge [
+ "geojson.cryto.net" = [
 (nginxPresets.letsEncrypt)
 { root = ../../image-to-geojson/static; }
 ];
- # "validatem.cryto.net" = lib.mkMerge [
- # (nginxPresets.letsEncrypt)
- # { root = ./sources/validatem-site; }
- # ];
- "validatem.cryto.net" = lib.mkMerge [
+ "validatem.cryto.net" = [
 (nginxPresets.letsEncrypt)
 { root = ../../validatem/site/build; }
 ];
- "ossworks.nl" = lib.mkMerge [
+ "ossworks.nl" = [
 (nginxPresets.letsEncrypt)
 { root = ../../ossworks-site/build; }
 ];
- "nixos-manual-mdx.cryto.net" = lib.mkMerge [
+ "nixos-manual-mdx.cryto.net" = [
 (nginxPresets.letsEncrypt)
 { root = ../../nixos-manual-mdx/build; }
 ];
- "haless.cryto.net" = lib.mkMerge [
+ "haless.cryto.net" = [
 (nginxPresets.letsEncrypt)
 {
 locations."/shadow/" = {
@@ -200,37 +155,59 @@ in {
 };
 }
 ];
- "books.cryto.net" = lib.mkMerge [
+ "books.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.phpDisabled)
 ];
- "todo.cryto.net" = lib.mkMerge [
+ "todo.cryto.net" = [
 (nginxPresets.phpDisabled)
 ];
- "learn.cryto.net" = lib.mkMerge [
+ "learn.cryto.net" = [
 (nginxPresets.phpDisabled)
 ];
- "vps-list.cryto.net" = lib.mkMerge [
+ "vps-list.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.phpDisabled)
 ];
- "iomfats.cryto.net" = lib.mkMerge [
+ "iomfats.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
 ];
- "castleroland.cryto.net" = lib.mkMerge [
+ "castleroland.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
 ];
- "awesomedude.cryto.net" = lib.mkMerge [
+ "awesomedude.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
 ];
- "matrix-rooms.cryto.net" = lib.mkMerge [
+ "matrix-rooms.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://127.0.0.1:3842/")
 ];
+ })
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.borgbackup.jobs.system = {
+ paths = "/";
+ exclude = [
+ "/nix"
+ "/boot"
+ "/sys"
+ "/run"
+ "/tmp"
+ "/dev"
+ "/proc"
+ ];
+ repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
+ encryption = {
+ mode = "repokey-blake2";
+ passphrase = (import ../private/machine-haless-03.cryto.net/borg-passphrase.nix);
 };
+ compression = "auto,zlib";
+ startAt = "daily";
 };
 
 users.groups.mobile-proxy = {};
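Review bot: The moved `+ passphrase = (import ../private/machine-haless-03.cryto.net/borg-passphrase.nix);` line places the borg repokey passphrase in the evaluated system configuration, which lands in the Nix store on the target and is therefore readable by every local user; the NixOS borgbackup module's `encryption.passCommand` option, pointed at a root-only file deployed outside the store, keeps the secret out of the store. The commit only relocates this line, so this is a follow-up rather than a defect introduced here, but the move is a good moment to note it with `# TODO: switch to encryption.passCommand; passphrase ends up world-readable in /nix/store`. Separately, `todo.cryto.net` and `learn.cryto.net` are the only entries in the new `nginx { … }` attrset without `nginxPresets.letsEncrypt`, so they remain plain-HTTP vhosts; if that is intentional for these two, a short comment on each entry would save the next reader a question.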
@@ -309,6 +286,15 @@ in {
 (tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
 (trackSystemMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
 (trackServiceMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
+ (httpHealthChecks {
+ both = [ "git.cryto.net" ];
+ })
+ (nginx {
+ "git.cryto.net" = [
+ (nginxPresets.letsEncrypt)
+ (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+ ];
+ })
 ];
 
 services.postgresql = {
@@ -334,22 +320,6 @@ in {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
- services.nginx = {
- enable = true;
- virtualHosts = {
- "404.cryto.net" = {
- default = true;
- extraConfig = ''
- return 404;
- '';
- };
- "git.cryto.net" = lib.mkMerge [
- (nginxPresets.letsEncrypt)
- (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
- ];
- };
- };
- # NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks # systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
@@ -484,36 +454,25 @@ in {
 # "nix-cache.cryto.net" # Not directory-indexable
 ];
 })
- ];
-
- services.nginx = {
- enable = true;
- virtualHosts = {
- "404.cryto.net" = {
- # Pseudo-hostname just to set a default when no Host header is specified
- default = true;
- extraConfig = ''
- return 404;
- '';
- };
- "hydra.cryto.net" = lib.mkMerge [
+ (nginx {
+ "hydra.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://localhost:3333/")
 ];
- "prometheus.cryto.net" = lib.mkMerge [
+ "prometheus.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://localhost:9090/")
 ];
- "metrics.cryto.net" = lib.mkMerge [
+ "metrics.cryto.net" = [
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://localhost:8452/")
 ];
- "nix-cache.cryto.net" = lib.mkMerge [
+ "nix-cache.cryto.net" = [
 (nginxPresets.letsEncrypt)
 { root = "/var/lib/hydra-builds"; }
 ];
- };
- };
+ })
+ ];
 
 services.postgresql = {
 enable = true;
diff --git a/configuration/lib/nginx.nix b/configuration/lib/nginx.nix
new file mode 100644
index 0000000..7df93ce
--- /dev/null
+++ b/configuration/lib/nginx.nix
@@ -0,0 +1,17 @@
+hosts: { lib, ... }:
+ let
+ mapMkMerge = builtins.mapAttrs (_host: configs: lib.mkMerge configs);
+ in {
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "404.cryto.net" = {
+ # Pseudo-hostname just to set a default when no Host header is specified
+ default = true;
+ extraConfig = ''
+ return 404;
+ '';
+ };
+ } // mapMkMerge hosts;
+ };
+ }
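Review bot: The `"404.cryto.net"` catch-all in the new `lib/nginx.nix` only covers plain HTTP: with `default = true` and none of `addSSL`/`forceSSL`/`onlySSL`, the NixOS module gives it a `default_server` listen on port 80 only, so an HTTPS request with an unknown or absent SNI name falls through to whichever TLS vhost nginx treats as default and is answered with that site's certificate and content instead of a 404. If the deployed NixOS release has it, `rejectSSL = true;` on that vhost (backed by nginx's `ssl_reject_handshake`) closes the gap; otherwise an `addSSL` vhost with a self-signed certificate does. Because the two attrsets are joined with `//`, a caller that passes a `"404.cryto.net"` entry silently replaces the catch-all rather than merging with it, which is worth stating in a header comment such as `# hosts: vhost name -> list of config fragments; each list is lib.mkMerge'd and added alongside the 404 default vhost`. The same comment could note that `networking.firewall.allowedTCPPorts = [ 80 443 ];` is still left to each machine, since this module enables nginx without opening the ports.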