diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index a06b003..86dae4d 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -69,5 +69,9 @@
     nitter-config = {
       file = ./nitter/config.age;
     };
+
+    nitter-auth = {
+      file = ./nitter/auth.age;
+    };
   };
 }
diff --git a/agenix/hosts/sail/nitter/auth.age b/agenix/hosts/sail/nitter/auth.age
new file mode 100644
index 0000000..fe3448d
--- /dev/null
+++ b/agenix/hosts/sail/nitter/auth.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 MtGp6g C5+QHpB3eGllrFooaLK+9oQD85593tINMrFULP6BwkA
+hWYPmH2nEBiL70xoHpY5zPpYP2GvZNrRFaheCyyFgb4
+-> ssh-ed25519 NbV4hw Jf+0XhUx+OyLPijrbWe9r0ZPjvG0fpKTJPzRo2lBSBQ
+PkFvC59DidoMKbGFxdLeS+A2WRofeUsLl5FRSezWVIE
+-> qJKfV-grease
+T2novACQv6OJIJrNnNVby8vYTW38Tg
+--- 1v41uCUA6qXJNkzYDAQhRKnJrDcQMaURSVlFFpsfA8o
+S“¨\k0?¹ã€ZŠ4þJ"~–…›ZJæJ¹9í$éòGÿâÉ%,ä7I¯
vÄÜà!ñö¡±´zzõ¹’s“Èiü	X
+"ëØ_¯K
diff --git a/secrets.nix b/secrets.nix
index 75a4544..923c78c 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -23,4 +23,5 @@ in
   "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail;
 
   "agenix/hosts/sail/nitter/config.age".publicKeys = sail;
+  "agenix/hosts/sail/nitter/auth.age".publicKeys = sail;
 }
diff --git a/system/nixos/nitter.nix b/system/nixos/nitter.nix
index ce7f7a1..afba923 100644
--- a/system/nixos/nitter.nix
+++ b/system/nixos/nitter.nix
@@ -22,4 +22,25 @@
       };
     };
   };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."nitter.only.internal" = {
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 80;
+        }
+      ];
+
+      forceSSL = false;
+      enableACME = false;
+      basicAuthFile = config.age.secrets.nitter-auth.path;
+
+      locations."/" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://127.0.0.1:8001";
+      };
+    };
+  };
 }