diff --git a/machine/backyard/default.nix b/machine/backyard/default.nix
index c8ff983..bcc11b6 100644
--- a/machine/backyard/default.nix
+++ b/machine/backyard/default.nix
@@ -26,6 +26,28 @@
 
   networking.firewall = {
     enable = true;
+    allowedTCPPorts = [
+      7474  # mirror revproxy
+    ];
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      default = {
+        default = true;
+        rejectSSL = true;
+        locations."/".return = "444";
+      };
+      "mirror.backyard.home" = {
+        listen = [
+          { addr = "10.22.20.8"; }
+          # Serve the mirror on a unique port to ensure the revproxy connects to the right vhost
+          { addr = "10.22.20.8"; port = 7474; }
+        ];
+        root = "/pool/tvb/doc/website/mirror";
+      };
+    };
   };
 
   environment.systemPackages = with pkgs; [
@@ -56,6 +78,10 @@
 
   users.groups = {
     katydid.gid = 1102;
+    tvbpoolro = {
+      gid = 1201;
+      members = [ "tvb" "nginx" ];
+    };
   };
 
   # This value governs how some stateful data, like databases, are handled
diff --git a/modules/beatific.nix b/modules/beatific.nix
index 137772c..b008717 100644
--- a/modules/beatific.nix
+++ b/modules/beatific.nix
@@ -243,6 +243,7 @@ in {
         ];
         "10.22.20.8" = [
           "backyard.home"
+          "mirror.backyard.home"
           "jellyfin.home.ktvb.site"
         ];
         "10.22.20.9" = [