diff --git a/machine/empyrean/default.nix b/machine/empyrean/default.nix
index 7521dca..52f90a9 100644
--- a/machine/empyrean/default.nix
+++ b/machine/empyrean/default.nix
@@ -74,6 +74,45 @@
 # Home service stub domains
 "mopidy.home.ktvb.site" = service-stub;
 "jellyfin.home.ktvb.site" = service-stub;
+ # mTLS secure domains
+ "www.secure.ktvb.site" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/srv/www.secure.ktvb.site";
+ extraConfig = ''
+ # Enable mTLS
+ ssl_verify_client on;
+ ssl_client_certificate /etc/nginx/client-ca.crt;
+ index index.html;
+ '';
+ };
+ "mopidy.secure.ktvb.site" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://10.22.20.2";
+ locations."/mopidy/ws" = {
+ proxyPass = "http://10.22.20.2";
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+ extraConfig = ''
+ # Enable mTLS
+ ssl_verify_client on;
+ ssl_client_certificate /etc/nginx/client-ca.crt;
+ '';
+ };
+ "immich.secure.ktvb.site" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://10.22.20.8:2283";
+ extraConfig = ''
+ # enable mTLS
+ ssl_verify_client on;
+ ssl_client_certificate /etc/nginx/client-ca.crt;
+ '';
+ };
 # mirror revproxy
 "mirror.alogoulogoi.com" = {
 enableACME = true;
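Review bot: The three `ssl_verify_client on;` blocks pin trust to `/etc/nginx/client-ca.crt` with no `ssl_crl`, so a lost or leaked client certificate stays accepted on every `.secure.ktvb.site` vhost until the whole CA is rotated; add `ssl_crl /etc/nginx/client-ca.crl;` next to each `ssl_client_certificate` line (or issue short-lived client certs), and set `ssl_verify_depth` explicitly if the client certs are signed by an intermediate rather than the CA in that file. Nothing in the hunk shows that path being managed by Nix, and if the file is absent at activation nginx's config check fails and every vhost on this host goes down, so referencing the CA through a store path (`ssl_client_certificate ${./client-ca.crt};` or an `environment.etc."nginx/client-ca.crt"` entry) would make the dependency explicit — a CA certificate is public, so the store is fine for it. The hand-written `/mopidy/ws` location sets the Upgrade/Connection headers but not `proxy_http_version 1.1`, which the upgrade to the upstream needs unless `recommendedProxySettings` is enabled elsewhere in the file; `proxyWebsockets = true;` on that location is the module's idiom and covers both. Since the same mTLS `extraConfig` is repeated three times, a shared attrset in the spirit of the existing `service-stub` would keep the three vhosts from drifting.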