diff --git a/nixos-configurations/lindberg-build/applications/attic.nix b/nixos-configurations/lindberg-build/applications/attic.nix
deleted file mode 100644
index 05f65a4..0000000
--- a/nixos-configurations/lindberg-build/applications/attic.nix
+++ /dev/null
@@ -1,79 +0,0 @@ -{ config, pkgs, ... }: - -let - atticPort = 8080; - atticHostname = "attic.qo.is"; -in - -{ - - services.atticd = { - enable = true; - - # Replace with absolute path to your credentials file - # generate secret with - # nix run system#openssl rand 64 | base64 -w0 - # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl" - environmentFile = config.sops.secrets."attic/server_token".path; - - settings = { - listen = "127.0.0.1:${builtins.toString atticPort}"; - allowed-hosts = [ "attic.qo.is" ]; - api-endpoint = "https://attic.qo.is/"; - - # Data chunking - # - # Warning: If you change any of the values here, it will be - # difficult to reuse existing chunks for newly-uploaded NARs - # since the cutpoints will be different. As a result, the - # deduplication ratio will suffer for a while after the change. - chunking = { - # The minimum NAR size to trigger chunking - # - # If 0, chunking is disabled entirely for newly-uploaded NARs. - # If 1, all NARs are chunked. - nar-size-threshold = 64 * 1024; # 64 KiB - - # The preferred minimum size of a chunk, in bytes - min-size = 16 * 1024; # 16 KiB - - # The preferred average size of a chunk, in bytes - avg-size = 64 * 1024; # 64 KiB - - # The preferred maximum size of a chunk, in bytes - max-size = 256 * 1024; # 256 KiB - }; - - garbage-collection.default-retention-period = "6 months"; - - database.url = "postgresql:///atticd?host=/run/postgresql"; - }; - }; - - imports = [ ../../../defaults/webserver ]; - - # Note: Attic cache availability is "best effort", so no artifacts are backed up. - - services.postgresql = { - enable = true; - ensureDatabases = [ "atticd" ]; - ensureUsers = [ - { - name = "atticd"; - ensureDBOwnership = true; - } - ]; - }; - - services.nginx = { - enable = true; - clientMaxBodySize = "1g"; - virtualHosts.${atticHostname} = { - kTLS = true; - forceSSL = true; - enableACME = true; - - locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}"; - }; - }; -} 
diff --git a/nixos-configurations/lindberg-build/applications/default.nix b/nixos-configurations/lindberg-build/applications/default.nix index 84978fb..d9360ee 100644 --- a/nixos-configurations/lindberg-build/applications/default.nix +++ b/nixos-configurations/lindberg-build/applications/default.nix @@ -7,14 +7,15 @@ { imports = [ - ./attic.nix ./nixpkgs-cache.nix ]; qois.git-ci-runner.enable = true; + qois.attic.enable = true; qois.postgresql.package = pkgs.postgresql_15; - # Remove substituters that are hosted on this node, to prevent lockups. + # Remove substituters that are hosted on this node, to prevent lockups + # since the current nix implementation is not forgiving with unavailable subsituters. # The qois-infrastructure cache is not needed, # since the builds are done (and cached) on this host anyway. nix.settings.substituters = lib.mkForce [ diff --git a/nixos-configurations/lindberg-build/secrets.nix b/nixos-configurations/lindberg-build/secrets.nix index 988fc1f..8d66d7e 100644 --- a/nixos-configurations/lindberg-build/secrets.nix +++ b/nixos-configurations/lindberg-build/secrets.nix @@ -1,9 +1,6 @@ { ... }: { sops.secrets = { - "attic/server_token" = { - restartUnits = [ "atticd.service" ]; - }; "gitlab-runner/default-registration" = { restartUnits = [ "gitlab-runner.service" ]; }; diff --git a/nixos-configurations/lindberg-nextcloud/default.nix b/nixos-configurations/lindberg-nextcloud/default.nix index 0f1c769..08034a8 100644 --- a/nixos-configurations/lindberg-nextcloud/default.nix +++ b/nixos-configurations/lindberg-nextcloud/default.nix @@ -5,7 +5,6 @@ ../../defaults/backplane-net ../../defaults/base-vm ../../defaults/meta - ../../defaults/webserver ./applications ./backup.nix ./secrets.nix diff --git a/nixos-modules/qois/attic/default.nix b/nixos-modules/qois/attic/default.nix new file mode 100644 index 0000000..adb9e4b --- /dev/null +++ b/nixos-modules/qois/attic/default.nix 
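Review bot: The rewritten comment above `nix.settings.substituters` in lindberg-build/applications/default.nix misspells "substituters" as "subsituters" on its second line; `# since the current nix implementation is not forgiving with unavailable substituters.` The attribute set being edited, and the `lib.mkForce [` list it ends on, continue outside the hunk.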
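Review bot: The `../../defaults/webserver` import is removed from lindberg-nextcloud/default.nix, but no import of the renamed module at `nixos-modules/qois/nginx/default.nix` is added anywhere on this page, so the recommended TLS/proxy/optimisation settings that module sets reach this host only if `nixos-modules/qois` is already loaded for it, which the hunk does not show. If it is not, those settings silently stop applying to nextcloud's nginx instead of failing evaluation. Worth confirming by evaluating `config.services.nginx.recommendedTlsSettings` for that host before merging. The imports list continues outside the hunk.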
@@ -0,0 +1,98 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + cfg = config.qois.attic; +in +{ + + options.qois.attic = { + enable = mkEnableOption "Enable attic service"; + domain = mkOption { + description = "Domain for attic server"; + type = types.str; + default = "attic.qo.is"; + }; + port = mkOption { + description = "Server Port"; + type = types.numbers.between 1 65536; + default = 8080; + }; + }; + + config = mkIf cfg.enable { + sops.secrets."attic/server_token".restartUnits = [ "atticd.service" ]; + + services.atticd = { + enable = true; + + # Replace with absolute path to your credentials file + # generate secret with + # nix run system#openssl rand 64 | base64 -w0 + # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl" + environmentFile = config.sops.secrets."attic/server_token".path; + + settings = { + listen = "127.0.0.1:${toString cfg.port}"; + allowed-hosts = [ cfg.domain ]; + api-endpoint = "https://${cfg.domain}/"; + + # Data chunking + # + # Warning: If you change any of the values here, it will be + # difficult to reuse existing chunks for newly-uploaded NARs + # since the cutpoints will be different. As a result, the + # deduplication ratio will suffer for a while after the change. + chunking = { + # The minimum NAR size to trigger chunking + # + # If 0, chunking is disabled entirely for newly-uploaded NARs. + # If 1, all NARs are chunked. + nar-size-threshold = 64 * 1024; # 64 KiB + + # The preferred minimum size of a chunk, in bytes + min-size = 16 * 1024; # 16 KiB + + # The preferred average size of a chunk, in bytes + avg-size = 64 * 1024; # 64 KiB + + # The preferred maximum size of a chunk, in bytes + max-size = 256 * 1024; # 256 KiB + }; + + garbage-collection.default-retention-period = "6 months"; + + database.url = "postgresql:///atticd?host=/run/postgresql"; + }; + }; + + # Note: Attic cache availability is "best effort", so no artifacts are backed up. 
+ + services.postgresql = { + enable = true; + ensureDatabases = [ "atticd" ]; + ensureUsers = [ + { + name = "atticd"; + ensureDBOwnership = true; + } + ]; + }; + + services.nginx = { + enable = true; + clientMaxBodySize = "1g"; + virtualHosts.${cfg.domain} = { + kTLS = true; + forceSSL = true; + enableACME = true; + + locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + }; +} diff --git a/defaults/webserver/default.nix b/nixos-modules/qois/nginx/default.nix similarity index 85% rename from defaults/webserver/default.nix rename to nixos-modules/qois/nginx/default.nix index 2aa4aaf..3fd799d 100644 --- a/defaults/webserver/default.nix +++ b/nixos-modules/qois/nginx/default.nix @@ -1,12 +1,9 @@ { - config, - lib, - pkgs, ... }: { - services.nginx = { + config.services.nginx = { recommendedTlsSettings = true; recommendedOptimisation = true; recommendedProxySettings = true;
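Review bot: The `port` option in nixos-modules/qois/attic/default.nix is typed `types.numbers.between 1 65536`, and since that bound is inclusive it accepts 65536, which is not a valid TCP port, so a bad value is only rejected by atticd at start rather than at evaluation; `type = types.port;` expresses the intent directly. The `mkEnableOption "Enable attic service"` description renders as "Whether to enable Enable attic service." because mkEnableOption already adds the prefix, so `enable = mkEnableOption "attic service";` is enough. `services.nginx.clientMaxBodySize = "1g"` is set host-wide, so every virtual host on a machine that enables this module accepts 1 GiB request bodies; scoping it with `virtualHosts.${cfg.domain}.extraConfig = "client_max_body_size 1g;";` keeps the larger limit only where the cache upload needs it. The comment `# Replace with absolute path to your credentials file` above `environmentFile` is carried over from the upstream example and no longer applies now that the sops path is wired in.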