diff --git a/hosts/best/plausible/default.nix b/hosts/best/plausible/default.nix
new file mode 100644
index 0000000..8e8674f
--- /dev/null
+++ b/hosts/best/plausible/default.nix
@@ -0,0 +1,39 @@
+{ config, self, lib, ... }: let
+ inherit (config.networking) domain;
+ inherit (lib) enabled merge;
+
+ fqdn = "shekels.${domain}";
+ port = 8007;
+in {
+ imports = [
+ (self + /modules/nginx.nix)
+ (self + /modules/postgresql.nix)
+ ];
+
+ secrets.plausibleKey = {
+ file = ./key.age;
+ owner = "plausible";
+ };
+
+ services.postgresql.ensure = [ "plausible" ];
+
+ services.plausible = enabled {
+ server = {
+ disableRegistration = true; # Setting it explicitly just in case.
+
+ secretKeybaseFile = config.secrets.plausibleKey.path;
+
+ baseUrl = "https://${fqdn}";
+
+ listenAddress = "::1";
+ inherit port;
+ };
+ };
+
+ services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/hosts/best/plausible/key.age b/hosts/best/plausible/key.age
new file mode 100644
index 0000000..edc645e
--- /dev/null
+++ b/hosts/best/plausible/key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w 6z16kXAqAppYOMXQ7riHs+iP6SFMfJND1KlG0TI+Bgo
+Gm99zghsZ69nBzs8I+Hs3fRM7+dGEaNC7mFwVJZbjO4
+-> ssh-ed25519 CzqbPQ AYm8rfc18ftg7vvt6MVIYlaMcyL09VDoDBLGa0v6STo
+uWmdITsGHXPZfMMBDdaYkbLCHntii4mupaWklLfOYa0
+--- LFjB2mFBC6OkRoM7A9RVGjcXGbMQGKutBz44EDK3YJo
+uL6l6ezŌE'Gk磤^xjj!YEsDZy2rFjOKeÏ%^\|ЄYnryI
\ No newline at end of file
diff --git a/modules/nginx.nix b/modules/nginx.nix
index bb29cb7..27fc846 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
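Review bot: The loopback address appears twice in the new file — `listenAddress = "::1";` in the server block and `[::1]` inside proxyPass — so the two can drift apart silently, after which nginx would proxy to a socket nothing is bound to. Hoisting it beside `fqdn` and `port` keeps them coupled: `listenAddress = "::1";` in the `let`, `inherit port listenAddress;` in the server attrset, and `proxyPass = "http://[${listenAddress}]:${toString port}";` in the location. The comment on `disableRegistration` explains that the value is set explicitly but not how the first account gets created once self-registration is off; noting the bootstrap path there (I cannot tell from this diff what it is) would spare the next operator a search.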
@@ -16,7 +16,7 @@ in {
 add_header Strict-Transport-Security $hsts_header always;
- add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; base-uri 'self';" always;
+ add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;
 add_header Referrer-Policy no-referrer always;
diff --git a/secrets.nix b/secrets.nix
index 71e66af..4e0ab44 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,8 @@ in {
 "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
+
 # disk
 "hosts/disk/id.age".publicKeys = [ disk ] ++ admins;
 "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;
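Review bot: The added Content-Security-Policy line loosens a header that, judging by the shared module it lives in, every virtual host inherits, so each site now trusts scripts from the apex domain and every subdomain — hosts it never embeds anything from — and `object-src` is widened as well although a script tag never needs it. The only origin this commit needs is the Plausible host that default.nix in the same commit names `shekels.${domain}`, so a narrower line would be `add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://shekels.${domain}; object-src 'self'; base-uri 'self';" always;`, and narrower still is leaving the template unchanged and appending that origin only in the virtual hosts that load the tracking script. Either way a short comment naming why the extra source exists would stop it from being "cleaned up" later, and it is worth noting the policy already carries 'unsafe-inline' and 'unsafe-eval', so script-src is a thin control regardless. The block these add_header directives sit in starts and ends outside the hunk, and the hunk header counts seven lines a side while only four are visible, so some context lines appear to have been lost in rendering.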