diff --git a/module.nix b/module.nix
index edb3a82..eb0d2fb 100644
--- a/module.nix
+++ b/module.nix
@@ -14,6 +14,12 @@ in
 description = "Address and port for the MyMX server to listen on.";
 };

+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "mymx.extremist.software";
+ description = "Domain name for the Caddy virtual host.";
+ };
+
 webhookSecretFile = lib.mkOption {
 type = lib.types.path;
 description = "Path to a file containing the MyMX webhook secret.";
@@ -51,6 +57,21 @@ in
 }];
 };

+ services.caddy.virtualHosts.${cfg.domain} = {
+ extraConfig = ''
+ rate_limit {
+ zone mymx_per_ip {
+ key {remote.ip}
+ events 60
+ window 1m
+ }
+ }
+ reverse_proxy localhost:${
+ builtins.elemAt (lib.splitString ":" cfg.listenAddr) 1
+ }
+ '';
+ };
+
 systemd.services.mymx = {
 description = "MyMX Webhook Receiver";
 after = [ "postgresql.service" "network.target" ];
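Review bot: The `default = "mymx.extremist.software";` line on the new `domain` option bakes one deployment's hostname into a reusable module. A host that enables the module without setting `domain` would get a Caddy virtual host for a name it may not control, and with Caddy's automatic HTTPS it would also request a certificate for that name. Dropping the `default` line makes the option mandatory, so the omission fails at evaluation time instead of at runtime. If a default has to stay, add `example = "mymx.example.org";` and say in the description that the name must resolve to this host. The enclosing options set starts and ends outside the hunk.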
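Review bot: The zone key `{remote.ip}` in `extraConfig` does not look like a Caddy placeholder; the documented shorthand for the peer address is `{remote_host}`. If the key is not expanded, every request shares one bucket and the 60-per-minute limit becomes global, so one noisy client can starve legitimate webhook deliveries; `key {remote_host}` is the likely intent. `rate_limit` is also not part of stock Caddy, so the module should document or assert that `services.caddy.package` includes the rate-limit plugin and that the directive is ordered, otherwise the config will not load. The limit only protects the backend if `cfg.listenAddr` binds to loopback, which this hunk does not show; a non-loopback bind leaves the port reachable around the proxy. Taking element 1 of the `:` split breaks on bracketed IPv6 addresses, so `lib.last (lib.splitString ":" cfg.listenAddr)` is sturdier; the enclosing `config` block starts and ends outside the hunk.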