diff --git a/hosts/tadpole/modules/default.nix b/hosts/tadpole/modules/default.nix
index b33c937..f23086f 100644
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -23,6 +23,7 @@ in
 
       pppdotpm-site.enable = true;
       whib-backend.enable = true;
+      whib-frontend.enable = true;
     };
   };
 }
diff --git a/hosts/tadpole/modules/whib/default.nix b/hosts/tadpole/modules/whib/default.nix
index 86b82b5..6b0f6e9 100644
--- a/hosts/tadpole/modules/whib/default.nix
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -4,49 +4,64 @@
   ...
 }:
 let
-  enabled = config.mod.whib-backend.enable;
+  backendEnabled = config.mod.whib-backend.enable;
+  frontendEnabled = config.mod.whib-frontend.enable;
 in
 {
   options = {
     mod.whib-backend = {
       enable = lib.mkEnableOption "enable WHIB backend";
     };
+
+    mod.whib-frontend = {
+      enable = lib.mkEnableOption "enable WHIB frontend";
+    };
   };
 
-  config = lib.mkIf enabled {
+  config = {
     assertions = [
       {
-        assertion = config.services.nginx.enable;
+        assertion = backendEnabled && config.services.nginx.enable;
         message = "Option 'config.services.nginx' must be enabled";
       }
     ];
 
-    services.whib-backend = {
-      enable = true;
+    services = {
+      whib-backend = lib.mkIf backendEnabled {
+        enable = true;
 
-      backend = {
-        domain = "api.whib.ppp.pm";
-        useACMEHost = "api.whib.ppp.pm";
+        backend = {
+          domain = "api.whib.ppp.pm";
+          useACMEHost = "api.whib.ppp.pm";
 
-        environmentFile = config.age.secrets.whib-backend-env-vars.path;
-      };
+          environmentFile = config.age.secrets.whib-backend-env-vars.path;
+        };
 
-      postgres = {
-        environmentFile = config.age.secrets.whib-postgres-env-vars.path;
+        postgres = {
+          environmentFile = config.age.secrets.whib-postgres-env-vars.path;
 
-        backup = {
-          interval = "*-*-* 00:00:00 UTC";
+          backup = {
+            interval = "*-*-* 00:00:00 UTC";
 
-          environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;
-          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
+            environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;
+            gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
+          };
+        };
+
+        grafana = {
+          domain = "grafana.whib.ppp.pm";
+          useACMEHost = "grafana.whib.ppp.pm";
+
+          environmentFile = config.age.secrets.whib-grafana-env-vars.path;
         };
       };
 
-      grafana = {
-        domain = "grafana.whib.ppp.pm";
-        useACMEHost = "grafana.whib.ppp.pm";
+      whib-frontend = lib.mkIf frontendEnabled {
+        enable = true;
 
-        environmentFile = config.age.secrets.whib-grafana-env-vars.path;
+        domain = "whib.ppp.pm";
+        useACMEHost = "whib.ppp.pm";
+        backendHost = "api.whib.ppp.pm";
       };
     };