diff --git a/hosts/tadpole/modules/certs/default.nix b/hosts/tadpole/modules/certs/default.nix
index e845a61..b3bc173 100644
--- a/hosts/tadpole/modules/certs/default.nix
+++ b/hosts/tadpole/modules/certs/default.nix
@@ -17,6 +17,11 @@
 webroot = "/var/lib/acme/acme-challenge/";
 group = "nginx";
 };
+
+ "api.whib.ppp.pm" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ group = "nginx";
+ };
 };
 };
 }
diff --git a/hosts/tadpole/modules/default.nix b/hosts/tadpole/modules/default.nix
index 9954f50..b33c937 100644
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -22,6 +22,7 @@ in }; pppdotpm-site.enable = true; + whib-backend.enable = true; }; }; }
diff --git a/hosts/tadpole/modules/whib/default.nix b/hosts/tadpole/modules/whib/default.nix
new file mode 100644
index 0000000..dacd91e
--- /dev/null
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -0,0 +1,72 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+let
+ enabled = config.mod.whib-backend.enable;
+in
+{
+ options = {
+ mod.whib-backend = {
+ enable = lib.mkEnableOption "enable WHIB backend";
+ };
+ };
+
+ config = lib.mkIf enabled {
+ assertions = [
+ {
+ assertion = config.services.nginx.enable;
+ message = "Option 'config.services.nginx' must be enabled";
+ }
+ ];
+
+ services.whib-backend = {
+ enable = true;
+
+ domain = "api.whib.ppp.pm";
+ useACMEHost = "api.whib.ppp.pm";
+
+ backend = {
+ signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
+ };
+
+ postgres = {
+ database = "whib";
+ host = "postgres";
+ port = "5432";
+ user = "whib";
+ password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
+
+ backup = {
+ interval = "*-*-* 00:00:00 UTC";
+
+ gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
+
+ backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
+ backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
+ backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
+ };
+ };
+
+ grafana = {
+ domain = "grafana.whib.ppp.pm";
+ useACMEHost = "grafana.whib.ppp.pm";
+
+ password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+ };
+ };
+
+ age.secrets = {
+ "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
+ "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
+ "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
+
+ "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
+ "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
+ "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
+ "whib-backblaze-key".file =
../../../../secrets/tadpole/whib-backblaze-key.age;
+ };
+ };
+}
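Review bot: The `signingKey`, postgres `password`, `backblaze*` and grafana `password` values are Nix strings holding a shell `$(…/bin/cat …)` substitution, so they only become the real secret if the `services.whib-backend` module (not visible here) passes them through a shell; if the module writes them verbatim into a config file or unit environment, the service runs with the literal text `$(…/bin/cat /…/whib-signing-key)` as its signing key and passwords, which is a fixed, predictable value rather than a secret. The `age.secrets` entries in the same hunk set no `owner`, `group` or `mode`, so under the agenix defaults the decrypted files are root-only and a `cat` run as an unprivileged service user would yield an empty value instead of failing the activation. Prefer the path-based form already used by `gpgPassphraseFile = config.age.secrets.whib-gpg-key.path` — if the module offers `*File` or environment-file options use those, and set `owner` on each secret to the service's user. Separately, `useACMEHost = "grafana.whib.ppp.pm"` refers to a certificate this commit does not declare in `certs/default.nix` (only `api.whib.ppp.pm` is added there); unless it already exists outside the shown context, nginx will not find that cert.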