diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix
index 18a457d..26e7ec9 100644
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@@ -23,9 +23,9 @@ networking = {
 # Open ports in the firewall.
 firewall.allowedTCPPorts = [
- 22 # ssh
- 25 # SMTP (unencrypted)
- 80 # http to local Nginx
+ 22 # ssh
+ 25 # SMTP (unencrypted)
+ 80 # http to local Nginx
 443 # https to local Nginx
 465 # SMTP with TLS
 587 # SMTP with STARTTLS
diff --git a/modules/hosts/nixos/hetznix01/post-install/default.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix
index 12c8f5a..e1a6e50 100644
--- a/modules/hosts/nixos/hetznix01/post-install/default.nix
+++ b/modules/hosts/nixos/hetznix01/post-install/default.nix
@@ -1,4 +1,6 @@
-{ config, username, ... }: {
+{ config, username, ... }: let
+ domain = "technicalissues.us";
+in {
 imports = [
 ../../../../system/common/linux/lets-encrypt.nix
 ../../../../system/common/linux/restic.nix
@@ -10,33 +12,51 @@ enable = true;
 enableImap = false;
 enableImapSsl = false;
- fqdn = "mail.alt.technicalissues.us";
+ fqdn = "mail.alt.${domain}";
 domains = [
- "alt.technicalissues.us"
+ "alt.${domain}"
 "indianspringsbsa.org"
 ];
 forwards = {
 "webmaster@indianspringsbsa.org" = "gene+indianspringsbsa.org@geneliverman.com";
 "newsletter@indianspringsbsa.org" = "gene+indianspringsbsa.org@geneliverman.com";
- "@alt.technicalissues.us" = "gene+alt.technicalissues.us@geneliverman.com";
+ "@alt.${domain}" = "gene+alt.${domain}@geneliverman.com";
+ "${username}@localhost" = "${username}@technicalissues.us";
+ "root@localhost" = "root@technicalissues.us";
+ "root@${config.networking.hostName}" = "root@technicalissues.us";
 };
 # Use Let's Encrypt certificates from Nginx
 certificateScheme = "acme";
 };
- # Cert for the mail server
- security.acme.certs."alt.technicalissues.us" = {
- extraDomainNames = [
- "mail.alt.technicalissues.us"
- "mail.indianspringsbsa.org"
- ];
- reloadServices = [
- "postfix.service"
- ];
- };
 services = {
+ plausible = {
+ enable = true;
+ adminUser = {
+ # activate is used to skip the email verification of the admin-user that's
+ # automatically created by plausible. This is only supported if
+ # postgresql is configured by the module. This is done by default, but
+ # can be turned off with services.plausible.database.postgres.setup.
+ activate = true;
+ email = "${username}@technicalissues.us";
+ name = username;
+ passwordFile = config.sops.secrets.plausible_admin_pass.path;
+ };
+ database = {
+ clickhouse.setup = true;
+ postgres.setup = true;
+ };
+ mail.email = "stats@${domain}";
+ server = {
+ baseUrl = "https://stats.${domain}";
+ disableRegistration = true;
+ port = 8001;
+ # secretKeybaseFile is a path to the file which contains the secret generated
+ # with openssl as described above.
+ secretKeybaseFile = config.sops.secrets.plausible_secret_key_base.path;
+ };
+ };
 restic.backups.daily.paths = [
 "${config.users.users.${username}.home}/compose-files/owntracks"
 "/var/backup/postgresql"
@@ -77,6 +97,8 @@ owner = config.users.users.nginx.name;
 restartUnits = ["nginx.service"];
 };
+ plausible_admin_pass.owner = config.users.users.nginx.name;
+ plausible_secret_key_base.owner = config.users.users.nginx.name;
 tailscale_key = {
 restartUnits = [ "tailscaled-autoconnect.service" ];
 };
diff --git a/modules/hosts/nixos/hetznix01/post-install/nginx.nix b/modules/hosts/nixos/hetznix01/post-install/nginx.nix
index 74e6ba5..7721cf6 100644
--- a/modules/hosts/nixos/hetznix01/post-install/nginx.nix
+++ b/modules/hosts/nixos/hetznix01/post-install/nginx.nix
@@ -26,6 +26,9 @@ in {
 "hetznix01.${domain}" = {
 serverAliases = [
 "technicalissues.us"
+ "alt.technicalissues.us"
+ "mail.alt.technicalissues.us"
+ "mail.indianspringsbsa.org"
 ];
 default = true;
 enableACME = true;
@@ -120,6 +123,12 @@ in {
 };
 };
 };
+ "stats.${domain}" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:8001";
+ };
 "utk.${domain}" = {
 enableACME = true;
 acmeRoot = null;
diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml
index 10532b2..c5f194c 100644
--- a/modules/hosts/nixos/hetznix01/secrets.yaml
+++ b/modules/hosts/nixos/hetznix01/secrets.yaml
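Review bot: Deleting the `security.acme.certs."alt.technicalissues.us"` block drops its `reloadServices = [ "postfix.service" ]`, and nothing in this hunk tells the mailserver which certificate replaces it now that the mail SANs live on the `hetznix01.${domain}` nginx vhost (nginx.nix hunk). With `certificateScheme = "acme"` the simple-nixos-mailserver module resolves the certificate via `acmeCertificateName` (defaulting to `fqdn`, here `mail.alt.${domain}`), which this hunk does not set; if it is not set elsewhere in the file, postfix will point at a certificate directory that no longer exists, and even with the name corrected it will keep serving the pre-renewal certificate after ACME renews unless that cert's `reloadServices` covers it (the module may add this itself for the acme scheme — confirm against the version in use). Proposed, next to `certificateScheme`: `acmeCertificateName = "hetznix01.${domain}";` plus, at module level, `security.acme.certs."hetznix01.${domain}".reloadServices = [ "postfix.service" ];`. The comment `# with openssl as described above.` also refers to text that is not in this file; replace it with a self-contained line such as `# Phoenix SECRET_KEY_BASE, generated out-of-band and stored in sops`.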
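Review bot: Setting `plausible_admin_pass.owner` and `plausible_secret_key_base.owner` to `config.users.users.nginx.name` gives the internet-facing nginx worker read access to Plausible's admin password and its Phoenix signing secret, which nginx never consumes; the nginx-owned secret just above is not a precedent, since that one is read by nginx. The plausible unit is the only consumer: if the NixOS plausible module passes these paths through systemd `LoadCredential` (read as root at unit start), the sops-nix defaults of owner `root` and mode `0400` already work and both lines can be dropped; if it reads the paths directly, the owner should be that unit's own user, not nginx — confirm against the module version in use. Keeping the secret away from nginx means a compromise of the web tier does not also yield the key that signs the stats admin's sessions.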
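Review bot: The three new `serverAliases` are spelled out literally while the vhost name two lines above uses `${domain}`; `"alt.${domain}"` and `"mail.alt.${domain}"` keep the file's convention and make the relationship to the mailserver's `fqdn` visible. Because this vhost is `default = true` with `enableACME = true`, the mail hostnames now also answer HTTPS with the default site's content, and the only reason they are here appears to be the certificate SANs; that intent is worth a comment on the first added line, e.g. `# mail hostnames: the mailserver reuses this vhost's ACME certificate`.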
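Review bot: `locations."/".proxyPass` for the new `stats.${domain}` vhost does not enable websocket upgrades; if Plausible's live dashboard opens a websocket (Phoenix LiveView), those connections will fail through this proxy while ordinary page loads work, so confirm against the Plausible version deployed. The NixOS option for this is `proxyWebsockets`, i.e. `locations."/" = { proxyPass = "http://127.0.0.1:8001"; proxyWebsockets = true; };`, which is harmless when no upgrade is requested.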
@@ -4,6 +4,8 @@ matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi5
 matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str]
 mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str]
 owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str]
+plausible_admin_pass: ENC[AES256_GCM,data:nMGHMTp3YsDGP3YA9qmZqRCBA5BonS7SaLo=,iv:gN9qu+35DHiJVKh8vHF6KAwrFqgfdNNCC0+q3L/mBGg=,tag:XKlzT4Bp9IIKTSAmjDhd1Q==,type:str]
+plausible_secret_key_base: ENC[AES256_GCM,data:6Co3VO9Ocmd6cppRpm763jjpRE9yCb75FnrrvCD5XtQPoq6c7ZnCPfSPzWF7jOv6e0g+ghao015myEe3pmNlPcx55KE4LpPwNGHdGbFHmNsGiIDrDUC3Hw==,iv:0FXSF//7FAGrQKiMOfHFoWE539MzCnz7xUTHxxatTCI=,tag:cKMFwyLYScKVM3v+6hvwzg==,type:str]
 tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str]
 sops:
 kms: []
@@ -20,8 +22,8 @@ sops:
 WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV
 W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-19T01:44:04Z"
- mac: ENC[AES256_GCM,data:PU4r7DhcG6OgqTCeKBtxyAHDErGH6Eh33sOd+KuImQ74ajgahFNfd4zO27OldZbSERkOYLuFqw7w9+zblV3eaaXRQx97Ek3z4oMtJFv2t9lnNfG0lm45c1eECKV742mzTDi6/bcnQMdn/CaGli8DL45IGGctW+beXRJza0S3wEY=,iv:51WymgQc4OWcannaD4g+fjp4vc75WonWsOMS3Jyz7Xo=,tag:dmNFFgkuKQxy2Snb/HjX/A==,type:str]
+ lastmodified: "2024-06-29T04:40:44Z"
+ mac: ENC[AES256_GCM,data:94kylK+CFinvS2tjvu9vIanSjyVGkzu4IfDWvXvzxazR2U61IXuuaykPF3iDFKA9bC2cV4symPLmx7hAHFdN87mycOvkprUQzJTXORLdPjW90piaMvlETOH/lrjDq7R0TeIFfwj1hOrj0HrCg8tR6g49agl8uO/HoZQUtarZAf0=,iv:azMsvPUrR95r+dEWlBFilTdh+Zx26FNVcECX315njkI=,tag:DFZSHW3zq7ZD2KliTjL31A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1