diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix
index 3b24a35..1fb27c9 100644
--- a/hosts/cloud/default.nix
+++ b/hosts/cloud/default.nix
@@ -43,7 +43,8 @@
       torrserver = {
         enable = true;
         expose = true;
-        users = import ./secrets/tsdb.nix;
+        users = import ./secrets/tsusers.nix;
+        webUsers = import ./secrets/tsweb.nix;
       };
     };
   };
diff --git a/hosts/cloud/secrets/tsdb.nix b/hosts/cloud/secrets/tsusers.nix
similarity index 100%
rename from hosts/cloud/secrets/tsdb.nix
rename to hosts/cloud/secrets/tsusers.nix
diff --git a/hosts/cloud/secrets/tsweb.nix b/hosts/cloud/secrets/tsweb.nix
new file mode 100644
index 0000000..5f3cb79
Binary files /dev/null and b/hosts/cloud/secrets/tsweb.nix differ
diff --git a/modules/server/misc/torrserver/default.nix b/modules/server/misc/torrserver/default.nix
index d4c64d2..136521e 100644
--- a/modules/server/misc/torrserver/default.nix
+++ b/modules/server/misc/torrserver/default.nix
@@ -42,6 +42,11 @@ in {
       type = types.attrsOf types.str;
       default = {};
     };
+
+    webUsers = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+    };
   };
 
   config = mkIf cfg.enable {
@@ -87,7 +92,10 @@ in {
     networking.firewall.allowedUDPPorts = mkIf cfg.expose [ cfg.port ];
 
     services.nginx.virtualHosts."ts.${domain}" = mkIf webIsSupported {
-      locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+        basicAuth = cfg.webUsers;
+      };
 
       enableACME = true;
       forceSSL = true;