diff --git a/home-server.nix b/home-server.nix
index 91a3c3c..c955769 100644
--- a/home-server.nix
+++ b/home-server.nix
@@ -22,6 +22,7 @@ in with builtins; {
     ./services/jellyfin.nix
     ./services/etebase.nix
     ./services/website.nix
+    ./services/wkd.nix
     ./services/home-assistant
     ./services/matrix
     ./services/watchtower.nix
@@ -77,6 +78,7 @@ in with builtins; {
     passwordFile = config.age.secrets.cloudflare.path;
     domains = [
       "felschr.com"
+      "openpgpkey.felschr.com"
       "home.felschr.com"
       "esphome.felschr.com"
       "matrix.felschr.com"
diff --git a/services/wkd.nix b/services/wkd.nix
new file mode 100644
index 0000000..b92fb8f
--- /dev/null
+++ b/services/wkd.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+  # Direct mode
+  services.nginx.virtualHosts."felschr.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/.well-known/openpgpkey/" = {
+      recommendedProxySettings = false;
+      proxyPass = "https://openpgpkey.protonmail.ch";
+      extraConfig = ''
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        proxy_set_header Host $proxy_host;
+        rewrite /.well-known/openpgpkey/(.*) /.well-known/openpgpkey/$host/$1 break;
+      '';
+    };
+  };
+
+  # Advanced mode
+  services.nginx.virtualHosts."openpgpkey.felschr.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/.well-known/openpgpkey/felschr.com/" = {
+      recommendedProxySettings = false;
+      proxyPass = "https://openpgpkey.protonmail.ch";
+      extraConfig = ''
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        proxy_set_header Host $proxy_host;
+      '';
+    };
+  };
+}