diff --git a/.sops.yaml b/.sops.yaml
index 21ddf45..2404034 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,6 +6,7 @@ keys:
 - &nextcloud age1ds7zgenz9a664jqx5308m6q5mgtavzmelg239xsj8mdh64pmqa9qtkffmk
 - &toaster age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
 - &music age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt
+ - &news age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt
 creation_rules:
 - path_regex: secrets/microwave/[^/]+\.yaml$
 key_groups:
@@ -43,3 +44,9 @@ creation_rules:
 - *admin_oxa
 age:
 - *music
+ - path_regex: secrets/news/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *news
diff --git a/flake.nix b/flake.nix
index cd1171b..c539d76 100644
--- a/flake.nix
+++ b/flake.nix
@@ -156,6 +156,7 @@
 modules = [
 sops-nix.nixosModules.sops
 microvm.nixosModules.microvm
+ ./microvms/news
 ];
 };
 };
diff --git a/hosts/cirrus/nextcloud-proxy.nix b/hosts/cirrus/nextcloud-proxy.nix
index 7a4fa67..3b5166a 100644
--- a/hosts/cirrus/nextcloud-proxy.nix
+++ b/hosts/cirrus/nextcloud-proxy.nix
@@ -48,5 +48,17 @@
 };
 };
 };
+ "news.oxapentane.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 32M;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://10.34.45.102:8080";
+ };
+ };
+ };
 };
 }
diff --git a/hosts/cirrus/wireguard-server.nix b/hosts/cirrus/wireguard-server.nix
index d9fc754..526e8db 100644
--- a/hosts/cirrus/wireguard-server.nix
+++ b/hosts/cirrus/wireguard-server.nix
@@ -95,6 +95,14 @@
 PersistentKeepalive = 25;
 };
 }
+ # news
+ {
+ wireguardPeerConfig = {
+ PublicKey = "guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0=";
+ AllowedIPs = [ "10.34.45.102/32" ];
+ PersistentKeepalive = 25;
+ };
+ }
 ];
 };
 networks."oxaproxy" = {
diff --git a/hosts/dishwasher/microvms.nix b/hosts/dishwasher/microvms.nix
index e395f10..e5cc7c8 100644
--- a/hosts/dishwasher/microvms.nix
+++ b/hosts/dishwasher/microvms.nix
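Review bot: The new `&news` anchor carries exactly the same age recipient as `&music` (`age1aj7mg…gm4rtt`), so the `secrets/news/` creation rule added in the second .sops.yaml hunk does not introduce a news-specific key, and the `recipient:` entries in the new secrets/news/secrets.yaml show the same value. If that is a copy-paste slip, the news VM — which decrypts with its own `/etc/ssh/ssh_host_ed25519_key` per microvms/news/oxaproxy.nix, persisted under the VM's own `etc` share — will not be able to open `secrets/news/secrets.yaml` and sops-nix will fail at activation; if it is deliberate, the music and news VMs share one decryption identity and a compromise of either exposes the other's secrets. The intended recipient is presumably the news host's converted ed25519 key, after which the file needs re-encrypting with `sops updatekeys secrets/news/secrets.yaml`. A comment on the keys list such as `# one age recipient per VM host key` would make such duplicates stand out in future.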
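Review bot: The `news.oxapentane.com` vhost forwards to a bare `http://10.34.45.102:8080` with nothing tying it to the news microVM, and that address is now repeated verbatim in four files (this vhost, the `AllowedIPs` in wireguard-server.nix, miniflux's `LISTEN_ADDR` and the `Address` in microvms/news/oxaproxy.nix). A comment on the vhost, e.g. `# news microvm (miniflux), reached over the oxaproxy wireguard link`, or a shared constant for the VM's wireguard address, would keep those places in step. `client_max_body_size 32M;` also deserves a one-line reason, since a feed reader rarely needs uploads that large (OPML import is the only candidate I can see). The enclosing attribute set starts outside the hunk, and the file name `nextcloud-proxy.nix` no longer describes its contents.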
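Review bot: The `# news` marker on the new peer says nothing about where the key comes from; since the same public key appears as the `#own pubkey` comment in microvms/news/oxaproxy.nix, a pointer such as `# news microvm — pubkey from microvms/news/oxaproxy.nix, reaches us over the wireguard link` would let the next reader verify the pair without searching. `PersistentKeepalive = 25` on this side is only needed if cirrus has to originate traffic through a NAT towards the VM; the news side already sets the same keepalive, so this entry is likely redundant, though it is consistent with the existing peers above. The enclosing `wireguardPeers` list starts outside the hunk.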
@@ -8,5 +8,9 @@
 flake = inputs.self;
 updateFlake = "github:oxapentane/nix-config/master";
 };
+ news = {
+ flake = inputs.self;
+ updateFlake = "github:oxapentane/nix-config/master";
+ };
 };
 }
diff --git a/microvms/news/default.nix b/microvms/news/default.nix
new file mode 100644
index 0000000..9ad3e18
--- /dev/null
+++ b/microvms/news/default.nix
@@ -0,0 +1,49 @@
+{ config, ... }: {
+ imports = [
+ ./miniflux.nix
+ ./oxaproxy.nix
+ ];
+
+ microvm = {
+ hypervisor = "qemu";
+ mem = 1 * 1024;
+ vcpu = 1;
+
+ shares = [{
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }] ++ map
+ (dir: {
+ source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
+ mountPoint = "/${dir}";
+ tag = dir;
+ proto = "virtiofs";
+ socket = "${dir}.socket";
+ }) [ "etc" "var" "home" ];
+
+ interfaces = [{
+ type = "tap";
+ id = "vm-news";
+ mac = "EA:40:E8:60:C5:38";
+ }];
+ };
+
+ networking = {
+ hostName = "news";
+ };
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 cardno:16 811 348"
+ ];
+
+ system.stateVersion = "22.11";
+}
diff --git a/microvms/news/miniflux.nix b/microvms/news/miniflux.nix
new file mode 100644
index 0000000..c4cd628
--- /dev/null
+++ b/microvms/news/miniflux.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+let
+ listenport = 8080;
+in
+ {
+ sops.secrets."miniflux-admin" = { };
+
+ networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ listenport ];
+ services.miniflux = {
+ enable = true;
+ config = {
+ LISTEN_ADDR = "10.34.45.102:${toString listenport}";
+ POLLING_FREQUENCY = "37";
+ CREATE_ADMIN = "1";
+ };
+ adminCredentialsFile = config.sops.secrets."miniflux-admin".path;
+ };
+}
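Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` opens SSH on every interface of the VM, including the `oxaproxy` WireGuard link that cirrus reaches, whereas miniflux.nix deliberately scopes its port to `networking.firewall.interfaces.oxaproxy`. If SSH is only meant to arrive from the host side, `networking.firewall.interfaces.enp0s8.allowedTCPPorts = [ 22 ];` (enp0s8 is the host-facing interface named in oxaproxy.nix) keeps the reverse-proxy network from reaching the root login at all; key-only root access via `permitRootLogin = "prohibit-password"` is reasonable, but there is no reason to expose it on the tunnel. The `shares` expression would also read better with a short comment, e.g. `# store is shared read-only; etc/var/home persist on the host under /var/lib/microvms/<hostName>/`, so the next reader knows which state survives a VM rebuild.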
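Review bot: The miniflux `config` block sets no `BASE_URL`, yet the service is only reachable through the `https://news.oxapentane.com` vhost added in nextcloud-proxy.nix; miniflux uses `BASE_URL` to build absolute links and, as far as I recall, to decide whether session cookies get the `Secure` flag, so `BASE_URL = "https://news.oxapentane.com";` belongs next to `LISTEN_ADDR` (confirm against the docs for the packaged miniflux version). `POLLING_FREQUENCY = "37"` is an unexplained number and wants a comment such as `# feed refresh interval in minutes (per miniflux docs)`. `CREATE_ADMIN = "1"` may already be set by the NixOS miniflux module when `adminCredentialsFile` is given — worth checking before restating it here.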
diff --git a/microvms/news/oxaproxy.nix b/microvms/news/oxaproxy.nix
new file mode 100644
index 0000000..451bb53
--- /dev/null
+++ b/microvms/news/oxaproxy.nix
@@ -0,0 +1,68 @@
+{ config, ... }: {
+
+ networking.wireguard.enable = true;
+ networking.useNetworkd = true;
+
+ #oxaproxy secret
+ sops.defaultSopsFile = ../../secrets/news/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets."oxaproxy-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
+
+ systemd.network = {
+ enable = true;
+ netdevs."10-oxaproxy" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "oxaproxy";
+ Description = "oxa's enterprise reverse-proxy network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."oxaproxy-seckey".path;
+ #own pubkey: guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0=
+ };
+ wireguardPeers = [
+ {
+ # cirrus
+ wireguardPeerConfig = {
+ PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
+ AllowedIPs = [ "10.34.45.0/24" ];
+ Endpoint = [ "95.216.166.21:51821" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."10-oxaproxy" = {
+ matchConfig.Name = "oxaproxy";
+ networkConfig = {
+ Address = "10.34.45.102/24";
+ };
+ };
+
+ networks."111-host" = {
+ matchConfig.Name = "enp0s8";
+ networkConfig = {
+ Address = "10.99.99.102/24";
+ };
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "10.99.99.1";
+ Destination = "0.0.0.0/0";
+ Metric = 1024;
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.99.99.1";
+ Destination = "10.99.99.0/24";
+ Metric = 1024;
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/secrets/news/secrets.yaml b/secrets/news/secrets.yaml
new file mode 100644
index 0000000..ef32c68
--- /dev/null
+++ b/secrets/news/secrets.yaml
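Review bot: `sops.defaultSopsFile` and `sops.age.sshKeyPaths` are VM-wide sops settings, but they sit inside the WireGuard module under a `#oxaproxy secret` comment while miniflux.nix's `sops.secrets."miniflux-admin"` silently depends on them — removing or swapping oxaproxy.nix would break the miniflux secret. Moving those two lines to microvms/news/default.nix next to `imports`, with a comment like `# sops: all news secrets live in one file, decrypted with this VM's host key`, makes the dependency explicit. The second route in `networks."111-host"` sends `10.99.99.0/24` via gateway `10.99.99.1` even though that prefix is on-link from `Address = "10.99.99.102/24"` and networkd already installs the connected route, so it is either redundant or, if it was meant to override something, needs a comment saying what. Giving the decrypted key to `systemd-network` via `owner` rather than leaving it root-only is the right least-privilege choice and worth a short note so nobody "simplifies" it away.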
@@ -0,0 +1,83 @@ +oxaproxy-seckey: ENC[AES256_GCM,data:NqyjByJof6wzi4xZqCjpJ02wLAkcsV+vJXqg9DjqQUMOlnrMUJkAdJowPCY=,iv:jy/2oMeTXRiUJNS3nPYUOWOIxualfLzJuBM4jA9XSAM=,tag:RbhH2H0HPWEuHjXgqMwhkQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdUd4ZVFNdVUyRjVPamxJ + cmRnRlE0bFplbmFrQzZOb2JibzBpUWJ5SVVRCnFpN2VpU0x6MzJDajhiV3g0N2pt + K0F0VS81ckNBTXRnam51c0F1dXM4eEEKLS0tIFlVeTJlSHhtSzRtQms0M1BYRk1H + NjAvUUFWRlVSYzFhd0U3Si9XaTJSbm8KjWuqrXPxLmQfDKpM0dQGU/FNu1OEFTUF + MjSLVLCSItNKM+8bsBvwUn2irQ6vC8VzO+zScXrrsQ43d9H4fg3UhA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-15T14:44:19Z" + mac: ENC[AES256_GCM,data:mqRZUuIuy2PQS2LKKqnNmDEniJhEZuaY1xQX6ysvXNd9WcG4EtTjiIiaXuR8P+5/9DJZOaNWDw9wl3bcwzanErkeW3wlP6F/nWo3w04wFn6wh3RYVf7FQ0aZKbaDd9xyEfSr4DvUAcpj5M8snhG9wEQ48X5u6ZZS4SOPSSbhTR0=,iv:Kd/4PZA2PUEjS9vSoVqcPiDrAcJKK6ew9wuQeqAE3EU=,tag:vkQ5/7bk7iZTKnrhB3/OSA==,type:str] + pgp: + - created_at: "2023-05-15T14:28:38Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ/+Pe3QY5ilSZzo/g5QVGaIpyw6ZP4PqJ+qw4qAfxqbvNev + xc8xv/e2R+Afuioxf9T01hPIxDHoGbqQuOySFoo+tAeY3+RupmPluOOtDjPsDYjA + IXPAC1F/nFf+7HXL5Qly6VbE5lgd0hC/e4TGccO5Ro+JHtwWElecpK9ZmJFFu79x + A6bc3pM/Sp4CGjxwMLuv3wEYpqaID4Ng3Yqzl4hZJQ0QTjgdbfKs52WUZa7IQLp9 + JySNN7eIInh1792XBCM4IR6Jt+KaZFi2o4iASe8jugbj/OQGhdRjkkJHQjZucJhv + 5FE8tqYbyPUJLvVrJJkAcieHRLUiiCQ6KsecbW/e2lNaSOeIlm0x650F1Vc84taU + lHsd7DypxzytnDesGDHrFAlACnB81XxD1bqnik91+F4N6Q6Z7hraGoP+bgn0cuBT + Q6elOC/biRgm8z1TIMeldAfpbW8b3n2DhbPYH2hJil6tN0cjV/Fxxg9EY1lsMVL6 + r8/wOOzPd+DdLzOcQT/n3oNejweAxOkykrDJzo108vbq0t1zEwmGy2h4mrdEpQLj + 1FFEJ4PxUos73A8SrGD2TkcT0Bqa7gQbF2/OR2VFR2aUJtU/Rw7cmRmT8FlBhDYw + b0zlhitkt8H6LESJAEn+ucTTu/mg4jcPrckovaMlVcFzcCjtogSQJBH3kgvDV33S + UQEx0TpwUkQtp3OBzTQKe82JtBSDKbpzePSHifJ9eNLI5yxDxNm+faBZSDTcVl3P + 
fXb9AUsUqHEB7powPqkRQMlDMcZ5iQWnpS3LKMc8RL9GMw== + =n+nq + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.7.3 +--- +miniflux-admin: ENC[AES256_GCM,data:D6wOaC6pWS+4PD/KIT1MCPNkV4/mnjO88rSvmIwKkqj2dC641cnP3psfMb1/6QpI/C+pURcgzFaNUuHWoqwqQWq5i6eWTz1Y/wha,iv:FfjaVjlFLzSj9YHamJNAWOv1LA2fz4v5vG7IRU6OIuo=,tag:f3iPWs/1btzAFl2aneetXA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdUd4ZVFNdVUyRjVPamxJ + cmRnRlE0bFplbmFrQzZOb2JibzBpUWJ5SVVRCnFpN2VpU0x6MzJDajhiV3g0N2pt + K0F0VS81ckNBTXRnam51c0F1dXM4eEEKLS0tIFlVeTJlSHhtSzRtQms0M1BYRk1H + NjAvUUFWRlVSYzFhd0U3Si9XaTJSbm8KjWuqrXPxLmQfDKpM0dQGU/FNu1OEFTUF + MjSLVLCSItNKM+8bsBvwUn2irQ6vC8VzO+zScXrrsQ43d9H4fg3UhA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-15T14:44:19Z" + mac: ENC[AES256_GCM,data:mqRZUuIuy2PQS2LKKqnNmDEniJhEZuaY1xQX6ysvXNd9WcG4EtTjiIiaXuR8P+5/9DJZOaNWDw9wl3bcwzanErkeW3wlP6F/nWo3w04wFn6wh3RYVf7FQ0aZKbaDd9xyEfSr4DvUAcpj5M8snhG9wEQ48X5u6ZZS4SOPSSbhTR0=,iv:Kd/4PZA2PUEjS9vSoVqcPiDrAcJKK6ew9wuQeqAE3EU=,tag:vkQ5/7bk7iZTKnrhB3/OSA==,type:str] + pgp: + - created_at: "2023-05-15T14:28:38Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ/+Pe3QY5ilSZzo/g5QVGaIpyw6ZP4PqJ+qw4qAfxqbvNev + xc8xv/e2R+Afuioxf9T01hPIxDHoGbqQuOySFoo+tAeY3+RupmPluOOtDjPsDYjA + IXPAC1F/nFf+7HXL5Qly6VbE5lgd0hC/e4TGccO5Ro+JHtwWElecpK9ZmJFFu79x + A6bc3pM/Sp4CGjxwMLuv3wEYpqaID4Ng3Yqzl4hZJQ0QTjgdbfKs52WUZa7IQLp9 + JySNN7eIInh1792XBCM4IR6Jt+KaZFi2o4iASe8jugbj/OQGhdRjkkJHQjZucJhv + 5FE8tqYbyPUJLvVrJJkAcieHRLUiiCQ6KsecbW/e2lNaSOeIlm0x650F1Vc84taU + lHsd7DypxzytnDesGDHrFAlACnB81XxD1bqnik91+F4N6Q6Z7hraGoP+bgn0cuBT + Q6elOC/biRgm8z1TIMeldAfpbW8b3n2DhbPYH2hJil6tN0cjV/Fxxg9EY1lsMVL6 + r8/wOOzPd+DdLzOcQT/n3oNejweAxOkykrDJzo108vbq0t1zEwmGy2h4mrdEpQLj + 
1FFEJ4PxUos73A8SrGD2TkcT0Bqa7gQbF2/OR2VFR2aUJtU/Rw7cmRmT8FlBhDYw + b0zlhitkt8H6LESJAEn+ucTTu/mg4jcPrckovaMlVcFzcCjtogSQJBH3kgvDV33S + UQEx0TpwUkQtp3OBzTQKe82JtBSDKbpzePSHifJ9eNLI5yxDxNm+faBZSDTcVl3P + fXb9AUsUqHEB7powPqkRQMlDMcZ5iQWnpS3LKMc8RL9GMw== + =n+nq + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.7.3