diff --git a/hosts/plover/config/wezterm/config.lua b/hosts/plover/config/wezterm/config.lua
new file mode 100644
index 00000000..6c475549
--- /dev/null
+++ b/hosts/plover/config/wezterm/config.lua
@@ -0,0 +1,7 @@
+return {
+ tls_servers = {
+ pem_private_key = "@CERT_DIR@/key.pem",
+ pem_cert = "@CERT_DIR@/cert.pem",
+ pem_ca = "@CERT_DIR@/fullchain.pem",
+ }
+}
diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index e3622504..33f2af15 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -40,6 +40,7 @@ in
 ./modules/services/portunus.nix
 ./modules/services/vaultwarden.nix
 ./modules/services/wireguard.nix
+ ./modules/services/wezterm-mux-server.nix
 ];
 # Automatic format and partitioning.
diff --git a/hosts/plover/modules/services/wezterm-mux-server.nix b/hosts/plover/modules/services/wezterm-mux-server.nix
new file mode 100644
index 00000000..8f7a7d3e
--- /dev/null
+++ b/hosts/plover/modules/services/wezterm-mux-server.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+# We're setting up Wezterm mux server with TLS domains.
+let
+ weztermDomain = "mux.${config.networking.domain}";
+ configFile = pkgs.substituteAll {
+ src = ../../config/wezterm/config.lua;
+ CERT_DIR = config.security.acme.certs."${weztermDomain}".directory;
+ };
+in
+{
+ services.wezterm-mux-server = {
+ inherit configFile;
+ enable = true;
+ };
+
+ security.acme.certs."${weztermDomain}" = {
+ group = "wezterm";
+ postRun = ''
+ systemctl restart wezterm-mux-server.service
+ '';
+ };
+}
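Review bot: In `config.lua`, `tls_servers` is written as a single table of PEM paths, but WezTerm documents it as a list of server entries, each with a `bind_address`, so this file probably defines no usable listener. The expected shape is `tls_servers = { { bind_address = "<HOST:PORT placeholder>", pem_private_key = "@CERT_DIR@/key.pem", ... } }`. The file also never states which CA client certificates are verified against (`pem_root_certs` is not set). With a publicly trusted ACME chain in `pem_ca`, confirm that the accepted client set is what you intend, and put a comment on the trust decision next to the paths.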
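Review bot: In `wezterm-mux-server.nix`, the certificate directory is handed to group `wezterm`, but nothing in this file declares that group or shows which user and group the mux server runs as. If `services.wezterm-mux-server` does not create it, either the ACME unit fails or the service cannot read `key.pem`. Declaring `users.groups.wezterm = { };` here, or referencing the service's own group option if it has one, would make the key's readers explicit. The `postRun` hook can be replaced by `reloadServices = [ "wezterm-mux-server.service" ];`, which avoids a hand-written root shell snippet. A restart on renewal presumably drops attached sessions, so a short comment saying that is accepted would help.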