diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index 145b2137b..7c1071945 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -18,8 +18,10 @@ in {
     "${depot.depotPath}/ops/nixos/clbot.nix"
     "${depot.depotPath}/ops/nixos/depot.nix"
     "${depot.depotPath}/ops/nixos/smtprelay.nix"
+    "${depot.depotPath}/ops/nixos/sourcegraph.nix"
     "${depot.depotPath}/ops/nixos/tvl-slapd/default.nix"
     "${depot.depotPath}/ops/nixos/tvl-sso/default.nix"
+    "${depot.depotPath}/ops/nixos/www/cs.tvl.fyi.nix"
     "${depot.depotPath}/ops/nixos/www/login.tvl.fyi.nix"
     "${depot.depotPath}/ops/nixos/www/tvl.fyi.nix"
   ];
@@ -108,7 +110,7 @@ in {
       interface = "enp196s0";
     };
 
-    firewall.allowedTCPPorts = [ 22 80 443 ];
+    firewall.allowedTCPPorts = [ 22 80 443 4238 ];
 
     interfaces.enp196s0.useDHCP = true;
     interfaces.enp196s0.ipv6.addresses = [
@@ -187,6 +189,9 @@ in {
     };
   };
 
+  # Run a SourceGraph code search instance
+  services.depot.sourcegraph.enable = true;
+
   environment.systemPackages = with nixpkgs; [
     bb
     curl
diff --git a/ops/nixos/www/cs.tvl.fyi.nix b/ops/nixos/www/cs.tvl.fyi.nix
new file mode 100644
index 000000000..ed2adcbf8
--- /dev/null
+++ b/ops/nixos/www/cs.tvl.fyi.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts."cs.tvl.fyi" = {
+      serverName = "cs.tvl.fyi";
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        location = / {
+          return 301 https://cs.tvl.fyi/depot;
+        }
+
+        location / {
+          proxy_set_header X-Sg-Auth "Anonymous";
+          proxy_pass http://localhost:${toString config.services.depot.sourcegraph.port};
+        }
+
+        location /users/Anonymous/settings {
+          return 301 https://cs.tvl.fyi;
+        }
+      '';
+    };
+  };
+}