diff --git a/hosts/shan/default.nix b/hosts/shan/default.nix
index 2b9e51a..3eb93f6 100644
--- a/hosts/shan/default.nix
+++ b/hosts/shan/default.nix
@@ -1,6 +1,7 @@
 {
 modulesPath,
 pubkeys,
+ config,
 ...
 }:
 {
@@ -35,12 +36,8 @@
 container = {
 kitchenowl = {
 enable = true;
- openFirewall = true;
 version = "v0.6.4";
 };
- nginxproxymanager = {
- enable = true;
- };
 };
 server = {
@@ -131,6 +128,56 @@
 };
 };
 };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "contact@ccnlc.eu";
+ dnsProvider = "ovh";
+ environmentFile = "/run/secrets/ovh";
+ };
+
+ certs."ccnlc.eu" = {
+ group = "nginx";
+ extraDomainNames = [ "*.ccnlc.eu" ];
+ };
+ };
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "100M";
+ virtualHosts =
+ let
+ mkVHLocal = mkVH "http://localhost";
+ mkVH = domain: port: {
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "${domain}:${toString port}";
+ extraConfig = ''
+ proxy_ssl_server_name on;
+ proxy_pass_header Authorization;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_http_version 1.1;
+ '';
+ };
+ useACMEHost = "ccnlc.eu";
+ };
+ in
+ {
+ "octoprint.ccnlc.eu" = mkVHLocal config.services.octoprint.port;
+ "immich.ccnlc.eu" = mkVHLocal config.services.immich.port;
+ "jellyfin.ccnlc.eu" = mkVHLocal 8096;
+ "ntfy.ccnlc.eu" = mkVHLocal 9393;
+ "dav.ccnlc.eu" = mkVHLocal 5232;
+ "assistant.ccnlc.eu" = mkVHLocal config.services.home-assistant.config.http.server_port;
+ "kitchenowl.ccnlc.eu" = mkVHLocal config.modules.container.kitchenowl.port;
+ "navidrome.ccnlc.eu" = mkVHLocal config.services.navidrome.settings.Port;
+ "paperless.ccnlc.eu" = mkVHLocal config.modules.server.paperless.port;
+ "fritz.ccnlc.eu" = mkVH "http://192.168.178.1" 80;
+ "truenas.ccnlc.eu" = mkVH "https://192.168.178.21" 443;
+ };
+ };
 services = {
 openssh = {
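Review bot: The `fritz.ccnlc.eu` and `truenas.ccnlc.eu` entries publish the router's admin UI and the NAS management UI through the Internet-facing nginx with no source restriction — with `forceSSL`, the wildcard `*.ccnlc.eu` certificate and port 443 opened later in this patch, anyone who can reach the host lands directly on those login pages, and the only protection left is each upstream's own authentication. If those two names are meant for LAN/VPN use only, gate the proxied location with an `allow`/`deny` list (adjust the prefix to the real LAN), for instance via a `mkVHLan` wrapper that reuses `mkVH` as sketched below. Separately, `proxy_pass_header Authorization` only affects header fields in the *upstream response* (request headers such as Authorization already reach the backend), so the line is a no-op and can be dropped, and the `https://192.168.178.21` hop sets `proxy_ssl_server_name on` but no `proxy_ssl_verify`/`proxy_ssl_trusted_certificate`, so that TLS leg is unauthenticated — acceptable on a trusted LAN, but worth a one-line comment saying so. The enclosing top-level attribute set starts and ends outside this hunk.

```nix
# … unchanged: mkVHLocal / mkVH …
# LAN-only variant of mkVH: same vhost, but the proxied location only
# answers clients from the local network (adjust the prefix to the real LAN).
mkVHLan = domain: port:
  let vh = mkVH domain port; in
  vh // {
    locations."/" = vh.locations."/" // {
      extraConfig = vh.locations."/".extraConfig + ''
        allow 192.168.178.0/24;
        deny all;
      '';
    };
  };
# … unchanged: `in { … }` with the mkVHLocal entries …
"fritz.ccnlc.eu" = mkVHLan "http://192.168.178.1" 80;
"truenas.ccnlc.eu" = mkVHLan "https://192.168.178.21" 443;
```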
@@ -141,23 +188,15 @@
 };
 };
- jellyfin = {
- enable = true;
- openFirewall = true;
- };
-
- immich = {
- enable = true;
- openFirewall = true;
- host = "0.0.0.0";
- };
+ jellyfin.enable = true;
+ immich.enable = true;
 radicale = {
 enable = true;
 # Documentation at
 settings = {
 server = {
- hosts = [ "0.0.0.0:5232" ];
+ hosts = [ "127.0.0.1:5232" ];
 };
 auth = {
 type = "htpasswd";
@@ -178,7 +217,7 @@
 in
 {
 base-url = "https://ntfy.ccnlc.eu";
- listen-http = "0.0.0.0:9393";
+ listen-http = "127.0.0.1:9393";
 auth-default-access = "deny-all";
 behind-proxy = true;
 attachment-cache-dir = "${root}/attachments";
@@ -189,7 +228,6 @@
 octoprint = {
 enable = true;
- openFirewall = true;
 port = 5000;
 };
@@ -225,8 +263,8 @@
 };
 networking.firewall.allowedTCPPorts = [
- 5232
- 9393
+ 443
+ 80
 ];
 fileSystems = {
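Review bot: Removing `openFirewall` from the `octoprint` block leaves the service reachable only through the host firewall, but unlike the radicale and ntfy changes in this same patch it is not also bound to loopback; if the NixOS module's `host` option keeps its all-interfaces default (to be confirmed against the module), any additional interface (VPN, container bridge) or a later firewall change re-exposes OctoPrint on port 5000 with no nginx/TLS in front. For defense in depth, add `host = "127.0.0.1";` next to `port = 5000;`, which is all `mkVHLocal` needs and makes this block consistent with the `127.0.0.1:5232` and `127.0.0.1:9393` bindings above. The same question presumably applies to jellyfin on 8096, whose bind address is configured inside Jellyfin rather than in this file. The enclosing `services` attribute set starts and ends outside this hunk.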