diff --git a/hosts/remilia/mailserver.nix b/hosts/remilia/mailserver.nix
index 2871d51..bdcf8b3 100644
--- a/hosts/remilia/mailserver.nix
+++ b/hosts/remilia/mailserver.nix
@@ -6,15 +6,13 @@
     sendingFqdn = fqdn;
     domains = singleton "weirdnatto.in";
     certificateDomains = singleton "mail.weirdnatto.in";
-    certificateScheme = 2;
+    certificateScheme = 3;
     loginAccounts = {
       "natto@weirdnatto.in" = {
         hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key";
-        aliases = [ "@weirdnatto.in" ];
       };
       "masti@weirdnatto.in" = {
         hashedPasswordFile = "/var/secrets/masti@weirdnatto.in.key";
-        aliases = [ "@weirdnatto.in" ];
       };
     };
     enablePop3 = false;
diff --git a/hosts/remilia/services.nix b/hosts/remilia/services.nix
index c536987..5d6274d 100755
--- a/hosts/remilia/services.nix
+++ b/hosts/remilia/services.nix
@@ -13,29 +13,46 @@
     };
     nginx = {
       enable = true;
-      package = (pkgs.nginx.overrideAttrs (oa: {
-        configureFlags = oa.configureFlags ++ [ "--with-mail" "--with-mail_ssl_module" ];
-      }));
+      clientMaxBodySize = "512m";
+      package = pkgs.nginx.override {
+        withMail = true;
+      };
+      appendHttpConfig = ''
+        map $uri $expires {
+          default off;
+          ~\.(jpg|jpeg|png|gif|ico|css|js|pdf)$ 30d;
+        }
+      '';
       virtualHosts =
         let
           genericHttpRProxy = { addr, ssl ? true, conf ? "" }: {
-            addSSL = true;
+            addSSL = ssl;
             enableACME = ssl;
             locations."/" = {
               proxyPass = toString addr;
               extraConfig = ''
+                expires $expires;
                 proxy_set_header Host $host;
               '' + conf;
             };
           };
         in
         {
+          "weirdnatto.in" = {
+            addSSL = true;
+            enableACME = true;
+            locations."/" = {
+              root = "/var/lib/site";
+              index = "index.html";
+            };
+            serverAliases = [ "www.weirdnatto.in" ];
+          };
           "vault.weirdnatto.in" = genericHttpRProxy { addr = "https://10.55.0.2:8800"; };
           "consul.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8500"; };
-          "ci.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:6666"; };
-          "radio.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.3:8000"; };
+          "f.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8888"; };
+          "radio.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.3:8001"; };
           "git.weirdnatto.in" = genericHttpRProxy {
-            addr = "http://10.55.0.2:5000";
+            addr = "http://10.55.0.2:5001";
             conf = "client_max_body_size 64M;";
           };
           "nomad.weirdnatto.in" = genericHttpRProxy {
@@ -45,60 +62,21 @@
               proxy_read_timeout 310s;
             '';
           };
-          "weirdnatto.in" = {
-            addSSL = true;
-            enableACME = true;
-            locations."/".proxyPass = "http://10.55.0.2:80";
-            serverAliases = [ "www.weirdnatto.in" ];
+          "alo.weirdnatto.in" = genericHttpRProxy {
+            addr = "http://10.55.0.2:4004";
+            conf = ''
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            '';
           };
         };
     };
-    vault-agent = {
-      enable = true;
-      settings = {
-        vault = {
-          address = "https://10.55.0.2:8800";
-          client_cert = "/var/certs/cert.pem";
-          client_key = "/var/certs/key.pem";
-        };
-        auto_auth = {
-          method = [
-            {
-              "cert" = {
-                name = "Remilia";
-              };
-            }
-          ];
-        };
-        template = [
-          {
-            source = pkgs.writeText "wg.tpl" ''
-              {{ with secret "kv/systems/Remilia/wg" }}{{ .Data.data.private }}{{ end }}
-            '';
-            destination = "/var/secrets/wg.key";
-          }
-          {
-            source = pkgs.writeText "natto@weirdnatto.in.tpl" ''
-              {{ with secret "kv/systems/Remilia/mail" }}{{ .Data.data.nattomail }}{{ end }}
-            '';
-            destination = "/var/secrets/natto@weirdnatto.in.key";
-          }
-          {
-            source = pkgs.writeText "masti@weirdnatto.in.tpl" ''
-              {{ with secret "kv/systems/Remilia/mail" }}{{ .Data.data.mastimail }}{{ end }}
-            '';
-            destination = "/var/secrets/masti@weirdnatto.in.key";
-          }
-        ];
-      };
-    };
-
   };
 
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCH975XCps+VCzo8Fpp5BkbtiFmj9y3//FBVYlQ7/yo"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0jyHWuWBKzucnARINqQ/A0AFPghxayh0DDthbpOhaz"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMu+SbTrfE62nT7gkZCwiOVOlI2TkVz+RJQ49HbnHvnQ"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFyKi0HYfkgvEDvjzmDRGwAq2z2KOkfv7scTVSnonBh"
   ];
   security.acme = {
@@ -106,7 +84,8 @@
     certs = {
       "weirdnatto.in".extraDomainNames = lib.singleton "www.weirdnatto.in";
     } //
-    lib.mapAttrs' (n: _: lib.nameValuePair n ({ email = "natto@weirdnatto.in"; })) config.services.nginx.virtualHosts;
+    lib.mapAttrs (n: _: { email = "natto@weirdnatto.in"; })
+      (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
   };
   security.pki.certificateFiles = [ ../../cert.pem ];
 }