diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix
new file mode 100644
index 0000000..76f7414
--- /dev/null
+++ b/systems/x86_64-linux/sgx/acme.nix
@@ -0,0 +1,23 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ sops.secrets.internetbs = {
+ sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "harald@hoyer.xyz";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.sops.secrets.internetbs.path;
+ };
+ certs = {
+ "internal.hoyer.world" = { };
+ };
+ };
+}
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index a49666d..cd67e5b 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@@ -11,6 +11,8 @@
 ./backup.nix
 ./network.nix
 ./openwebui.nix
+ ./acme.nix
+ ./nginx.nix
 ];
 
 sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
diff --git a/systems/x86_64-linux/sgx/nginx.nix b/systems/x86_64-linux/sgx/nginx.nix
new file mode 100644
index 0000000..18fdb1b
--- /dev/null
+++ b/systems/x86_64-linux/sgx/nginx.nix
@@ -0,0 +1,29 @@
+{ pkgs, lib, ... }:
+{
+ users.users.nginx.extraGroups = [ "acme" ];
+ services.nginx = {
+ enable = true;
+ clientMaxBodySize = "1000M";
+ appendHttpConfig = ''
+ log_format vcombined '$host:$server_port '
+ '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log vcombined;
+ '';
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "internal.hoyer.world" = {
+ enableACME = false;
+ useACMEHost = "internal.hoyer.world";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${config.services.open-webui.port}";
+ };
+ };
+ };
+ };
+}
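Review bot: The credentials secret in acme.nix is named `internetbs` and lives under `.secrets/hetzner/internetbs.yaml`, yet the same hunk sets `dnsProvider = "cloudflare"`, so the environment file lego reads via `credentialsFile` must contain Cloudflare variables (for example `CLOUDFLARE_DNS_API_TOKEN=<token>`), not an InternetBS credential; if the file really holds InternetBS data the DNS-01 challenge for `internal.hoyer.world` will fail at first renewal. Either the secret name or the provider looks wrong, and naming the secret after what it actually is (e.g. `sops.secrets.cloudflare-dns`) would make the mismatch impossible to miss. Since this token sits on disk for the lifetime of the host, a token scoped to DNS edits on that one zone limits what a leak of the file exposes; a short `#` comment next to `credentialsFile` stating which variables the file is expected to provide would help the next maintainer.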
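Review bot: nginx.nix will not evaluate as written: the module header `{ pkgs, lib, ... }:` does not bind `config`, but `proxyPass` near the end of the hunk interpolates `config.services.open-webui.port`, and that option is an integer (openwebui.nix sets `port = 8080;`), which Nix refuses to coerce inside `${…}`. Change the header to `{ pkgs, lib, config, ... }:` and the location to `proxyPass = "http://127.0.0.1:${toString config.services.open-webui.port}";`. Separately, openwebui.nix still sets `host = "0.0.0.0"`, so with `openFirewall` dropped the backend continues to listen on every interface and is shielded only by the host firewall; binding it to `127.0.0.1` would make the TLS-terminating proxy the sole entry point. The hunk also adds no `networking.firewall.allowedTCPPorts = [ 80 443 ]`, so unless network.nix (not shown) opens them the new vhost is reachable only locally, which may be intended for an "internal" host but is worth a comment.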
diff --git a/systems/x86_64-linux/sgx/openwebui.nix b/systems/x86_64-linux/sgx/openwebui.nix
index 3bd2995..009acc6 100644
--- a/systems/x86_64-linux/sgx/openwebui.nix
+++ b/systems/x86_64-linux/sgx/openwebui.nix
@@ -4,7 +4,6 @@
 enable = true;
 port = 8080;
 host = "0.0.0.0";
- openFirewall= true;
 environment = {
 ANONYMIZED_TELEMETRY = "False";
 DO_NOT_TRACK = "True";