diff --git a/machines/celebrian/configuration.nix b/machines/celebrian/configuration.nix
index 1f29b7a..3148eff 100644
--- a/machines/celebrian/configuration.nix
+++ b/machines/celebrian/configuration.nix
@@ -8,6 +8,7 @@
     [ # Include the results of the hardware scan.
       ../../profiles/base.nix
       ../../services/ssh.nix
+      ../../services/nginx.nix
     ];
 
 
@@ -100,31 +101,31 @@
 
 
 #vpn stuff
-  #need to run at fresh install to create namespace: headscale namespaces create <namespace_name> 
-  services.headscale = {
-    enable = true;
-    user = "headscale";
-    address = "127.0.0.1";
-	    port = 8080;
-    settings = {
-      logtail.enabled = false;
-      metrics_listen_addr = "127.0.0.1:9090";
-      server_url = "https://${"vpn."+config.networking.domain}";
-      dns_config = {
-        base_domain = "${config.networking.domain}";
-        magic_dns = true;
-        nameservers = [
-          "1.1.1.1"
-        ];
-      };
-
-      ##should really implement with fex github and kanidm
-      #oidc = {
-      #  issuer  = "{config.services.kanidm.serverSettings.origin}";
-      #  allowed_domains = Domains;
-      #};
-    };
-  };
+#  #need to run at fresh install to create namespace: headscale namespaces create <namespace_name> 
+#  services.headscale = {
+#    enable = true;
+#    user = "headscale";
+#    address = "127.0.0.1";
+#	    port = 8080;
+#    settings = {
+#      logtail.enabled = false;
+#      metrics_listen_addr = "127.0.0.1:9090";
+#      server_url = "https://${"vpn."+config.networking.domain}";
+#      dns_config = {
+#        base_domain = "${config.networking.domain}";
+#        magic_dns = true;
+#        nameservers = [
+#          "1.1.1.1"
+#        ];
+#      };
+#
+#      ##should really implement with fex github and kanidm
+#      #oidc = {
+#      #  issuer  = "{config.services.kanidm.serverSettings.origin}";
+#      #  allowed_domains = Domains;
+#      #};
+#    };
+#  };
 
   #tailscale
   services.tailscale.enable = true;
@@ -157,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
     checkReversePath = "loose";
     trustedInterfaces = [ "tailscale0" ];
     allowedUDPPorts = [
-      8096
       80
       443
+      6969
       #config.services.openssh.ports
       config.services.tailscale.port
       config.services.headscale.port
diff --git a/profiles/base.nix b/profiles/base.nix
index d66c8c6..4daa019 100644
--- a/profiles/base.nix
+++ b/profiles/base.nix
@@ -3,7 +3,7 @@
 imports =
     [ 
       ../packages/vim.nix
-      #./sops.nix
+      ./sops.nix
     ];
 
   #nix stuff
diff --git a/profiles/sops.nix b/profiles/sops.nix
index 258856c..0ddbf93 100644
--- a/profiles/sops.nix
+++ b/profiles/sops.nix
@@ -10,7 +10,8 @@
   # This will add secrets.yml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ../secrets/secrets.yaml;
+  sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml";
+  sops.validateSopsFiles = false;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
 			 "/etc/ssh/nixos"
@@ -24,6 +25,6 @@
 
   # This is the actual specification of the secrets.
   #sops.secrets."myservice/my_subdir/my_secret" = {};
-  sops.secrets."acme/certs/domeneshop" = {  };
+  sops.secrets."acme/certs" = {  };
 
 }
diff --git a/services/nginx.nix b/services/nginx.nix
index 754066f..543f207 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 let
   basicAuthUser = "guest";
-  basicAuthPass = "12345678"; 
+  basicAuthPass = ""; 
 in
-{
+{  
 
   #acme and certs helpful blog https://carjorvaz.com/posts/
   security.acme = {
@@ -15,7 +15,7 @@ in
       extraDomainNames = [ "*.${config.networking.domain}"   "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
       dnsProvider = "domeneshop";   # from here according to privider https://go-acme.github.io/lego/dns/ 
       dnsPropagationCheck = true;
-      credentialsFile =  config.sops.secrets."acme/certs/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
+      credentialsFile =  config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
     };
   };
 
@@ -39,37 +39,62 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts.${"vpn."+config.networking.domain} = {
+
+    virtualHosts.${"managment.funn-nas.lauterer.it"} = {
       forceSSL = true;
       useACMEHost = "${config.networking.domain}";
       locations."/" = {
         proxyWebsockets = true;
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyPass = "http://100.104.182.48";
+      };
+      basicAuth = {
+        guest = basicAuthPass;
       };
     };
 
-    virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
+    virtualHosts.${"funn-nas.lauterer.it"} = {
       forceSSL = true;
       useACMEHost = "${config.networking.domain}";
       locations."/" = {
         proxyWebsockets = true;
-        proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
-
+        proxyPass = "https://100.104.182.48:30044";
+      };
+      basicAuth = {
+        guest = basicAuthPass;
       };
     };
 
-    virtualHosts.${"jellyfin."+config.networking.domain} = {
-      forceSSL = true;
-      #enableACME = true;
-      useACMEHost = "${config.networking.domain}";
-      locations."/" = {
-        proxyPass = "http://jellyfin.galadriel";
-        proxyWebsockets = true;
-        basicAuth = {
-          guest = basicAuthPass;
-        };
-      };
-    };
+   # virtualHosts.${"vpn."+config.networking.domain} = {
+   #   forceSSL = true;
+   #   useACMEHost = "${config.networking.domain}";
+   #   locations."/" = {
+   #     proxyWebsockets = true;
+   #     proxyPass = "http://localhost:${toString config.services.headscale.port}";
+   #   };
+   # };
+
+   # virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
+   #   forceSSL = true;
+   #   useACMEHost = "${config.networking.domain}";
+   #   locations."/" = {
+   #     proxyWebsockets = true;
+   #     proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
+
+   #   };
+   # };
+
+   # virtualHosts.${"jellyfin."+config.networking.domain} = {
+   #   forceSSL = true;
+   #   #enableACME = true;
+   #   useACMEHost = "${config.networking.domain}";
+   #   locations."/" = {
+   #     proxyPass = "http://jellyfin.galadriel";
+   #     proxyWebsockets = true;
+   #     basicAuth = {
+   #       guest = basicAuthPass;
+   #     };
+   #   };
+   # };
   };
 
 
diff --git a/services/ssh.nix b/services/ssh.nix
index 328b77b..37e5514 100644
--- a/services/ssh.nix
+++ b/services/ssh.nix
@@ -13,13 +13,13 @@
     startWhenNeeded = true;
     ports = [ 6969 ];
     openFirewall = true;
-    settings.Ciphers = [
-      "chacha20-poly1305@openssh.com"
-      "aes256-gcm@openssh.com"
-      "aes128-gcm@openssh.com"
-      "aes256-ctr"
-      # remove some weaker ciphers
-    ];
+    #settings.Ciphers = [
+    #  "chacha20-poly1305@openssh.com"
+    #  "aes256-gcm@openssh.com"
+    #  "aes128-gcm@openssh.com"
+    #  "aes256-ctr"
+    #  # remove some weaker ciphers
+    #];
   };
   services.endlessh = {
     enable = true;