diff --git a/profiles/http/default.nix b/profiles/http/default.nix
index eabcfa6..d539cd7 100644
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
@@ -1,111 +1,119 @@
 { config, pkgs, lib, ... }:
 let
-  mkDomain = subname: "${subname}.${config.networking.fqdn}";
+  inherit (config.pbsds.nginx) mkDomain allSubdomains;
 in
 {
-  # TODO: make these into nixos options with readonly=true
-  _module.args.mkDomain = mkDomain;
-  _module.args.allSubdomains = lib.pipe config.services.nginx.virtualHosts [
-    #(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
-    (lib.mapAttrsToList (domain: vhost: [ domain ]))
-    lib.flatten
-    (builtins.filter (domain: domain != "" && domain != "_"))
-    (lib.sort (x: y: x<y))
-  ];
-
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "pbsds+acme@hotmail.com"; # TODO: parametrize per host
-  #security.acme.defaults.renewInterval = "daily";
-  #security.acme.defaults.reloadServices
-
-  # https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
-  #security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
-  #security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
-  #security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
-  #security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
-
-  # DNS-based ACME:
-  # - https://go-acme.github.io/lego/dns/domeneshop/
-  # - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
-  #security.acme.defaults.dnsProvider = "domeneshop";
-  #security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.
-
-  services.nginx.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  # TODO:
-  #services.nginx.commonHttpConfig = ''
-  #  proxy_hide_header X-Frame-Options;
-  #'';
-  # TODO: Somehow distribute and add this to all location."/".extraConfig
-  #default = {
-  #  #useACMEHost = config.networking.fqdn;
-  #  forceSSL = true; # addSSL = true;
-  #  enableACME = true; #useACMEHost = acmeDomain;
-  #}
-  # TODO: Somehow distribute and add this to all location."/".extraConfig
-  #commonProxySettings = ''
-  #  proxy_set_header Host $host;
-  #  proxy_set_header X-Real-IP $remote_addr;
-  #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  #  proxy_set_header X-Forwarded-Proto $scheme;
-  #  proxy_set_header X-Forwarded-Host $host;
-  #  proxy_set_header X-Forwarded-Server $host;
-  #'';
-
-  services.nginx.recommendedGzipSettings = true;
-  services.nginx.recommendedOptimisation = true;
-  services.nginx.recommendedProxySettings = true;
-  services.nginx.recommendedTlsSettings = true;
-
-  # nginx return 444 for all nonexistent virtualhosts
-  services.nginx.virtualHosts."_" = {
-    addSSL = true;
-    sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
-    sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
-    extraConfig = "return 444;";
+  options.pbsds.nginx.mkDomain = lib.mkOption {
+    visible = false; internal = true; readOnly = true;
+    default = subname: "${subname}.${config.networking.fqdn}";
   };
-
-  /** /
-  services.nginx.virtualHosts."" = {
-    default = true;
-    forceSSL = false;
-    enableACME = false;
-    root = pkgs.writeTextDir "index.html" ''
-      <!DOCTYPE html>
-      no
-    '';
-  };
-  /**/
-
-  # Website tunnel
-  # TODO: remove
-  /** /
-  services.nginx.virtualHosts.${config.networking.fqdn} = {
-    forceSSL = true; # addSSL = true;
-    enableACME = true;
-    #acmeRoot = null; # use DNS
-    default = true;
-    serverAliases = map mkDomain [
-      "www"
-      #"*" # requires DNS ACME
+  options.pbsds.nginx.allSubdomains = lib.mkOption {
+    visible = false; internal = true; readOnly = true;
+    default = lib.pipe config.services.nginx.virtualHosts [
+      #(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
+      (lib.mapAttrsToList (domain: vhost: [ domain ]))
+      lib.flatten
+      (builtins.filter (domain: domain != "" && domain != "_"))
+      (lib.sort (x: y: x<y))
     ];
-    # The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
-    # TODO: 'nox' alias for everything
-    locations."/" = {
-      proxyPass = "http://pbuntu.pbsds.net";
-      proxyWebsockets = true;
-    };
   };
-  #services.nginx.virtualHosts.${mkDomain "www"} = {
-  #  addSSL = true;
-  #  useACMEHost = acmeDomain; #enableACME = true;
-  #  locations."/" = {
-  #    proxyPass = "http://pbuntu.pbsds.net";
-  #    proxyWebsockets = true;
-  #  };
-  #};
-  /**/
 
 
+  config = {
+
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = "pbsds+acme@hotmail.com"; # TODO: parametrize per host
+    #security.acme.defaults.renewInterval = "daily";
+    #security.acme.defaults.reloadServices
+
+    # https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
+    #security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
+    #security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
+    #security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
+    #security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
+
+    # DNS-based ACME:
+    # - https://go-acme.github.io/lego/dns/domeneshop/
+    # - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
+    #security.acme.defaults.dnsProvider = "domeneshop";
+    #security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.
+
+    services.nginx.enable = true;
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    # TODO:
+    #services.nginx.commonHttpConfig = ''
+    #  proxy_hide_header X-Frame-Options;
+    #'';
+    # TODO: Somehow distribute and add this to all location."/".extraConfig
+    #default = {
+    #  #useACMEHost = config.networking.fqdn;
+    #  forceSSL = true; # addSSL = true;
+    #  enableACME = true; #useACMEHost = acmeDomain;
+    #}
+    # TODO: Somehow distribute and add this to all location."/".extraConfig
+    #commonProxySettings = ''
+    #  proxy_set_header Host $host;
+    #  proxy_set_header X-Real-IP $remote_addr;
+    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #  proxy_set_header X-Forwarded-Proto $scheme;
+    #  proxy_set_header X-Forwarded-Host $host;
+    #  proxy_set_header X-Forwarded-Server $host;
+    #'';
+
+    services.nginx.recommendedGzipSettings = true;
+    services.nginx.recommendedOptimisation = true;
+    services.nginx.recommendedProxySettings = true;
+    services.nginx.recommendedTlsSettings = true;
+
+    # nginx return 444 for all nonexistent virtualhosts
+    services.nginx.virtualHosts."_" = {
+      addSSL = true;
+      sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+      sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+      extraConfig = "return 444;";
+    };
+
+    /** /
+    services.nginx.virtualHosts."" = {
+      default = true;
+      forceSSL = false;
+      enableACME = false;
+      root = pkgs.writeTextDir "index.html" ''
+        <!DOCTYPE html>
+        no
+      '';
+    };
+    /**/
+
+    # Website tunnel
+    # TODO: remove
+    /** /
+    services.nginx.virtualHosts.${config.networking.fqdn} = {
+      forceSSL = true; # addSSL = true;
+      enableACME = true;
+      #acmeRoot = null; # use DNS
+      default = true;
+      serverAliases = map mkDomain [
+        "www"
+        #"*" # requires DNS ACME
+      ];
+      # The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
+      # TODO: 'nox' alias for everything
+      locations."/" = {
+        proxyPass = "http://pbuntu.pbsds.net";
+        proxyWebsockets = true;
+      };
+    };
+    #services.nginx.virtualHosts.${mkDomain "www"} = {
+    #  addSSL = true;
+    #  useACMEHost = acmeDomain; #enableACME = true;
+    #  locations."/" = {
+    #    proxyPass = "http://pbuntu.pbsds.net";
+    #    proxyWebsockets = true;
+    #  };
+    #};
+    /**/
+
+  };
 }
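Review bot: The catch-all `services.nginx.virtualHosts."_"` block carried into `config` still terminates TLS with `acme.test.key.pem` from the nixpkgs test tree, a private key that is public, so the handshake on unknown hostnames authenticates nothing. Since the vhost only answers `return 444;`, replacing `addSSL = true;` and the two `sslCertificate*` lines with `rejectSSL = true;` would refuse the handshake without presenting any certificate (this uses `ssl_reject_handshake`, nginx 1.19.4 or later). Separately, both new `lib.mkOption` declarations have no `type` or `description`. Adding `type = lib.types.functionTo lib.types.str;` to `mkDomain` and `type = lib.types.listOf lib.types.str;` to `allSubdomains` would give the values a checked type and document what the service modules inherit.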
diff --git a/profiles/http/docs/default.nix b/profiles/http/docs/default.nix
index e1c910c..c5a0418 100644
--- a/profiles/http/docs/default.nix
+++ b/profiles/http/docs/default.nix
@@ -1,6 +1,8 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
 
 let
+  inherit (config.pbsds.nginx) mkDomain;
+
   cfg = config.services.docs-to-host;
 
   # https://pagefind.app/docs/ui-usage/
diff --git a/profiles/http/index/default.nix b/profiles/http/index/default.nix
index 979893d..b4adcff 100644
--- a/profiles/http/index/default.nix
+++ b/profiles/http/index/default.nix
@@ -1,5 +1,7 @@
-{ config, pkgs, lib, mkDomain, allSubdomains, ... }:
+{ config, pkgs, lib, ... }:
 let
+  inherit (config.pbsds.nginx) mkDomain allSubdomains;
+
   # TODO: support fully qualified urls as well
   # `null` means filter
   customDescriptions = rec {
diff --git a/profiles/http/services/attic.nix b/profiles/http/services/attic.nix
index 21f5c4d..4ba5409 100644
--- a/profiles/http/services/attic.nix
+++ b/profiles/http/services/attic.nix
@@ -1,4 +1,8 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 
 # attic - multi-tenant nix binary cache
 # https://docs.attic.rs/tutorial.html
diff --git a/profiles/http/services/censordodge.nix b/profiles/http/services/censordodge.nix
index 8544ec9..1651e19 100644
--- a/profiles/http/services/censordodge.nix
+++ b/profiles/http/services/censordodge.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # CensorDodge
   # A lightweight and customisable web proxy
diff --git a/profiles/http/services/cinny.nix b/profiles/http/services/cinny.nix
index b663b10..c827668 100644
--- a/profiles/http/services/cinny.nix
+++ b/profiles/http/services/cinny.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 
 lib.mkIf pkgs.unstable.cinny.meta.available # no CVE's thank you
 
diff --git a/profiles/http/services/convos.nix b/profiles/http/services/convos.nix
index aa170d1..17a1c18 100644
--- a/profiles/http/services/convos.nix
+++ b/profiles/http/services/convos.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Convos
   # The simplest way to use IRC in your browser
diff --git a/profiles/http/services/cryptpad.nix b/profiles/http/services/cryptpad.nix
index 9109fba..da6d198 100644
--- a/profiles/http/services/cryptpad.nix
+++ b/profiles/http/services/cryptpad.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
 
   # Cryptpad
diff --git a/profiles/http/services/element.nix b/profiles/http/services/element.nix
index a4a60ed..66155ef 100644
--- a/profiles/http/services/element.nix
+++ b/profiles/http/services/element.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Element-web
   # A glossy Matrix collaboration client for the web
diff --git a/profiles/http/services/flexget.nix b/profiles/http/services/flexget.nix
index fc9668e..117897b 100644
--- a/profiles/http/services/flexget.nix
+++ b/profiles/http/services/flexget.nix
@@ -3,7 +3,7 @@ let
   cfg = config.services.flexget;
 in
 
-# TODO: run in VM mode if we run transmission in the same VM
+# TODO: run in build-vm mode if we run transmission in the same machine
 lib.mkIf (!config.virtualisation.isVmVariant)
 
 {
diff --git a/profiles/http/services/galene.nix b/profiles/http/services/galene.nix
index 1003612..b3e37df 100644
--- a/profiles/http/services/galene.nix
+++ b/profiles/http/services/galene.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Galene
   # Videoconferencing server that is easy to deploy, written in Go
diff --git a/profiles/http/services/gitea.nix b/profiles/http/services/gitea.nix
index 5b1295e..e0d6354 100644
--- a/profiles/http/services/gitea.nix
+++ b/profiles/http/services/gitea.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Gitea
   # Git with a cup of tea
diff --git a/profiles/http/services/graphana.nix b/profiles/http/services/graphana.nix
index 1d314ec..f1662a5 100644
--- a/profiles/http/services/graphana.nix
+++ b/profiles/http/services/graphana.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Graphana
   # Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB
diff --git a/profiles/http/services/hedgedoc.nix b/profiles/http/services/hedgedoc.nix
index 4d1a320..05fa41f 100644
--- a/profiles/http/services/hedgedoc.nix
+++ b/profiles/http/services/hedgedoc.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
     # hedgedoc
     # Realtime collaborative markdown notes on all platforms
diff --git a/profiles/http/services/home-assistant.nix b/profiles/http/services/home-assistant.nix
index fb18c93..7eebdf5 100644
--- a/profiles/http/services/home-assistant.nix
+++ b/profiles/http/services/home-assistant.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
 
   # home-assistant
diff --git a/profiles/http/services/hydra.nix b/profiles/http/services/hydra.nix
index 6dac1bd..1a129d3 100644
--- a/profiles/http/services/hydra.nix
+++ b/profiles/http/services/hydra.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Hydra
   # Nix-based continuous build system
diff --git a/profiles/http/services/invidious.nix b/profiles/http/services/invidious.nix
index 02f328f..cb6c439 100644
--- a/profiles/http/services/invidious.nix
+++ b/profiles/http/services/invidious.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, mkDomain, ... }:
+{ config, pkgs, lib, inputs, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Invidious
   # An open source alternative front-end to YouTube
diff --git a/profiles/http/services/jellyfin.nix b/profiles/http/services/jellyfin.nix
index 79d9e4b..7be53bb 100644
--- a/profiles/http/services/jellyfin.nix
+++ b/profiles/http/services/jellyfin.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, mkDomain, ... }:
+{ config, pkgs, lib, inputs, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 
 # don't mount if local VM
 lib.mkIf (!config.virtualisation.isVmVariant)
diff --git a/profiles/http/services/jitsi-meet.nix b/profiles/http/services/jitsi-meet.nix
index 3b26d83..def0503 100644
--- a/profiles/http/services/jitsi-meet.nix
+++ b/profiles/http/services/jitsi-meet.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Jitsi meet
 
diff --git a/profiles/http/services/kukkee.nix b/profiles/http/services/kukkee.nix
index d7e32cb..d936a5e 100644
--- a/profiles/http/services/kukkee.nix
+++ b/profiles/http/services/kukkee.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Kukkee
   # Self-hosted Doodle alternative: a meeting poll tool
diff --git a/profiles/http/services/matrix-synapse.nix b/profiles/http/services/matrix-synapse.nix
index 47b8e9d..a465eaf 100644
--- a/profiles/http/services/matrix-synapse.nix
+++ b/profiles/http/services/matrix-synapse.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # matrix-synapse
   /**/
diff --git a/profiles/http/services/mattermost.nix b/profiles/http/services/mattermost.nix
index 62250f4..6815b0a 100644
--- a/profiles/http/services/mattermost.nix
+++ b/profiles/http/services/mattermost.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Mattermost
   # Open-source, self-hosted Slack-alternative
diff --git a/profiles/http/services/navidrome.nix b/profiles/http/services/navidrome.nix
index 5b79c3c..cdc67f4 100644
--- a/profiles/http/services/navidrome.nix
+++ b/profiles/http/services/navidrome.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 
 # don't mount if local VM
 lib.mkIf (!config.virtualisation.isVmVariant)
diff --git a/profiles/http/services/netdata.nix b/profiles/http/services/netdata.nix
index d3600a0..1b85e82 100644
--- a/profiles/http/services/netdata.nix
+++ b/profiles/http/services/netdata.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Netdata
   # Real-time performance monitoring tool
diff --git a/profiles/http/services/nitter.nix b/profiles/http/services/nitter.nix
index aa7263a..3147464 100644
--- a/profiles/http/services/nitter.nix
+++ b/profiles/http/services/nitter.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Nitter
   # Alternative Twitter front-end
diff --git a/profiles/http/services/ntopng.nix b/profiles/http/services/ntopng.nix
index 8af8fd5..88828c2 100644
--- a/profiles/http/services/ntopng.nix
+++ b/profiles/http/services/ntopng.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # ntopng
   # High-speed web-based traffic analysis and flow collection tool
diff --git a/profiles/http/services/openspeedtest.nix b/profiles/http/services/openspeedtest.nix
index d1e5a82..d51d550 100644
--- a/profiles/http/services/openspeedtest.nix
+++ b/profiles/http/services/openspeedtest.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # OpenSpeedtTest
   # Pure HTML5 Network Performance Estimation Tool
diff --git a/profiles/http/services/owncast.nix b/profiles/http/services/owncast.nix
index b955d7f..9dee9c7 100644
--- a/profiles/http/services/owncast.nix
+++ b/profiles/http/services/owncast.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
 
   # OwnCast
diff --git a/profiles/http/services/paperless.nix b/profiles/http/services/paperless.nix
index 0291c7e..787b48c 100644
--- a/profiles/http/services/paperless.nix
+++ b/profiles/http/services/paperless.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # paperless-ngx
   # A supercharged version of paperless: scan, index, and archive all of your physical documents
diff --git a/profiles/http/services/plex.nix b/profiles/http/services/plex.nix
index e85d14c..b97cf5c 100644
--- a/profiles/http/services/plex.nix
+++ b/profiles/http/services/plex.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, mkDomain, ... }:
+{ config, pkgs, lib, inputs, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 
 # don't mount if local VM
 lib.mkIf (!config.virtualisation.isVmVariant)
diff --git a/profiles/http/services/polaris.nix b/profiles/http/services/polaris.nix
index 0327192..8733bfb 100644
--- a/profiles/http/services/polaris.nix
+++ b/profiles/http/services/polaris.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Polaris
   # Self-host your music collection, and access it from any computer and mobile device
diff --git a/profiles/http/services/redlib.nix b/profiles/http/services/redlib.nix
index 17b0cd9..9d150ce 100644
--- a/profiles/http/services/redlib.nix
+++ b/profiles/http/services/redlib.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # redlib, previously libreddit
   # Private front-end for Reddit
diff --git a/profiles/http/services/resilio.nix b/profiles/http/services/resilio.nix
index ea3b91d..0c1cfeb 100644
--- a/profiles/http/services/resilio.nix
+++ b/profiles/http/services/resilio.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 
 # don't mount if local VM
 lib.mkIf (!config.virtualisation.isVmVariant)
diff --git a/profiles/http/services/roundcube.nix b/profiles/http/services/roundcube.nix
index dfcd5c9..8fe8814 100644
--- a/profiles/http/services/roundcube.nix
+++ b/profiles/http/services/roundcube.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Roundcube
   # Open Source Webmail Software
diff --git a/profiles/http/services/shlink.nix b/profiles/http/services/shlink.nix
index c477804..692eea9 100644
--- a/profiles/http/services/shlink.nix
+++ b/profiles/http/services/shlink.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Shlink
   # URL shortener with REST API and command line interface
diff --git a/profiles/http/services/snappymail.nix b/profiles/http/services/snappymail.nix
index cd602e6..505bed9 100644
--- a/profiles/http/services/snappymail.nix
+++ b/profiles/http/services/snappymail.nix
@@ -1,7 +1,8 @@
 # adapted from https://github.com/samrose/dotfiles-1/blob/8887ca3b01edecd83c2e95f01e42885ce26f76c5/nixos/eve/modules/snappymail.nix#L55
-{ pkgs, config, lib, mkDomain, ... }:
-
+{ pkgs, config, lib, ... }:
 let
+  inherit (config.pbsds.nginx) mkDomain;
+
   maxUploadSize = "256M";
   toKeyValue = lib.generators.toKeyValue {
     mkKeyValue = lib.generators.mkKeyValueDefault {} " = ";
diff --git a/profiles/http/services/sourcegraph.nix b/profiles/http/services/sourcegraph.nix
index 9cdcf3d..538d378 100644
--- a/profiles/http/services/sourcegraph.nix
+++ b/profiles/http/services/sourcegraph.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # Sourcegraph
   # Understand, fix, and automate across your codebase with this code intelligence platform
diff --git a/profiles/http/services/stickers.nix b/profiles/http/services/stickers.nix
index c631e88..6cebcbd 100644
--- a/profiles/http/services/stickers.nix
+++ b/profiles/http/services/stickers.nix
@@ -1,6 +1,9 @@
-{ config, lib, mkDomain, inputs, ... }:
+{ config, lib, inputs, ... }:
 
 let
+
+  inherit (config.pbsds.nginx) mkDomain;
+
   myStickerPicker = inputs.maunium-stickerpicker-nix.createStickerPicker {
     #homeserver = "https://matrix.pvv.ntnu.no";
     #userId = "@stickerbot:my.matrix.server";
diff --git a/profiles/http/services/tautulli.nix b/profiles/http/services/tautulli.nix
index d8ac8dd..2dfca99 100644
--- a/profiles/http/services/tautulli.nix
+++ b/profiles/http/services/tautulli.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, mkDomain, ... }:
+{ config, pkgs, lib, inputs, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
 
   # plex admin web ui
diff --git a/profiles/http/services/thelounge.nix b/profiles/http/services/thelounge.nix
index b2cfc84..b5d483c 100644
--- a/profiles/http/services/thelounge.nix
+++ b/profiles/http/services/thelounge.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # thelunge
   # The self-hosted Web IRC client
diff --git a/profiles/http/services/trivial-gradios/default.nix b/profiles/http/services/trivial-gradios/default.nix
index 160d013..d258329 100644
--- a/profiles/http/services/trivial-gradios/default.nix
+++ b/profiles/http/services/trivial-gradios/default.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # trivial gradios
 
diff --git a/profiles/http/services/vaultwarden.nix b/profiles/http/services/vaultwarden.nix
index 2d4896d..631ecb7 100644
--- a/profiles/http/services/vaultwarden.nix
+++ b/profiles/http/services/vaultwarden.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # vaultwarden
   # Unofficial Bitwarden compatible server written in Rust
diff --git a/profiles/http/services/webdav-zotero.nix b/profiles/http/services/webdav-zotero.nix
index 09cc607..1fc5fff 100644
--- a/profiles/http/services/webdav-zotero.nix
+++ b/profiles/http/services/webdav-zotero.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
 
   # webdav
diff --git a/profiles/http/sites/kuklefse.nix b/profiles/http/sites/kuklefse.nix
index db5674d..2b9a663 100644
--- a/profiles/http/sites/kuklefse.nix
+++ b/profiles/http/sites/kuklefse.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   services.nginx.virtualHosts."kuklef.se" = {
     forceSSL = true; # addSSL = true;
diff --git a/profiles/http/sites/linktree-pbsds.nix b/profiles/http/sites/linktree-pbsds.nix
index 6565baa..414c520 100644
--- a/profiles/http/sites/linktree-pbsds.nix
+++ b/profiles/http/sites/linktree-pbsds.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # links.pbsds.net
 
diff --git a/profiles/http/sites/refleksjon-no.nix b/profiles/http/sites/refleksjon-no.nix
index 68b6e3c..01e0f2d 100644
--- a/profiles/http/sites/refleksjon-no.nix
+++ b/profiles/http/sites/refleksjon-no.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, mkDomain, ... }:
+{ config, pkgs, lib, inputs, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # refleksjon.no
 
diff --git a/profiles/http/sites/roroslyd-no.nix b/profiles/http/sites/roroslyd-no.nix
index 9beaa1c..4d8a5fe 100644
--- a/profiles/http/sites/roroslyd-no.nix
+++ b/profiles/http/sites/roroslyd-no.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, mkDomain, ... }:
+{ config, pkgs, lib, inputs, ... }:
+let
+  inherit (config.pbsds.nginx) mkDomain;
+in
 {
   # roroslyd.no