diff --git a/hetzner-vpn1.nix b/hetzner-vpn1.nix
index f31a445..b6a9e56 100644
--- a/hetzner-vpn1.nix
+++ b/hetzner-vpn1.nix
@@ -19,5 +19,60 @@
 ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
 ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@zerforschen.plus";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+
+ virtualHosts = {
+ "vscode.services.zerforschen.plus" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ extraConfig = ''
+ #proxy_set_header Host vinzenz-lpt2.donkey-pentatonic.ts.net;
+ proxy_ssl_verify = false;
+ '';
+ proxyPass = "https://vinzenz-lpt2.donkey-pentatonic.ts.net:8542/";
+ proxyWebsockets = true;
+ };
+ };
+
+ "preon-app.services.zerforschen.plus" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000/";
+ };
+ };
+
+ "preon-api.services.zerforschen.plus" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3002/";
+ };
+ };
+ };
+ };
+
+ networking.firewall = {
+ checkReversePath = "loose";
+ allowedTCPPortRanges = [
+ {
+ from = 5000;
+ to = 5005;
+ }
+ ];
+ allowedTCPPorts = [80 443];
+ };
 };
 }
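Review bot: In the `extraConfig` of the vscode virtual host, `proxy_ssl_verify = false;` is not valid nginx syntax (the directive takes `on` or `off`, with no `=`), so nginx will most likely reject the generated configuration. Because the nginx default is already `off`, the upstream certificate of the tailnet host goes unverified either way; either drop the line, or enable checking with `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on;`. All three virtual hosts set `addSSL = true`, which keeps serving plain HTTP next to HTTPS; `forceSSL = true;` would redirect instead, so editor sessions and API traffic are not reachable in cleartext. The firewall block also opens TCP 5000–5005 although nothing in this hunk listens there, so a comment naming the service behind that range (or removing it) would make the exposure reviewable. The enclosing attribute set starts outside the hunk.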