diff --git a/hetzner-vpn1.nix b/hetzner-vpn1.nix
index c534929..7889803 100644
--- a/hetzner-vpn1.nix
+++ b/hetzner-vpn1.nix
@@ -37,10 +37,9 @@
 enableACME = true;
 locations."/" = {
 extraConfig = ''
- #proxy_set_header Host vinzenz-lpt2.donkey-pentatonic.ts.net;
- proxy_ssl_verify = false;
+ proxy_bind 100.88.118.60;
 '';
- proxyPass = "https://vinzenz-lpt2.donkey-pentatonic.ts.net:8542/";
+ proxyPass = "http://vinzenz-lpt2:8542/";
 proxyWebsockets = true;
 };
 };
diff --git a/vinzenz-lpt2.nix b/vinzenz-lpt2.nix
index cc9fe02..b52771d 100644
--- a/vinzenz-lpt2.nix
+++ b/vinzenz-lpt2.nix
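Review bot: The new `proxyPass = "http://vinzenz-lpt2:8542/";` carries the upstream leg as plain HTTP to a short hostname, so its confidentiality rests entirely on that name resolving to the tailnet address; if the resolver ever answers with a LAN or search-domain address, editor traffic leaves the tunnel unencrypted. Using the fully qualified tailnet name the old line had, `proxyPass = "http://vinzenz-lpt2.donkey-pentatonic.ts.net:8542/";`, or the peer's tailnet IP, removes that dependency. `proxy_bind 100.88.118.60;` would benefit from a comment such as `# source from this host's tailscale address` (presumably what that IP is; confirm), matching the `# tailscale` comment in vinzenz-lpt2.nix. The virtualHost block starts outside the hunk, so whether this public ACME vhost puts any authentication in front of the code server is not visible here and is worth confirming.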
@@ -43,95 +43,17 @@
 ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ssh-host-key''
 ];
- # TODO: move to own module
 services.openvscode-server = {
 enable = true;
 telemetryLevel = "off";
 port = 8542;
- host = "127.0.0.1";
+ host = "100.103.93.126"; # tailscale
 extraPackages = with pkgs; [nodejs];
 };
- services.nginx = {
- enable = true;
- virtualHosts = {
- "vscode" = {
- serverName = "vinzenz-lpt2";
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:8542";
- extraConfig = ''
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $host;
- '';
- };
- };
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 5000;
- ssl = true;
- }
- ];
-
- serverAliases = ["localhost" "vinzenz-lpt2.lan"];
- addSSL = true;
- sslCertificateKey = "/etc/nginx-secrets/nginx-selfsigned.key";
- sslCertificate = "/etc/nginx-secrets/nginx-selfsigned.crt";
- };
- "app" = {
- serverName = "vinzenz-lpt2";
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:3000/";
- };
- };
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 5001;
- ssl = true;
- }
- ];
-
- serverAliases = ["localhost" "vinzenz-lpt2.lan"];
- addSSL = true;
- sslCertificateKey = "/etc/nginx-secrets/nginx-selfsigned.key";
- sslCertificate = "/etc/nginx-secrets/nginx-selfsigned.crt";
- };
- "api" = {
- serverName = "vinzenz-lpt2";
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:3002/";
- };
- };
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 5002;
- ssl = true;
- }
- ];
-
- serverAliases = ["localhost" "vinzenz-lpt2.lan"];
- addSSL = true;
- sslCertificateKey = "/etc/nginx-secrets/nginx-selfsigned.key";
- sslCertificate = "/etc/nginx-secrets/nginx-selfsigned.crt";
- };
- };
+ networking.firewall = {
+ checkReversePath = "loose";
+ allowedTCPPorts = [8542];
 };
-
- networking.firewall.allowedTCPPortRanges = [
- {
- from = 5000;
- to = 5005;
- }
- ];
 };
 }
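Review bot: `allowedTCPPorts = [8542];` opens the port in the firewall on every interface, although the `host = "100.103.93.126"; # tailscale` line shows the service is meant to be reachable over Tailscale only. Scoping the rule to the tunnel interface, `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [8542];` (interface name assumed; confirm against the Tailscale config), keeps the port closed elsewhere even if the bind address is later changed. `checkReversePath = "loose";` relaxes reverse-path filtering for the whole host and should carry a comment saying why it is needed, for example `# required for tailscale routing`, if that is the reason. With the local nginx TLS front removed, openvscode-server now answers tailnet peers directly over plain HTTP, so access depends on tailnet ACLs and the server's connection token; no token setting is visible in this hunk, so it is worth confirming one is configured.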