diff --git a/machines/compute01/kanidm/default.nix b/machines/compute01/kanidm/default.nix
index f88d070..ad2ab6b 100644
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@@ -8,9 +8,8 @@ let
 inherit (lib) escapeRegex concatStringsSep;
- host = "sso.dgnum.eu";
+ domain = "sso.dgnum.eu";
 port = 8443;
- domain = host;
 cert = config.security.acme.certs.${domain};
@@ -41,7 +40,7 @@ in
 origin = "https://${domain}";
- bindaddress = "127.0.0.1:8443";
+ bindaddress = "127.0.0.1:${builtins.toString port}";
 ldapbindaddress = "0.0.0.0:636";
 trust_x_forward_for = true;
@@ -53,40 +52,51 @@ in
 users.users.kanidm.extraGroups = [ cert.group ];
- dgn-web.simpleProxies.kanidm = {
- inherit host port;
- vhostConfig.locations."/".extraConfig = ''
- if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
- return 444;
- }
+ dgn-web.internalPorts.kanidm = port;
- set $origin $http_origin;
+ services.nginx = {
+ enable = true;
- if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
- set $origin 'https://${domain}';
- }
+ virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "https://127.0.0.1:${builtins.toString port}";
- proxy_hide_header Access-Control-Allow-Origin;
+ extraConfig = ''
+ if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
+ return 444;
+ }
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' "$origin" always;
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
- add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
+ set $origin $http_origin;
- add_header Access-Control-Max-Age 1728000;
- add_header Content-Type 'text/plain charset=UTF-8';
- add_header Content-Length 0;
- return 204;
- }
+ if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
+ set $origin 'https://${domain}';
+ }
- if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
- add_header Access-Control-Allow-Origin "$origin" always;
- add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
- add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
- add_header Access-Control-Allow-Credentials true always;
- }
- '';
+ proxy_hide_header Access-Control-Allow-Origin;
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' "$origin" always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+
+ add_header Access-Control-Max-Age 1728000;
+ add_header Content-Type 'text/plain charset=UTF-8';
+ add_header Content-Length 0;
+ return 204;
+ }
+
+ if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
+ add_header Access-Control-Allow-Origin "$origin" always;
+ add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
+ add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
+ add_header Access-Control-Allow-Credentials true always;
+ }
+ '';
+ };
+ };
 };
 networking.firewall.allowedTCPPorts = [ 636 ];
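Review bot: The new `locations."/"` block proxies to kanidm without any `proxy_set_header X-Forwarded-For` line, while the first hunk keeps `trust_x_forward_for = true;`, so an `X-Forwarded-For` header supplied by the client is passed through nginx unchanged (nginx forwards unrecognised request headers to the upstream by default) and kanidm will record it as the client address. Unless `services.nginx.recommendedProxySettings` is enabled elsewhere in this configuration, or the removed `dgn-web.simpleProxies` helper was the only thing that used to set it, add `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` to the `extraConfig` block; `$remote_addr` rather than `$proxy_add_x_forwarded_for` so a client-supplied chain cannot be prepended, since how kanidm picks an address out of a multi-valued header is not visible here. Separately, the origin allow-list regex `'^https?://(...)$'` still admits plain-http origins while `Access-Control-Allow-Credentials true` is reflected back with them; if every entry in `allowedDomains` is served over TLS, `'^https://(...)$'` is the tighter match. The definition of `allowedDomains` and the attribute set enclosing this hunk start outside it.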