diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index bdb86ce..d9ce6e5 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -13,7 +13,7 @@ ./nur.nix # ./factorio.nix # TODO ./nginx.nix - # ./cryptpad.nix + ./cryptpad.nix ./hedgedoc.nix ./secrets # TODO monitoring diff --git a/machines/public-cof/cryptpad.js b/machines/public-cof/cryptpad.js index b08412f..de93779 100644 --- a/machines/public-cof/cryptpad.js +++ b/machines/public-cof/cryptpad.js @@ -40,7 +40,7 @@ module.exports = { * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * */ - httpUnsafeOrigin: 'http://localhost:3000/', + httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then @@ -58,7 +58,7 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - // httpSafeOrigin: "https://some-other-domain.xyz", + httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf", /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 @@ -102,11 +102,11 @@ module.exports = { * which can be found on the settings page for registered users. * Entries should be strings separated by a comma. */ -/* + adminKeys: [ - //"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=", + "https://pads.beta.rz.ens.wtf/user/#/1/raito/W1vJY5Mq+8+5SveZAYe0wYRthS88jQIV-Fwf0s36uas=" ], -*/ + /* CryptPad's administration panel includes a "support" tab * wherein administrators with a secret key can view messages @@ -154,7 +154,7 @@ module.exports = { * * hint: 50MB is 50 * 1024 * 1024 */ - //defaultStorageLimit: 50 * 1024 * 1024, + defaultStorageLimit: 50 * 1024 * 1024, /* ===================== 
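Review bot: The two origins set in the cryptpad.js hunks at -40 and -58 are written inconsistently, `httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/'` with a trailing slash and `httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf"` without one. Both values feed the sandbox separation described in the comment above them, and unless this CryptPad version normalizes origins itself (nothing visible here says so) a mismatch tends to surface as a blank sandbox or a checkup warning rather than a clear error, so writing both the same way, `httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf',`, removes the doubt. The same two hostnames are also spelled out by hand in cryptpad.nix as `main_domain` and `sandbox_domain`; a comment pointing at that file, `// must match main_domain / sandbox_domain in cryptpad.nix`, would keep the two from drifting.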
diff --git a/machines/public-cof/cryptpad.nix b/machines/public-cof/cryptpad.nix index bcf6a6d..34ea287 100644 --- a/machines/public-cof/cryptpad.nix +++ b/machines/public-cof/cryptpad.nix @@ -1,10 +1,12 @@ -{ ... }: +{ pkgs, ... }: let subZone = "beta.rz.ens.wtf"; - main_domain = "pads." + subZone; - api_domain = "api." + main_domain; - files_domain = "files." + main_domain; - sandbox_domain = "sandbox." + main_domain; + main_domain = "pads.${subZone}"; + sandbox_domain = "sandbox.${main_domain}"; + # TODO: later + api_domain = "api.${main_domain}"; + files_domain = "files.${main_domain}"; + port = 3000; in { services.cryptpad = { @@ -13,17 +15,21 @@ in }; environment.etc."cryptpad/config.js".source = ./cryptpad.js; + systemd.services.nginx = { + serviceConfig.BindReadOnlyPaths = [ + "/var/lib/private/cryptpad:/www/cryptpad" + ]; + }; + services.nginx.virtualHosts = { - "pads.beta.rz.ens.wtf" = { + "${main_domain}" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://localhost:3000"; - }; - }; - /* + serverAliases = [ sandbox_domain ]; extraConfig = '' + root ${pkgs.cryptpad}/lib/node_modules/cryptpad; + index index.html; + # CryptPad serves static assets over these two domains. # `main_domain` is what users will enter in their address bar. # Privileged computation such as key management is handled in this scope 
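Review bot: The new `systemd.services.nginx.serviceConfig.BindReadOnlyPaths` entry makes `/var/lib/private/cryptpad` visible to nginx at `/www/cryptpad`, but a bind mount does not change permission bits: state directories under `/var/lib/private` are normally created 0700 for the owning service's dynamic user, so the `nginx` user presumably still cannot read `/www/cryptpad/blob/...` unless a group-readable state directory or an ACL is configured somewhere not shown here — verify that a blob fetch returns 200 rather than 403 before relying on the static path. A short comment on the entry, `# nginx serves /blob/ and /block/ straight from cryptpad's state dir; nginx needs read access to it`, would record that dependency. Separately, `api_domain` and `files_domain` in the let-block appear to be unreferenced in the visible hunks once the nginx config sets both to `${main_domain}`; keeping them under `# TODO: later` is fine, but the comment should say they are currently unused.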
@@ -42,27 +48,12 @@ in # if you find that a single machine cannot handle all of your users. # If you don't use dedicated domains, this can be the same as $main_domain # If you do, they'll be added as exceptions to any rules which block connections to remote domains. - set $api_domain ${api_domain}; - set $files_domain ${files_domain}; + set $api_domain ${main_domain}; + set $files_domain ${main_domain}; server_name ${main_domain} ${sandbox_domain}; - # diffie-hellman parameters are used to negotiate keys for your session - # generate strong parameters using the following command - ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 - - # Speeds things up a little bit when resuming a session - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:5m; - - # You'll need nginx 1.13.0 or better to support TLSv1.3 - ssl_protocols TLSv1.2 TLSv1.3; - - # https://cipherli.st/ - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 - # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; @@ -112,7 +103,7 @@ in # We prefer to serve static content from nginx directly and to leave the API server to handle # the dynamic content that only it can manage. This is primarily an optimization location ^~ /cryptpad_websocket { - proxy_pass http://localhost:3000; + proxy_pass http://localhost:${toString port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -138,7 +129,7 @@ in # the caching variable which is applied to every other resource # which is loaded during that session. location = /api/config { - proxy_pass http://localhost:3000; + proxy_pass http://localhost:${toString port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
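Review bot: The hunk at -42 drops the vhost's explicit TLS policy (`ssl_protocols`, `ssl_ciphers`, `ssl_ecdh_curve`, the session cache and `ssl_dhparam`) without replacing it, so the server now gets nginx's compiled-in defaults unless `services.nginx.recommendedTlsSettings = true;` is set somewhere outside this diff (./nginx.nix, imported from configuration.nix, is the obvious candidate). Removing the block is reasonable, since nothing visible provisions `/etc/nginx/dhparam.pem` and NixOS manages the certificate side, but the replacement should be stated: either set `services.nginx.recommendedTlsSettings = true;` in this module or add `# TLS parameters come from services.nginx.recommendedTlsSettings in nginx.nix` above the `server_name` line. The `set $api_domain`/`set $files_domain` lines now collapse both to the main domain, which the upstream comment just above explicitly allows; the extraConfig string continues in later hunks outside this one.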
@@ -146,6 +137,7 @@ in # encrypted blobs are immutable and are thus cached for a year location ^~ /blob/ { + root /www/cryptpad; if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; @@ -155,7 +147,6 @@ in add_header 'Content-Length' 0; return 204; } - add_header Cache-Control max-age=31536000; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; @@ -167,6 +158,7 @@ in # these payloads are unlocked via login credentials. They are mutable # and are thus never cached. They're small enough that it doesn't matter, in any case. location ^~ /block/ { + root /www/cryptpad; add_header Cache-Control max-age=0; try_files $uri =404; } @@ -189,9 +181,8 @@ in # Finally, serve anything the above exceptions don't govern. try_files /www/$uri /www/$uri/index.html /customize/$uri; ''; - */ }; }; - networking.firewall.allowedTCPPorts = [ 433 80 ]; + networking.firewall.allowedTCPPorts = [ 443 80 ]; }
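Review bot: The hunk at -155 removes `add_header Cache-Control max-age=31536000;` from `location ^~ /blob/`, but the comment kept at -146, "encrypted blobs are immutable and are thus cached for a year", still promises that caching, and because the location now serves files via `try_files` from `root /www/cryptpad` there is no upstream left to supply the header, so blobs go out with no Cache-Control at all. Either restore the line next to the remaining `add_header` directives in that location or change the comment to say why the blobs are no longer cached. The `location ^~ /block/` hunk at -167 keeps its `max-age=0` and is consistent with its own comment.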