diff --git a/hosts/ports.nix b/hosts/ports.nix index e3ca744..215d18f 100644 --- a/hosts/ports.nix +++ b/hosts/ports.nix @@ -17,7 +17,6 @@ chat = 3008; # dash = 3009; ntfy = 3010; - lemmy = 3011; search = 8081; videos = 8082; @@ -26,7 +25,8 @@ mods.server.local.ports = { # grav = 5001 lemmy-api = 5002; - pict-rs = 5003; + lemmy-ui = 5003; + pict-rs = 5004; }; }; } diff --git a/modules/nixos/server/lemmy.nix b/modules/nixos/server/lemmy.nix index 2dc56b2..dc50e3c 100644 --- a/modules/nixos/server/lemmy.nix +++ b/modules/nixos/server/lemmy.nix @@ -3,7 +3,7 @@ let inherit (lib) mkEnableOption; cfg = config.mods.server.lemmy; port = config.mods.server.local.ports.lemmy-api; - port-ui = config.mods.server.nginx.ports.lemmy; + port-ui = config.mods.server.local.ports.lemmy-ui; port-pict = config.mods.server.local.ports.pict-rs; hostname = "lemmy.muon.host"; bind = "0.0.0.0"; 
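Review bot: In the second `hosts/ports.nix` hunk, `lemmy-ui` takes over 5003 while `pict-rs` moves to 5004, so one port number changes owner within a single deploy. Anything still pointing at 5003 for pict-rs would then reach the UI without any error: a pict-rs unit that has not restarted yet, a stored pictrs URL, or a hand-written firewall or monitoring rule. None of those are visible in this diff. Leaving `pict-rs = 5003;` and adding `lemmy-ui = 5004;` gives the same result without the reshuffle.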
@@ -42,40 +42,44 @@ in { address = "0.0.0.0"; }; - services.nginx.virtualHosts."${hostname}".locations = let + services.nginx.virtualHosts."${hostname}" = let ui = "http://10.0.0.3:${toString port-ui}"; backend = "http://10.0.0.3:${toString port}"; in lib.mkIf config.mods.server.nginx.enable { - "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = { - # backend requests - proxyPass = backend; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - "/" = { - # mixed frontend and backend requests, based on the request headers - extraConfig = '' - set $proxpass "${ui}"; - if ($http_accept = "application/activity+json") { - set $proxpass "${backend}"; - } - if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") { - set $proxpass "${backend}"; - } - if ($request_method = POST) { - set $proxpass "${backend}"; - } + forceSSL = true; + enableACME = true; + locations = { + "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = { + # backend requests + proxyPass = backend; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + "/" = { + # mixed frontend and backend requests, based on the request headers + extraConfig = '' + set $proxpass "${ui}"; + if ($http_accept = "application/activity+json") { + set $proxpass "${backend}"; + } + if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") { + set $proxpass "${backend}"; + } + if ($request_method = POST) { + set $proxpass "${backend}"; + } - # Cuts off the trailing slash on URLs to make them valid - rewrite ^(.+)/+$ $1 permanent; + # Cuts off the trailing slash on URLs to make them valid + rewrite ^(.+)/+$ $1 permanent; - proxy_pass $proxpass; - # Proxied `Host` header is required to validate ActivityPub HTTP signatures for incoming events. - # The other headers are optional, for the sake of better log data. 
- proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; + proxy_pass $proxpass; + # Proxied `Host` header is required to validate ActivityPub HTTP signatures for incoming events. + # The other headers are optional, for the sake of better log data. + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; }; }; };
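Review bot: `forceSSL = true;` and `enableACME = true;` only protect the client-to-nginx leg; the `ui` and `backend` upstreams in the same `let` are still plain `http://10.0.0.3:…`. The context line `address = "0.0.0.0";` at the top of this hunk, like `bind = "0.0.0.0";` in the previous one, suggests the services listen on every interface. Whether the host firewall limits the `lemmy-api`, `lemmy-ui` and `pict-rs` ports to the proxy is not visible here; if it does not, they can be reached directly over HTTP, skipping the TLS redirect and the Accept/method routing in `/`. Confirm that, or bind to the internal address (e.g. `address = "10.0.0.3";`, if that address is local to the Lemmy host). Separately, the location regex has an unescaped dot and no path boundary, so a path such as `/apix` is also sent to the backend; `"~ ^/(api|pictrs|feeds|nodeinfo|\\.well-known)(/|$)"` is tighter. The module's `config` body starts outside this hunk.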