diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/hosts/nachtigall/apps/nginx-mastodon.nix
index 4712a59..668c296 100644
--- a/hosts/nachtigall/apps/nginx-mastodon.nix
+++ b/hosts/nachtigall/apps/nginx-mastodon.nix
@@ -3,40 +3,53 @@ let cfg = config.services.mastodon; in { - services.nginx.virtualHosts = { - "mastodon.pub.solar" = { - root = "${cfg.package}/public/"; - # mastodon only supports https, but you can override this if you offload tls elsewhere. - forceSSL = lib.mkDefault true; - enableACME = lib.mkDefault true; + services.nginx = { + virtualHosts = { + "mastodon.pub.solar" = { + root = "${cfg.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; - locations."/system/".alias = "/var/lib/mastodon/public-system/"; + locations."/auth/sign_up".extraConfig = '' + return 302 /auth/sign_in; + ''; - locations."/" = { - tryFiles = "$uri @proxy"; + locations."/auth/confirmation/new".extraConfig = '' + return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + ''; + + locations."/auth/password/new".extraConfig = '' + return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + ''; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + + locations."/" = { + tryFiles = "$uri @proxy"; + }; + + locations."@proxy" = { + proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); + proxyWebsockets = true; + }; + + locations."/api/v1/streaming/" = { + proxyPass = "http://mastodon-streaming"; + proxyWebsockets = true; + }; }; + }; - locations."/auth/sign_up".extraConfig = '' - return 302 /auth/sign_in; + upstreams.mastodon-streaming = { + extraConfig = '' + least_conn; ''; - - locations."/auth/confirmation/new".extraConfig = '' - return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; - ''; - - locations."/auth/password/new".extraConfig = '' - return 302 
https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; - ''; - - locations."@proxy" = { - proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); - proxyWebsockets = true; - }; - - locations."/api/v1/streaming/" = { - proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/"); - proxyWebsockets = true; - }; + servers = builtins.listToAttrs + (map (i: { + name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; + value = { }; + }) (lib.range 1 cfg.streamingProcesses)); }; }; } diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix index 5dd659c..d1f5a3f 100644 --- a/hosts/nachtigall/apps/nginx.nix +++ b/hosts/nachtigall/apps/nginx.nix @@ -20,8 +20,8 @@ in { recommendedProxySettings = true; recommendedTlsSettings = true; appendHttpConfig = '' - # https://nginx.org/en/docs/hash.html - proxy_headers_hash_max_size 1024; + # https://my.f5.com/manage/s/article/K51798430 + proxy_headers_hash_bucket_size 128; ''; };
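Review bot: The new `upstreams.mastodon-streaming` block hard-codes `unix:/run/mastodon-streaming/streaming-${toString i}.socket` and no longer consults `cfg.enableUnixSocket`, while `locations."@proxy"` in the same file still branches on it. If streaming is socket-only by design, a comment above `servers` would make that explicit, e.g. `# streaming workers listen only on per-process unix sockets; paths must match the mastodon module`. nginx refuses to load an upstream that has no servers, so this presumably relies on `cfg.streamingProcesses` always being a positive integer, which is worth confirming against the option's type. Separately, the re-indented `/auth/sign_up` redirect is a navigation aid rather than an access control; whether local registration is actually closed depends on Mastodon's own registration setting, which is not visible here.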
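Review bot: The replacement comment in `appendHttpConfig` is only a vendor URL, so the reason for the value is lost if the link moves. A short statement of the symptom would help, e.g. `# raise bucket size to silence nginx's "could not build optimal proxy_headers_hash" warning` (assuming that is the warning being addressed). The change also removes `proxy_headers_hash_max_size 1024;` instead of adding the bucket size next to it, so the max size falls back to nginx's default unless `recommendedProxySettings` sets it. If that is intentional, the comment is a good place to say so.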