diff --git a/hosts/nachtigall/apps/nginx-website.nix b/hosts/nachtigall/apps/nginx-website.nix
index aa458e4..44afe37 100644
--- a/hosts/nachtigall/apps/nginx-website.nix
+++ b/hosts/nachtigall/apps/nginx-website.nix
@@ -1,12 +1,25 @@
 { ... }:
 
 {
+  systemd.tmpfiles.rules = [
+    "d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
+  ];
+
   services.nginx.virtualHosts = {
-    "www.pub.solar".locations."/".extraConfig = "return 301 https://pub.solar$request_uri";
+    "www.pub.solar" = {
+      enableACME = true;
+      addSSL = true;
+      locations."/" = {
+        extraConfig = ''
+          return 301 https://pub.solar$request_uri;
+        '';
+      };
+    };
 
     "pub.solar" = {
       default = true;
       enableACME = true;
+      forceSSL = true;
 
       locations = {
 # serve base domain pub.solar for mastodon.pub.solar
@@ -21,7 +34,7 @@
         "/.well-known/webfinger" = {
 # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
           extraConfig = ''
-            if ($arg_resource) = {
+            if ($arg_resource) {
               return 301 https://mastodon.pub.solar$request_uri;
             }
 
@@ -32,14 +45,14 @@
 
         "/satzung" = {
           extraConfig = ''
-            return 302 /satzung https://cloud.pub.solar/s/2tRCP9aZFCiWxQy;
+            return 302 https://cloud.pub.solar/s/2tRCP9aZFCiWxQy;
           '';
         };
 
         "/" = {
           root = "/srv/www/pub.solar";
           index = "index.html";
-          tryFiles = "$uri $uri/";
+          tryFiles = "$uri $uri/ =404";
         };
       };
     };
diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix
index 6a7bd66..37943f0 100644
--- a/hosts/nachtigall/apps/nginx.nix
+++ b/hosts/nachtigall/apps/nginx.nix
@@ -20,8 +20,4 @@ in {
   };
 
   networking.firewall.allowedTCPPorts = [80 443];
-
-  systemd.tmpfiles.rules = [
-    "d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
-  ];
 }
diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix
index 85e2152..ea1b774 100644
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
@@ -41,7 +41,8 @@
 
   users.users.hakkonaut = {
     description = "CI and automation user";
-    home = "/var/nix/iso-cache";
+    home = "/home/hakkonaut";
+    createHome = true;
     useDefaultShell = true;
     uid = 998;
     group = "hakkonaut";