diff --git a/flake.lock b/flake.lock index 2410f06a..18e4fdcf 100644 --- a/flake.lock +++ b/flake.lock @@ -776,7 +776,8 @@ "pre-commit-hooks": "pre-commit-hooks", "schizofox": "schizofox", "sioodmy-dev": "sioodmy-dev", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix", + "website": "website" } }, "rust-analyzer-src": { @@ -1083,6 +1084,22 @@ "repo": "treefmt-nix", "type": "github" } + }, + "website": { + "flake": false, + "locked": { + "lastModified": 1714517902, + "narHash": "sha256-eZ5HG1cxq32SCegfVTPhbeO0I1bR5fwXbHVkkqtIm78=", + "owner": "sioodmy", + "repo": "website", + "rev": "1347dcb0c450690161a6bcdbe3edbfcafef848e6", + "type": "github" + }, + "original": { + "owner": "sioodmy", + "repo": "website", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 2f2f359c..01585cb6 100644 --- a/flake.nix +++ b/flake.nix @@ -170,6 +170,10 @@ url = "github:lighttigerXIV/catppuccinifier"; inputs.nixpkgs.follows = "nixpkgs"; }; + website = { + url = "github:sioodmy/website"; + flake = false; + }; }; } # see also: diff --git a/home/rice/niri/config.nix b/home/rice/niri/config.nix index 12eb7f7c..75733e85 100644 --- a/home/rice/niri/config.nix +++ b/home/rice/niri/config.nix @@ -22,6 +22,7 @@ with theme.colors; '' warp-mouse-to-focus focus-follows-mouse + workspace-auto-back-and-forth } output "eDP-1" { diff --git a/system/server/default.nix b/system/server/default.nix index cc81a1cc..8fd05836 100644 --- a/system/server/default.nix +++ b/system/server/default.nix 
@@ -8,16 +8,38 @@ services.nginx = { enable = true; # package = pkgs.nginx.override {openssl = pkgs.libressl;}; - package = pkgs.angieQuic; + package = pkgs.angieQuic.override {openssl = pkgs.libressl;}; - # # lets be more picky on our ciphers and protocols - # sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; - # sslProtocols = "TLSv1.3 TLSv1.2"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + recommendedZstdSettings = true; + + # lets be more picky on our ciphers and protocols + sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; + sslProtocols = "TLSv1.3 TLSv1.2"; + + commonHttpConfig = '' + #real_ip_header CF-Connecting-IP; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; virtualHosts = { "sioodmy.dev" = { - root = "${inputs.sioodmy-dev.packages.${pkgs.system}.website}/"; + root = inputs.website; enableACME = true; + locations."/" = { + tryFiles = "$uri $uri.html $uri/ =404"; + extraConfig = '' + if ($request_uri ~ ^/(.*)\.html$) { + return 302 /$1; + } + ''; + }; + forceSSL = true; }; "search.sioodmy.dev" = { @@ -37,7 +59,6 @@ }; networking.firewall = { - allowedUDPPorts = [51820 5232]; - allowedTCPPorts = [5232 80 3000]; + allowedTCPPorts = [80 443]; }; }
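Review bot: The uncommented `sslCiphers` value still admits non-AEAD suites: in OpenSSL cipher-list syntax `+SHA1` only moves the SHA-1 suites to the end of the list, it does not disable them, and `EDH+aRSA`/`EECDH+aRSA` bring in CBC-mode suites. Every entry is also restricted to RSA authentication (`aRSA`), so if the ACME certificate for these hosts is an ECDSA one (not visible in this diff), TLS 1.2 clients would have no suite in common with the server. Dropping the override so the module default applies, or narrowing it to AEAD suites such as `sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20";`, would avoid both, and since the package is now built against LibreSSL the effective list is worth confirming on the running server. Separately, the `add_header` lines in `commonHttpConfig` are not inherited by any server or location block that sets its own `add_header`, and without the `always` parameter they are absent from error responses. The `services.nginx` block continues past the end of this hunk.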
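Review bot: After this change no UDP port is open, although the server package in the same file is the QUIC build (`pkgs.angieQuic`); if `quic`/`http3` is meant to be enabled on any virtual host (not visible in this diff), it also needs `allowedUDPPorts = [443];`, otherwise clients will stay on TCP. If HTTP/3 is not intended, leaving UDP closed is the smaller exposure. In that case a short comment such as `# UDP intentionally closed: no HTTP/3; services on 51820 and 5232 are no longer exposed from this host` would record that removing those ports was deliberate.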