diff --git a/nixos/boxes/bolty/home-assistant.nix b/nixos/boxes/bolty/home-assistant.nix
index 62831e76..f53fa413 100644
--- a/nixos/boxes/bolty/home-assistant.nix
+++ b/nixos/boxes/bolty/home-assistant.nix
@@ -1,8 +1,49 @@
 { config, pkgs, inputs, lib, ... }:
-let port = 8123;
+let
+ port = 8123;
+ path = "/data/nginx";
+ certPath = "${path}/cert.pem";
+ keyPath = "${path}/key.pem";
 in {
- imports = [ ./virtualisation.nix ];
+ imports = [ ../nginx.nix ./virtualisation.nix ];
 networking.firewall.allowedTCPPorts = [ port ];
+ services.nginx = {
+ virtualHosts = {
+ "bolty.raptor-carp.ts.net" = {
+ forceSSL = true;
+ enableACME = false;
+ locations."/" = {
+ proxyPass = "http://10.0.0.244:8123";
+ proxyWebsockets = true;
+ };
+ sslCertificateKey = keyPath;
+ sslCertificate = certPath;
+ };
+ };
+ };
+
+ systemd.services.nginx-tailscale-certs = {
+ script = ''
+ mkdir -p ${path}
+ cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
+ cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
+ chown -Rv nginx:nginx ${path}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ ReloadPropagatedFrom = "tailscale-cert.service";
+ };
+ before = [ "nginx.service" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "network-online.target"
+ "tailscaled.service"
+ "tailscale-cert.service"
+ ];
+ wants = [ "tailscale-cert.service" ];
+ };
+
 }
diff --git a/nixos/boxes/bolty/networking.nix b/nixos/boxes/bolty/networking.nix
index 829c4985..133adfa1 100644
--- a/nixos/boxes/bolty/networking.nix
+++ b/nixos/boxes/bolty/networking.nix
@@ -11,6 +11,7 @@
 address = [ "10.0.0.8/24" ];
 gateway = [ "10.0.0.1" ];
 DHCP = "no";
+ dns = [ "100.100.100.100" "9.9.9.9" ];
 };
 systemd.network.networks."eth" = {
diff --git a/nixos/boxes/bolty/tailscale-cert.nix b/nixos/boxes/bolty/tailscale-cert.nix
index 3e1b3204..1b9f1c10 100644
--- a/nixos/boxes/bolty/tailscale-cert.nix
+++ b/nixos/boxes/bolty/tailscale-cert.nix
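Review bot: `ReloadPropagatedFrom` is a [Unit] directive, so under `serviceConfig` (the [Service] section) of `nginx-tailscale-certs` systemd will ignore it and a reload of tailscale-cert.service will not re-run the copy; the line belongs in `unitConfig.ReloadPropagatedFrom = "tailscale-cert.service";`, and even there a `Type = "oneshot"` unit with no `ExecReload` has nothing to execute on reload, so a `systemd.paths` unit watching /var/lib/tailscale-certs (or restarting this unit from tailscale-cert.service) is likelier to pick up a renewed certificate. The script also leaves the copied key's mode to whatever `cp -rv` yields (the umask for a new file, the existing target's mode on later runs) and only fixes ownership afterwards; `install -m 0600 -o nginx -g nginx /var/lib/tailscale-certs/key.pem ${keyPath}` after `install -d -m 0750 -o nginx -g nginx ${path}` sets owner and mode in one step, and `-r` is unnecessary for single files. Minor: `proxyPass = "http://10.0.0.244:8123"` hardcodes the port that the `let` block binds as `port`; `"http://10.0.0.244:${toString port}"` keeps the two in step.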
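Review bot: The added `dns =` on this networkd network unit only reaches the system resolver when systemd-resolved is consuming networkd's per-link DNS, so unless bolty runs resolved the line has no effect, and when it does it overlaps the global `networking.nameservers` list that nixos/server-common.nix sets in this same commit, leaving two places that must agree. 100.100.100.100 also only answers while tailscaled is running, which the line does not record; a short comment, `dns = [ "100.100.100.100" "9.9.9.9" ]; # Tailscale MagicDNS first; only answers while tailscaled is up`, would document the dependency. If MagicDNS is the goal, having tailscaled install it (`tailscale up --accept-dns`) scopes that resolver to the tailscale0 link instead of the LAN link.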
@@ -6,10 +6,6 @@ let
 certPath = "${basePath}/cert.pem";
 in {
 imports = [ ];
- services.nginx.virtualHosts."${fqdn}" = {
- sslCertificateKey = keyPath;
- sslCertificate = certPath;
- };
 systemd.services.tailscale-cert-make-path = {
 script = ''
diff --git a/nixos/boxes/bolty/woodpecker-agent.nix b/nixos/boxes/bolty/woodpecker-agent.nix
index 2dd99524..4396718e 100644
--- a/nixos/boxes/bolty/woodpecker-agent.nix
+++ b/nixos/boxes/bolty/woodpecker-agent.nix
@@ -72,8 +72,6 @@ let
 };
 };
 in {
- imports = [ ../nginx.nix ];
-
 users = {
 users."${systemUserName}" = {
 inherit uid;
diff --git a/nixos/server-common.nix b/nixos/server-common.nix
index b907badd..a5f4dca6 100644
--- a/nixos/server-common.nix
+++ b/nixos/server-common.nix
@@ -1,7 +1,12 @@
 { config, pkgs, ... }: {
 imports = [ ./server-security.nix ./tailscale ];
- networking.nameservers =
- [ "9.9.9.9" "2620:fe::fe" "149.112.112.112" "2620:fe::9" ];
+ networking.nameservers = [
+ "100.100.100.100"
+ "9.9.9.9"
+ "2620:fe::fe"
+ "149.112.112.112"
+ "2620:fe::9"
+ ];
 services.nscd = {
 enable = true;
 enableNsncd = true;
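Review bot: Placing "100.100.100.100" first in `networking.nameservers` makes the Tailscale MagicDNS resolver the primary for every host importing server-common.nix, including hosts where tailscaled is stopped or not yet up at boot; lookups then have to fail against it before 9.9.9.9 is tried, and on hosts running systemd-resolved the resolver may switch to the public server after such a failure and stay there, at which point ts.net names stop resolving until it switches back. Letting tailscaled manage DNS (`tailscale up --accept-dns`) attaches 100.100.100.100 and the ts.net routing domain to the tailscale0 link only and keeps the public servers as the global set. If the global entry is intentional, annotate it: `"100.100.100.100" # Tailscale MagicDNS; only reachable while tailscaled is running`.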