diff --git a/global/utils.nix b/global/utils.nix index 4981e97..d89af09 100644 --- a/global/utils.nix +++ b/global/utils.nix @@ -84,4 +84,16 @@ systemd.services."${backend}-mc-${name}".serviceConfig.TimeoutSec = "300"; }; + + mkFrpPassthrough = name: port: { + services.frp.settings.proxies = [ + { + inherit name; + type = "tcp"; + localIp = "localhost"; + localPort = port; + remotePort = port; + } + ]; + }; } diff --git a/systems/etna/immich.nix b/systems/etna/immich.nix index 7063a31..ececb10 100644 --- a/systems/etna/immich.nix +++ b/systems/etna/immich.nix @@ -1,6 +1,9 @@ -{ config, ... }: +{ config, _utils, ... }: +let + frp = _utils.mkFrpPassthrough "immich" config.services.immich.port; +in { - cfTunnels."im.uku.moe" = "http://localhost:${builtins.toString config.services.immich.port}"; + imports = [ frp ]; services.immich = { enable = true; diff --git a/systems/vesuvio/certificates.nix b/systems/vesuvio/certificates.nix new file mode 100644 index 0000000..dce62e8 --- /dev/null +++ b/systems/vesuvio/certificates.nix @@ -0,0 +1,25 @@ +{ config, ... }: +{ + security.acme = { + acceptTerms = true; + defaults = { + email = "acme@uku.moe"; + webroot = "/var/lib/acme/acme-challenge"; + }; + }; + + services.nginx.virtualHosts = { + "acme.uku3lig.net" = { + serverAliases = [ + "*.uku3lig.net" + "*.uku.moe" + ]; + + locations."/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; + }; + }; + + # /var/lib/acme/acme-challenge must be writable by the ACME user and readable by the Nginx user. + # The easiest way to achieve this is to add the Nginx user to the ACME group. + users.users.nginx.extraGroups = [ "acme" ]; +} diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix index 46a7b3d..3ebeff1 100644 --- a/systems/vesuvio/default.nix +++ b/systems/vesuvio/default.nix @@ -1,8 +1,10 @@ { pkgs, ... }: { imports = [ + ./certificates.nix ./frp.nix ./hetzner.nix + ./nginx.nix ]; environment.systemPackages = with pkgs; [ 
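Review bot: `mkFrpPassthrough` carries no comment about what it exposes: the local service is published on the frp server under the same port number (`remotePort = port`) as a plain TCP proxy with no authentication of its own, so whether that port is reachable from outside depends only on frps's proxy bind address and the server's firewall, neither of which is visible in this diff (the vesuvio firewall hunk opens only 80 and 443). I would state that contract above the helper: `# Publish local TCP port on the frp server under the same port number.` / `# The service is forwarded as-is: TLS and access control must sit in front of it on the server, and remotePort must stay closed in that host's firewall.` The single `port` argument is reused for both `localPort` and `remotePort`, so a caller cannot choose a different server-side port; if that 1:1 mapping is intended, say so in the comment, otherwise an optional remote-port argument would avoid collisions between application ports on the shared frp host.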
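Review bot: Dropping the `cfTunnels."im.uku.moe"` entry in favour of `imports = [ frp ]` leaves nothing in this file saying where im.uku.moe is now served from or that TLS is no longer terminated by the tunnel; add a comment above the `let`, e.g. `# immich is published to vesuvio over frp (same port on both ends); the public vhost and TLS live in systems/vesuvio/nginx.nix.` The `frp` binding reads `config.services.immich.port` from inside `imports`, which the module system evaluates before `config` is fixed; as far as I can tell this only avoids infinite recursion because the attribute names of the module returned by `mkFrpPassthrough` do not depend on `port`, so that reliance is worth a comment, or the proxy entry could be set in the config part of this module instead of through `imports`.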
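Review bot: The `acme.uku3lig.net` vhost with `*.uku3lig.net` and `*.uku.moe` as `serverAliases` becomes a plain-HTTP catch-all for every name in both zones, but only the challenge location is defined, so any other path on an unmatched hostname is answered from nginx's default root rather than refused; adding `locations."/".return = "404";` keeps the vhost to its stated purpose. The comment on `users.users.nginx.extraGroups = [ "acme" ]` describes the challenge directory only, yet membership in the `acme` group presumably also gives the nginx user read access to the per-certificate directories under /var/lib/acme (keys included, if the acme module's default group ownership is in effect); I would state that in the comment so the line is not copied for a user that must not read keys, and mention that the per-certificate `group` option is the narrower alternative. Whether the wildcard challenge vhost is needed at all depends on certificates not in this diff, since the `enableACME` vhost in nginx.nix registers its own challenge location.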
@@ -10,8 +12,16 @@
 traceroute
 ];
 
- services.openssh = {
- ports = [ 4269 ];
- openFirewall = true;
+ services = {
+ nginx.enable = true;
+ openssh = {
+ ports = [ 4269 ];
+ openFirewall = true;
+ };
 };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
 }
diff --git a/systems/vesuvio/nginx.nix b/systems/vesuvio/nginx.nix
new file mode 100644
index 0000000..8b0f506
--- /dev/null
+++ b/systems/vesuvio/nginx.nix
@@ -0,0 +1,20 @@
+{
+ services.nginx.virtualHosts = {
+ # immich
+ "im.uku.moe" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:2283";
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ client_max_body_size 5000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+}
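Review bot: `nginx.enable = true` is the only nginx setting added for what is now a TLS-terminating reverse proxy; without `recommendedProxySettings` nginx passes neither `X-Forwarded-For`/`X-Forwarded-Proto` nor the original `Host` to the upstream, so the proxied service only ever sees 127.0.0.1 as the client, and without `recommendedTlsSettings` the vhosts run on nginx's stock protocol and cipher defaults. I would write `nginx = { enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; };` here. The firewall change itself looks right: only 80 and 443 are opened, so the ports published by frp stay closed unless frp.nix, which is not in this diff, opens them.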
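Review bot: `proxyPass = "http://localhost:2283"` hard-codes the immich port on this host while systems/etna/immich.nix forwards `config.services.immich.port`, which `mkFrpPassthrough` uses for both ends of the proxy; if that option ever changes on etna this vhost silently proxies to a closed port. Since vesuvio cannot read etna's configuration, record the coupling where the value lives, for instance by extending the `# immich` comment to `# immich on etna via the frp proxy; 2283 must equal services.immich.port there (systems/etna/immich.nix)`. It would also help to say in that comment that the upstream is plain HTTP over the frp-published port on this host and therefore must not be reachable from outside, which is what the firewall hunk in default.nix currently guarantees.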