diff --git a/configs/client.nix b/configs/client.nix
index 6a7a098..730791d 100644
--- a/configs/client.nix
+++ b/configs/client.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ lib, pkgs, ... }:
 {
 imports = [
 ./common.nix
@@ -15,8 +15,7 @@
 nixd
 ];
- # fix for wsl, `prefer` does not work if your SSH_ASKPASS is empty/unset
- variables.SSH_ASKPASS_REQUIRE = if config.programs.ssh.enableAskPassword then "prefer" else "never";
+ variables.SSH_ASKPASS_REQUIRE = "prefer";
 };
 networking = {
@@ -30,7 +29,11 @@
 programs = {
 nix-ld.enable = true;
- ssh.startAgent = true;
+ ssh = {
+ startAgent = true;
+ enableAskPassword = true;
+ askPassword = lib.mkDefault "${pkgs.curses-ssh-askpass}"; # see exprs/curses-ssh-askpass.nix
+ };
 };
 virtualisation.docker.enable = true;
diff --git a/exprs/curses-ssh-askpass.nix b/exprs/curses-ssh-askpass.nix
new file mode 100644
index 0000000..653500b
--- /dev/null
+++ b/exprs/curses-ssh-askpass.nix
@@ -0,0 +1,15 @@
+{
+ lib,
+ pinentry-curses,
+ writeShellScript,
+}:
+writeShellScript "curses-ssh-askpass" ''
+ if [ -z ''${1+x} ]; then
+ prompt="GETPIN"
+ else
+ prompt="SETDESC $1\nGETPIN"
+ fi
+
+ pin=$(echo -e "$prompt" | ${lib.getExe pinentry-curses} -T /dev/pts/0 | grep D | tr -d '\n')
+ echo "''${pin:2}"
+''
diff --git a/exprs/overlay.nix b/exprs/overlay.nix
index f961905..1d457c2 100644
--- a/exprs/overlay.nix
+++ b/exprs/overlay.nix
@@ -1,5 +1,6 @@
 inputs: final: prev: {
 idea-ultimate-fixed = prev.callPackage ./idea-fixed.nix { };
+ curses-ssh-askpass = prev.callPackage ./curses-ssh-askpass.nix { };
 vencord = prev.vencord.overrideAttrs (old: rec {
 version = "${old.version}+git.${inputs.vencord.shortRev}";
diff --git a/global/utils.nix b/global/utils.nix
index 4981e97..d89af09 100644
--- a/global/utils.nix
+++ b/global/utils.nix
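Review bot: In curses-ssh-askpass.nix the script exits 0 with empty output when the user cancels or pinentry fails, because the pipeline only filters the transcript with `grep D` and never looks at the `OK`/`ERR` status, so ssh receives an empty passphrase instead of a decline. `grep D` also matches any transcript line containing a capital D; anchoring it with `grep '^D '` and exiting non-zero when no data line is present fixes both. Separately, `$1` is spliced unescaped into the Assuan `SETDESC` line and then passed through `echo -e`, so a prompt containing backslash sequences, newlines or `%` is reinterpreted (pinentry expects percent-encoded text there, as far as I recall), and `-T /dev/pts/0` directs the prompt at whichever session holds pts/0 rather than the caller's terminal; both deserve a follow-up or at least a comment.
```nix
  # … unchanged: prompt construction …
  reply=$(echo -e "$prompt" | ${lib.getExe pinentry-curses} -T /dev/pts/0)
  pin=$(printf '%s\n' "$reply" | grep '^D ' | head -n1)
  # no D line means the user cancelled or pinentry failed: signal that to ssh instead of returning ""
  [ -n "$pin" ] || exit 1
  echo "''${pin:2}"
```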
@@ -84,4 +84,16 @@
 systemd.services."${backend}-mc-${name}".serviceConfig.TimeoutSec = "300";
 };
+
+ mkFrpPassthrough = name: port: {
+ services.frp.settings.proxies = [
+ {
+ inherit name;
+ type = "tcp";
+ localIp = "localhost";
+ localPort = port;
+ remotePort = port;
+ }
+ ];
+ };
 }
diff --git a/systems/etna/immich.nix b/systems/etna/immich.nix
index 7063a31..ececb10 100644
--- a/systems/etna/immich.nix
+++ b/systems/etna/immich.nix
@@ -1,6 +1,9 @@
-{ config, ... }:
+{ config, _utils, ... }:
+let
+ frp = _utils.mkFrpPassthrough "immich" config.services.immich.port;
+in
 {
- cfTunnels."im.uku.moe" = "http://localhost:${builtins.toString config.services.immich.port}";
+ imports = [ frp ];
 services.immich = {
 enable = true;
diff --git a/systems/vesuvio/certificates.nix b/systems/vesuvio/certificates.nix
new file mode 100644
index 0000000..dce62e8
--- /dev/null
+++ b/systems/vesuvio/certificates.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@uku.moe";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "acme.uku3lig.net" = {
+ serverAliases = [
+ "*.uku3lig.net"
+ "*.uku.moe"
+ ];
+
+ locations."/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ };
+ };
+
+ # /var/lib/acme/acme-challenge must be writable by the ACME user and readable by the Nginx user.
+ # The easiest way to achieve this is to add the Nginx user to the ACME group.
+ users.users.nginx.extraGroups = [ "acme" ];
+}
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index 46a7b3d..3ebeff1 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -1,8 +1,10 @@
 { pkgs, ... }:
 {
 imports = [
+ ./certificates.nix
 ./frp.nix
 ./hetzner.nix
+ ./nginx.nix
 ];
 environment.systemPackages = with pkgs; [
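Review bot: mkFrpPassthrough carries no comment, and its one non-obvious property is that `remotePort = port` re-binds the service on the frp server under the identical port number, so a caller has to read the frps host's frp.nix and firewall to learn where the service becomes reachable and to whom. A one-line doc above the helper would do: `# Mirror a local TCP service onto the frp server on the same port; who can reach it there is decided by the frps host's firewall, not by this helper.` The helper also fixes `type = "tcp"` and `localIp = "localhost"`, which is fine for the immich caller in this diff but worth stating as the intended scope.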
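Review bot: Replacing the `cfTunnels."im.uku.moe"` entry with a plain-`tcp` frp proxy moves the immich hop from etna to vesuvio onto frp's transport, and nothing in this diff shows whether the frp client or server (frp.nix, not included here) enables transport TLS; if it does not, immich sessions and upload bodies cross that link as plaintext HTTP, which the cloudflared path previously encrypted. Please confirm and record the answer in a comment next to `frp = _utils.mkFrpPassthrough ...`. As a matter of style, feeding a `config`-derived fragment through `imports = [ frp ]` evaluates only because, as far as I can tell, the module system never forces `localPort` while collecting imports; merging it as config instead (`{ config, lib, _utils, ... }:` and `lib.mkMerge [ frp { services.immich = ...; } ]`) makes the dependency explicit rather than relying on laziness.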
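Review bot: `users.users.nginx.extraGroups = [ "acme" ]` grants nginx group-level read on every certificate directory that keeps the default `acme` group, not only on the challenge webroot the comment is about; mail.nix in this same diff shows that group membership is exactly what confers access to `key.pem` (it sets `group = config.services.maddy.group` for that purpose). I believe this is the pattern the NixOS ACME manual recommends, so it may be an accepted trade-off, but the comment should say so rather than presenting it as only a webroot permission, e.g. `# Note: this also lets nginx read key.pem of every cert left on the default "acme" group; certs that must stay private to another service set their own group (see mail.nix).` If a tighter option is wanted, a dedicated group or ACL on `/var/lib/acme/acme-challenge` would scope the grant to the challenge directory alone.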
@@ -10,8 +12,16 @@
 traceroute
 ];
- services.openssh = {
- ports = [ 4269 ];
- openFirewall = true;
+ services = {
+ nginx.enable = true;
+ openssh = {
+ ports = [ 4269 ];
+ openFirewall = true;
+ };
 };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
 }
diff --git a/systems/vesuvio/mail.nix b/systems/vesuvio/mail.nix
new file mode 100644
index 0000000..7d40abd
--- /dev/null
+++ b/systems/vesuvio/mail.nix
@@ -0,0 +1,35 @@
+{ config, ... }:
+let
+ certName = "mail.c.uku3lig.net";
+ certLocation = config.security.acme.certs.${certName}.directory;
+in
+{
+ security.acme.certs.${certName} = {
+ group = config.services.maddy.group;
+ extraLegoRenewFlags = [ "--reuse-key" ]; # soopyc said its more secure
+ };
+
+ services.maddy = {
+ enable = true;
+ hostname = "mx1.uku3lig.net";
+ primaryDomain = "uku3lig.net";
+ localDomains = [
+ "$(primary_domain)"
+ "uku.moe"
+ ];
+
+ tls = {
+ loader = "file";
+ certificates = [
+ {
+ certPath = "${certLocation}/fullchain.pem";
+ keyPath = "${certLocation}/key.pem";
+ }
+ ];
+ };
+
+ config = ''
+
+ '';
+ };
+}
diff --git a/systems/vesuvio/nginx.nix b/systems/vesuvio/nginx.nix
new file mode 100644
index 0000000..8b0f506
--- /dev/null
+++ b/systems/vesuvio/nginx.nix
@@ -0,0 +1,20 @@
+{
+ services.nginx.virtualHosts = {
+ # immich
+ "im.uku.moe" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:2283";
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ client_max_body_size 5000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+}
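Review bot: In mail.nix the comment `# soopyc said its more secure` on `extraLegoRenewFlags = [ "--reuse-key" ]` documents hearsay, and the flag's actual effect is the opposite of a blanket security gain: it keeps the same private key across renewals, forgoing key rotation, which is only worth it where the public key is pinned (a DANE/TLSA record for the MX, for instance). Replace it with the real motivation, e.g. `# keep the key stable across renewals so a published TLSA pin for mx1 stays valid` if that is the reason, or drop the flag if it is not. The blank `config = '' '';` looks like work in progress: if `services.maddy.config` carries the module's default server configuration (I believe it does), this overrides it with nothing, so either remove the attribute or mark it `# TODO`. Also, the certificate is issued for `mail.c.uku3lig.net` while `hostname = "mx1.uku3lig.net"`; senders that verify the MX host via MTA-STS or DANE expect the presented certificate to match the MX name, so confirm which name the MX record uses and say so in a comment.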
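Review bot: In nginx.nix `proxyPass = "http://localhost:2283"` hard-codes immich's port, while the frp side in this diff (systems/etna/immich.nix via mkFrpPassthrough) forwards whatever `config.services.immich.port` evaluates to on etna, so a port change on etna silently breaks this vhost with no evaluation-time link between the two; at minimum add `# must match services.immich.port on etna (frp remotePort, see systems/etna/immich.nix)`. Nothing in this diff sets `recommendedProxySettings` or a `proxy_set_header X-Forwarded-For` for this location, so unless it is configured elsewhere immich's own logs and any per-client limits will see vesuvio's loopback address instead of the real client. The frps-bound port on vesuvio is not in `networking.firewall.allowedTCPPorts` (default.nix opens only 80 and 443), which looks intended as the only public path being this TLS vhost; a comment stating that intent would keep a future firewall edit from undoing it.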