diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix
index 85dad4f..118c754 100755
--- a/hosts/hyrule/default.nix
+++ b/hosts/hyrule/default.nix
@@ -116,64 +116,61 @@ in {
 # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
 nginx = {
 enable = true;
- # in wake of CVE-2022-3602/CVE-2022-3786
 package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
- #virtualHosts."imbored.dev".locations."/" = {
- virtualHosts = {
- "imbored.dev" = {
- # "http:imbored.dev" = {
- default = true;
- # serverName = "imbored.dev";
- # listenAddresses = ["imbored.dev"];
+ recommendedGzipSettings = true;
+ recommendedZstdSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # streamConfig = ''
+ # server {
+ # listen 127.0.0.1:53 udp reuseport;
+ # proxy_timeout 20s;
+ # proxy_pass 192.168.0.1:53535;
+ # }
+ # '';
+
+ virtualHosts = let
+ localhost = "http://127.0.0.1";
+ std = {
+ # TODO: should I run over QUIC+HTTP3? (experimental)
+ # quic = true;
+ # http3 = true;
 enableACME = true;
- addSSL = true;
 # forceSSL = true;
- root = "/var/www/imbored";
- #index = "index.html";
- #root = pkgs.writeTextDir "index.html" ''
- #
- #
- # Give me your mittens!
- #
- #
- #'';
+ # kTLS = true; # offload TLS to the linux kernel
 };
- # "ssh:imbored.dev" = {
- # serverName = "imbored.dev";
- # listen = [{
- # addr = "imbored.dev";
- # port= 22;
- # }];
- # locations."/".proxyPass = "ssh://127.0.0.1:2222";
- # };
+ in {
+ "imbored.dev" =
+ {
+ default = true;
+ addSSL = true; # not strictly enforced <3
+ root = "/var/www/imbored";
+ # extraConfig = ''
+ # error_page 404 /custom_404.html;
+ # '';
+ }
+ // std;
 # Route "vault" subdomain to vaultwarden
- "vault.imbored.dev" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://127.0.0.1:8222";
- };
+ "vault.imbored.dev" =
+ {
+ forceSSL = true;
+ locations."/".proxyPass = "${localhost}:8222";
+ }
+ // std;
 # Route "forge" subdomain to forgejo
- "forge.imbored.dev" = {
- # "https:forge.imbored.dev" = {
- #serverName = "forge.imbored.dev";
- #listenAddresses = ["forge.imbored.dev"]; # NOTE: I think this is wrong
- enableACME = true; # TODO: maybe use `forgejo.settings.server.ENABLE_ACME` instead?
- forceSSL = true;
- extraConfig = ''
- client_max_body_size 512M;
- '';
- locations."/".proxyPass = "http://127.0.0.1:3000";
- };
- # NOTE: would it work if I used "ssh://forge.imbored.dev" and "https://forge.imbored.dev" instead?
- # "ssh:forge.imbored.dev" = {
- # serverName = "forge.imbored.dev";
- # listen = [{
- # addr = "forge.imbored.dev";
- # port = 22;
- # }];
- # locations."/".proxyPass = "ssh://127.0.0.2:22";
- # };
+ # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
+ "forge.imbored.dev" =
+ {
+ forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "${localhost}:3000";
+ }
+ // std;
 };
 };
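Review bot: Each new virtual host is written as `{ ... } // std`, which puts the shared set on the right-hand side of the merge, so any attribute defined in `std` silently overrides the per-host value rather than defaulting it; today `std` only really sets `enableACME`, but un-commenting the `forceSSL = true;` kept inside it would collide with `addSSL = true;` on "imbored.dev" (the nginx module treats those two as mutually exclusive, as far as I recall) and would mask any per-host choice. Reversing the merge, `"imbored.dev" = std // { ... };`, gives the intended defaults-then-overrides semantics for all three hosts. Separately, the `default = true` catch-all still answers plaintext HTTP alongside TLS (`addSSL = true; # not strictly enforced <3`), and the recommended TLS settings do not add HSTS on their own as far as I can tell; unless plaintext is intentional, `forceSSL = true;` here would match the other two hosts. The enclosing `in { ... }` module body begins before this hunk.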