diff --git a/modules/server/authentik/default.nix b/modules/server/authentik/default.nix
index 281cc80e..f0539981 100644
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -99,7 +99,7 @@ in {
 middlewares = {
 authentik = {
 forwardAuth = {
- tls.insecureSkipVerify = true;
+ # tls.insecureSkipVerify = true;
 address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
 trustForwardHeader = true;
 authResponseHeaders = [
@@ -130,7 +130,7 @@ in {
 routers = {
 auth = {
 entryPoints = ["websecure"];
- rule = "Host(`${cfg.url}`) || HostRegexp(`{subdomain:[a-z0-9]+}.${srv.www.url}`) && PathPrefix(`/outpost.goauthentik.io/`)";
+ rule = "Host(`${cfg.url}`) && PathPrefix(`/outpost.goauthentik.io/`)";
 service = "auth";
 tls.certResolver = "letsencrypt";
 };
diff --git a/modules/server/jellyfin/default.nix b/modules/server/jellyfin/default.nix
index 453b3ae2..3b7edb0d 100644
--- a/modules/server/jellyfin/default.nix
+++ b/modules/server/jellyfin/default.nix
@@ -18,7 +18,7 @@ in {
 };
 url = lib.mkOption {
 type = lib.types.str;
- default = "sobotka.taila7448a.ts.net";
+ default = "fin.${srv.tailscale.url}";
 };
 homepage.name = lib.mkOption {
 type = lib.types.str;
@@ -49,13 +49,13 @@ in {
 services.traefik = {
 dynamicConfigOptions = {
 http = {
- services.${unit}.loadBalancer.servers = [{url = "http://127.0.0.1:8096";}];
+ services.${unit}.loadBalancer.servers = [{url = "http://localhost:8096";}];
 routers = {
 jellyfinRouter = {
 entryPoints = ["websecure"];
 rule = "Host(`${cfg.url}`)";
 service = "${unit}";
- tls.certResolver = "vpn";
+ tls.certResolver = "letsencrypt";
 };
 };
 };
diff --git a/modules/server/tailscale/default.nix b/modules/server/tailscale/default.nix
index 0b19feff..8ed32a8b 100644
--- a/modules/server/tailscale/default.nix
+++ b/modules/server/tailscale/default.nix
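Review bot: Commenting out `tls.insecureSkipVerify = true;` leaves dead configuration in the forwardAuth block; delete the line instead. With verification now on, Traefik validates the certificate presented by the outpost at `https://localhost:9443`, so that certificate must chain to a CA Traefik trusts or be pinned with `tls.ca = "<path-to-outpost-ca.pem>";` (placeholder path) — otherwise every route behind the `authentik` middleware fails closed. Keeping verification on is the right direction; the trust side just needs to be stated, e.g. `# outpost cert is verified: it must be issued by the letsencrypt resolver or pinned via tls.ca`. The enclosing `middlewares` block continues outside the hunk.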
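Review bot: The new rule no longer routes `/outpost.goauthentik.io/` on the `${srv.www.url}` subdomains, only on `${cfg.url}`. Applications protected in per-app proxy mode need the outpost callback path reachable on their own host, so their login redirect would now hit the app router and loop back into forwardAuth; if every protected app uses domain-level forward auth this is fine, but it deserves a comment above the rule, e.g. `# Outpost is served on the auth host only; protected apps rely on domain-level forward auth`. Note also that the old rule matched every path on `${cfg.url}` (`&&` binds tighter than `||`), while the new one matches only the outpost prefix — I cannot see from this diff whether another router serves the authentik UI on that host, so confirm it does.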
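Review bot: The `url` option still has no `description`, and its default now depends on `srv.tailscale.url`, which is declared in a different module; add `description = "Public hostname for Jellyfin; defaults to the fin. label under server.tailscale.url.";` so the cross-module coupling is visible from this file. The `srv` binding is not visible in this hunk — presumably it is `config.server`, as `srv.www.url` in the authentik module suggests — and the option block continues outside the hunk.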
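Review bot: `fin.${srv.tailscale.url}` now gets a public-CA certificate via the `letsencrypt` resolver and `jellyfinRouter` carries no middleware, so the only access control is Jellyfin's own login. That is acceptable only if the name resolves exclusively to a tailnet address; if it resolves to a public IP the service becomes Internet-reachable, so either document that constraint next to the router (`# fin.* must only resolve inside the tailnet; no forwardAuth here because native clients cannot follow it`) or add an allowlist/forwardAuth middleware. Separately, `http://localhost:8096` may resolve to `::1` first on a dual-stack host; if Jellyfin listens on IPv4 only, the previous `127.0.0.1` avoids that ambiguity.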
@@ -9,6 +9,10 @@ with lib; let
 in {
 options.server.tailscale = {
 enable = mkEnableOption "Enable tailscale server configuration";
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "ts.cnst.dev";
+ };
 };
 config = mkIf cfg.enable {
@@ -21,7 +25,6 @@ in {
 authKeyFile = config.age.secrets.sobotkaTsAuth.path;
 extraSetFlags = [
 "--advertise-exit-node"
- "--advertise-routes=192.168.88.0/24"
 ];
 };
 };
diff --git a/modules/server/traefik/default.nix b/modules/server/traefik/default.nix
index 2ec376b7..1f0add66 100644
--- a/modules/server/traefik/default.nix
+++ b/modules/server/traefik/default.nix
@@ -23,7 +23,7 @@ in {
 age.secrets.traefikEnv = {
 file = "${self}/secrets/traefikEnv.age";
 mode = "640";
- owner = "root";
+ owner = "traefik";
 group = "traefik";
 };
@@ -89,6 +89,10 @@ in {
 main = "cnix.dev";
 sans = ["*.cnix.dev"];
 }
+ {
+ main = "ts.cnst.dev";
+ sans = ["*ts.cnst.dev"];
+ }
 ];
 };
 };
diff --git a/secrets/traefikEnv.age b/secrets/traefikEnv.age
index c256c341..a32555f4 100644
Binary files a/secrets/traefikEnv.age and b/secrets/traefikEnv.age differ
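Review bot: The new `url` option has no `description` and hard-codes `ts.cnst.dev`, the same literal the traefik module adds as a certificate domain in this commit. Document it, e.g. `description = "DNS zone under which tailnet-facing services are named; the traefik module requests certificates for it.";`, and consider having the traefik certificate entry reference `config.server.tailscale.url` instead of repeating the string so the two cannot drift apart. The option is declared unconditionally, so the jellyfin default that reads it works even when `server.tailscale.enable` is off.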
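Review bot: Changing the owner to `traefik` while keeping `mode = "640"` makes the decrypted environment file writable by the service user, which the previous root:traefik ownership with group read did not allow. If Traefik genuinely needs to own the file (for example because it reads it directly rather than through systemd's `EnvironmentFile`, which is read as root), pair the change with `mode = "440";` so the secret stays read-only; otherwise `owner = "root"` already granted read access through the `traefik` group. The reason for the ownership change is not visible in the diff.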
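Review bot: The new SAN `*ts.cnst.dev` is missing the dot after the wildcard and does not follow the `*.cnix.dev` entry just above it; an ACME CA rejects a wildcard that is not a whole label, so this domain entry will fail and `fin.ts.cnst.dev` is not covered by the pre-requested certificate. Change it to `sans = ["*.ts.cnst.dev"];`. A wildcard also requires the resolver to use the DNS-01 challenge, and whether Traefik falls back to an on-demand per-router certificate when this entry fails depends on the resolver configuration, which is outside the hunk.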