diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index c9548b2..0e419bc 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -11,10 +11,17 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 {
 addr = "0.0.0.0";
 port = 8448;
 ssl = true;
+ proxyProtocol = true;
 }
 ];
 locations = {
@@ -49,8 +56,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -64,6 +69,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations = {
 "/" = {
@@ -79,8 +90,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -94,6 +103,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations."^~ /livekit/jwt/" = {
 proxyPass = "http://localhost:8082/";
@@ -103,8 +118,6 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index aca6e04..e581f8c 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -7,7 +7,7 @@
 nftables.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 8448 ];
 allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
 };
 wireguard = {
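Review bot: The 8443 and 8448 listeners in the first hunk of config/hosts/matrix/nginx.nix bind to 0.0.0.0 with `proxyProtocol = true`, so any peer that can reach those ports can open a connection. The `set_real_ip_from` lines further down only decide whose PROXY header may rewrite the client address; they do not restrict who connects. If the matrix host's firewall (not visible in this diff) does not already limit both ports to 10.202.41.100 and 10.203.10.3, that restriction is worth adding, and a comment such as `# PROXY protocol only: reached via web-public-2 and valkyrie` above each entry would record the assumption. Port 8448 also stops accepting connections that lack a PROXY header once this lands, so anything that spoke to it directly (monitoring, a local federation check) will fail. The same 8443 entry is added in the hunks at -64 and -94, and the enclosing listen list starts outside the hunk.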
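Review bot: `allowedTCPPorts` in the config/hosts/valkyrie/configuration.nix hunk now opens 8448 on every interface, and nothing in the list says what the port is for. A trailing comment such as `# 8448: Matrix federation, forwarded by the nginx stream server` would make later firewall audits easier. The commit also adds a `0.0.0.0:8448` listener on web-public-2, but no firewall change for that host appears in this diff, so it is worth confirming that the port is already open there or is opened elsewhere. The firewall attribute set begins outside the hunk.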
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index dae48ad..ab96419 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -58,6 +58,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen [::]:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 '';
 };
 }
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 1e51d61..01d6fae 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -38,6 +38,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen 0.0.0.0:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 }
 '';
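Review bot: The stream server added in the config/hosts/valkyrie/nginx.nix hunk forwards raw TCP from `[::]:8448` to 10.202.41.112:8448 and sets no timeouts of its own, so connections opened by outside peers are held towards the matrix backend under nginx's stream defaults. If those defaults are intended, a comment saying so is enough; otherwise explicit `proxy_connect_timeout` and `proxy_timeout` values in the block would bound idle connections. The matrix vhosts in this commit only honour the PROXY header from 10.203.10.3 for valkyrie, so a line such as `# source address must match set_real_ip_from on the matrix host` would document the coupling; if valkyrie reaches 10.202.41.112 from another address, the backend will log the proxy instead of the client. The web-public-2 hunk adds the same block for IPv4 and depends on 10.202.41.100 in the same way. The surrounding stream configuration starts outside the hunk.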