diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index c9548b2..0e419bc 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -11,10 +11,17 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 {
 addr = "0.0.0.0";
 port = 8448;
 ssl = true;
+ proxyProtocol = true;
 }
 ];
 locations = {
@@ -49,8 +56,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -64,6 +69,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations = {
 "/" = {
@@ -79,8 +90,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -94,6 +103,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations."^~ /livekit/jwt/" = {
 proxyPass = "http://localhost:8082/";
@@ -103,8 +118,6 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index aca6e04..e581f8c 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -7,7 +7,7 @@
 nftables.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 8448 ];
 allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
 };
 wireguard = {
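Review bot: The 8443 and 8448 listeners added in the first hunk of config/hosts/matrix/nginx.nix take PROXY protocol on `0.0.0.0`, so the header is parsed for any peer that can reach those ports, not only for web-public-2 and valkyrie. The `set_real_ip_from` lines visible in the `extraConfig` context limit which peers may replace the client address, but `$proxy_protocol_addr` is filled from whatever header arrives, and the matrix host's firewall is not part of this commit. I would confirm that 8443 and 8448 are admitted only from 10.202.41.100 and 10.203.10.3 and record that next to the listener, e.g. `# PROXY protocol: only web-public-2 and valkyrie may reach this port`. The same listener block is added again in the hunks at -64 and -94; each `listen` list starts outside its hunk.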
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index dae48ad..ab96419 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -58,6 +58,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen [::]:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 '';
 };
 }
diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix
index 94e74b6..e942787 100644
--- a/config/hosts/web-public-2/configuration.nix
+++ b/config/hosts/web-public-2/configuration.nix
@@ -21,7 +21,7 @@
 hostName = "web-public-2";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 5000 8448 ];
+ allowedTCPPorts = [ 80 443 5000 8443 8448 ];
 };
 };
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 1e51d61..3217be8 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -17,8 +17,8 @@
 stream {
 map $ssl_preread_server_name $address {
 cloud.nekover.se 10.202.41.122:8443;
- element.nekover.se 127.0.0.1:8443;
- element-admin.nekover.se 127.0.0.1:8443;
+ element.nekover.se 10.202.41.100:8443;
+ element-admin.nekover.se 10.202.41.100:8443;
 fi.nekover.se 10.202.41.125:8443;
 git.nekover.se 10.202.41.106:8443;
 hydra.nekover.se 10.202.41.121:8443;
@@ -26,7 +26,7 @@
 mas.nekover.se 10.202.41.112:8443;
 matrix.nekover.se 10.202.41.112:8443;
 matrix-rtc.nekover.se 10.202.41.112:8443;
- nekover.se 127.0.0.1:8443;
+ nekover.se 10.202.41.100:8443;
 mesh.nekover.se 10.202.41.126:8443;
 nix-cache.nekover.se 10.202.41.121:8443;
 searx.nekover.se 10.202.41.105:8443;
@@ -38,6 +38,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen 0.0.0.0:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 }
 '';
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 233a49c..4629365 100644
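Review bot: In config/hosts/web-public-2/configuration.nix, adding 8443 to `allowedTCPPorts` opens the port to every source, while the listeners behind it expect a PROXY header. Going by this commit they are only meant to be reached by this host's own stream block and, presumably, by valkyrie. Any other peer that reaches 8443 can present a client address of its choosing unless each vhost's realip trust list rejects it, and those lists are not visible here. A firewall rule restricted to the forwarding hosts would be tighter than a global open. If only the internal interface needs the port, binding the vhost in virtualHosts/nekover.se.nix with `addr = "10.202.41.100";` instead of `addr = "0.0.0.0";` also narrows the exposure.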
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -4,7 +4,7 @@
 forceSSL = true;
 enableACME = true;
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
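Review bot: With the listener moved off `localhost` and the stream map in web-public-2/nginx.nix now targeting 10.202.41.100:8443, proxied connections will most likely arrive from 10.202.41.100 rather than 127.0.0.1. The vhost's realip settings lie outside this hunk; if they still read `set_real_ip_from 127.0.0.1;`, the PROXY header is no longer honoured and logs and rate limits see the proxy's address instead of the client's. They should match the list used in matrix/nginx.nix, `set_real_ip_from 10.202.41.100;` and `set_real_ip_from 10.203.10.3;`. The `listen` entry and the vhost body continue past the hunk.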