diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index 0e419bc..c9548b2 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -11,17 +11,10 @@
 addr = "0.0.0.0";
 port = 80;
 }
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
 {
 addr = "0.0.0.0";
 port = 8448;
 ssl = true;
- proxyProtocol = true;
 }
 ];
 locations = {
@@ -56,6 +49,8 @@
 };
 };
 extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -69,12 +64,6 @@
 addr = "0.0.0.0";
 port = 80;
 }
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
 ];
 locations = {
 "/" = {
@@ -90,6 +79,8 @@
 };
 };
 extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -103,12 +94,6 @@
 addr = "0.0.0.0";
 port = 80;
 }
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
 ];
 locations."^~ /livekit/jwt/" = {
 proxyPass = "http://localhost:8082/";
@@ -118,6 +103,8 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index e581f8c..aca6e04 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -7,7 +7,7 @@
 nftables.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 8448 ];
+ allowedTCPPorts = [ 80 443 ];
 allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
 };
 wireguard = {
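Review bot: The 8448 listen entry that survives the first hunk keeps `ssl = true` but loses `proxyProtocol`, while both edge forwarders to 10.202.41.112:8448 are deleted in this same commit (valkyrie/nginx.nix and web-public-2/nginx.nix), so nothing visible in the diff delivers federation traffic to this socket any more. If the matrix host is now meant to accept 8448 directly, that is a change in its exposure that the listen entry should state, e.g. `# federation: reached directly, no PROXY protocol in front of this socket`; if not, the entry is dead and can go. The server-wide `real_ip_header proxy_protocol;` in extraConfig still covers this socket, which as far as I know is harmless because realip leaves the peer address alone when no PROXY header was received, but the access log for 8448 is worth a check after deploy. The enclosing virtualHost definition starts before and ends after the hunk.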
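Review bot: The added `listen 0.0.0.0:8443 http2 ssl proxy_protocol;` in the second extraConfig hunk (repeated verbatim in the fourth and sixth hunks of this file) uses the `http2` listen parameter, which nginx deprecated in 1.25.1 in favour of the `http2 on;` directive, so depending on the nginx version NixOS ships this will at least log a deprecation warning. The same socket can be declared through the module, the way nekover.se.nix does in this commit: `{ addr = "0.0.0.0"; port = 8443; ssl = true; extraParameters = [ "proxy_protocol" ]; }` keeps the listener visible to the module's own options instead of hiding it in a string. If the raw directive is deliberate, a one-line comment above it saying why it is not in `listen` would stop the next reader from moving it back, and the three identical copies are a candidate for one shared `let` binding.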
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index ab96419..dae48ad 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -58,11 +58,6 @@
 ssl_preread on;
 proxy_protocol on;
 }
- server {
- listen [::]:8448;
- proxy_pass 10.202.41.112:8448; # matrix federation port
- proxy_protocol on;
- }
 '';
 };
 }
diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix
index e942787..94e74b6 100644
--- a/config/hosts/web-public-2/configuration.nix
+++ b/config/hosts/web-public-2/configuration.nix
@@ -21,7 +21,7 @@
 hostName = "web-public-2";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 5000 8443 8448 ];
+ allowedTCPPorts = [ 80 443 5000 8448 ];
 };
 };
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 3217be8..1e51d61 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -17,8 +17,8 @@
 stream {
 map $ssl_preread_server_name $address {
 cloud.nekover.se 10.202.41.122:8443;
- element.nekover.se 10.202.41.100:8443;
- element-admin.nekover.se 10.202.41.100:8443;
+ element.nekover.se 127.0.0.1:8443;
+ element-admin.nekover.se 127.0.0.1:8443;
 fi.nekover.se 10.202.41.125:8443;
 git.nekover.se 10.202.41.106:8443;
 hydra.nekover.se 10.202.41.121:8443;
@@ -26,7 +26,7 @@
 mas.nekover.se 10.202.41.112:8443;
 matrix.nekover.se 10.202.41.112:8443;
 matrix-rtc.nekover.se 10.202.41.112:8443;
- nekover.se 10.202.41.100:8443;
+ nekover.se 127.0.0.1:8443;
 mesh.nekover.se 10.202.41.126:8443;
 nix-cache.nekover.se 10.202.41.121:8443;
 searx.nekover.se 10.202.41.105:8443;
@@ -38,11 +38,6 @@
 ssl_preread on;
 proxy_protocol on;
 }
- server {
- listen 0.0.0.0:8448;
- proxy_pass 10.202.41.112:8448; # matrix federation port
- proxy_protocol on;
- }
 }
 '';
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 4629365..233a49c 100644
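Review bot: `allowedTCPPorts = [ 80 443 5000 8448 ]` in the web-public-2/configuration.nix hunk still opens 8448, yet the only 8448 listener shown for this host, the stream `server` forwarding to 10.202.41.112:8448 in web-public-2/nginx.nix, is removed in this same commit, and valkyrie/configuration.nix drops 8448 in parallel. Unless another service on web-public-2 binds 8448, which nothing in the diff suggests, the line should become `allowedTCPPorts = [ 80 443 5000 ];` so the firewall does not keep a port open with nothing behind it.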
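Review bot: The `$ssl_preread_server_name` map in the first web-public-2/nginx.nix hunk (and the `nekover.se` line in the following hunk) now mixes loopback and backend targets with nothing saying that `127.0.0.1:8443` is this host's own nginx. A trailing comment such as `# served locally by virtualHosts/nekover.se.nix` on the `nekover.se` entry, and the equivalent on the two element entries if their vhosts live on this host too (they are not in the diff), would make that explicit. It is also worth noting next to these entries that the PROXY protocol header for them now originates from 127.0.0.1 rather than 10.202.41.100, since the local vhosts' realip trust lists will have to match.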
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -4,7 +4,7 @@
 forceSSL = true;
 enableACME = true;
 listen = [{
- addr = "0.0.0.0";
+ addr = "localhost";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
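Review bot: `addr = "localhost"` makes nginx resolve the name at config load (and it may bind ::1 as well as 127.0.0.1), while the stream map in web-public-2/nginx.nix targets `127.0.0.1:8443` literally; `addr = "127.0.0.1";` matches the map exactly and removes the dependency on hosts-file resolution. With the listener on loopback, the PROXY header for this vhost now arrives from 127.0.0.1 instead of 10.202.41.100, so the vhost's realip trust list, which is outside this hunk, needs `set_real_ip_from 127.0.0.1;` or client addresses in the access log and any rate limits will show as 127.0.0.1. Binding loopback only, together with dropping 8443 from the host firewall in the same commit, is the right direction: the PROXY-protocol socket was previously reachable by anything on the LAN, which could then assert arbitrary client addresses. The enclosing virtualHost definition continues outside the hunk.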