diff --git a/flake.nix b/flake.nix
index 8f54f2b..7ba4625 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,7 +49,7 @@
 ./modules/base-stuff.nix
 ./modules/proxy.nix
 ./modules/postgres.nix
- # ./modules/jitsi.nix
+ ./modules/jitsi.nix
 ./modules/containers
 ./modules/conduit.nix
 ./modules/keycloak.nix
diff --git a/modules/jitsi.nix b/modules/jitsi.nix
index 6927c35..2dbf38f 100644
--- a/modules/jitsi.nix
+++ b/modules/jitsi.nix
@@ -1,5 +1,7 @@
 { pkgs, ... }: {
+ # Jitsi for some reason needs 127.0.0.1:8080, and will fail if it can't get it
+ # what the fuck is this service...
 services.jitsi-meet = {
 enable = true;
 hostName = "meet.katzen.cafe";
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index 373ebf2..45497e1 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -5,7 +5,7 @@
 settings = {
 http-port = 8080;
- http-host = "127.0.0.1";
+ http-host = "127.0.0.3";
 http-enabled = true;
 https-port = 8443;
diff --git a/modules/proxy.nix b/modules/proxy.nix
index 227b096..3711d4c 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -35,10 +35,10 @@
 group = "nginx";
 keyType = "rsa4096";
 };
- # "mumble.katzen.cafe" = {
- # group = "murmur";
- # keyType = "rsa4096";
- # };
+ "mumble.katzen.cafe" = {
+ group = "murmur";
+ keyType = "rsa4096";
+ };
 "hc-vault.katzen.cafe" = {
 group = "nginx";
 keyType = "rsa4096";
@@ -57,6 +57,8 @@
 # };
 };
 };
+
+ users.users.nginx.extraGroups = [ "acme" ];
 services.nginx = {
 enable = true;
@@ -68,6 +70,16 @@
 statusPage = true;
 virtualHosts = {
+ "_.katzen.cafe" = {
+ # Catchall vhost, will redirect users to HTTPS for all vhosts
+ serverAliases = [ "*.katzen.cafe" ];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenge";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
 "grafana.katzen.cafe" = {
 forceSSL = true;
 enableACME = true;
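Review bot: In modules/keycloak.nix the new `http-host = "127.0.0.3";` is a bare loopback address whose only explanation sits in a comment in modules/jitsi.nix, and the same literal is repeated in the `proxyPass` line of the last modules/proxy.nix hunk, so the two can drift apart without any evaluation error. A comment next to the setting, e.g. `# 127.0.0.3 because Jitsi claims 127.0.0.1:8080, see modules/jitsi.nix`, would make the choice traceable. If proxy.nix has `config` in scope (its header is outside the hunk), building the upstream URL from `config.services.keycloak.settings` instead of repeating the address would keep both sides in step. The listener is plain HTTP (`http-enabled = true`), so it should stay on a loopback address as it does here.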
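Review bot: The re-enabled `"mumble.katzen.cafe"` entry in the first modules/proxy.nix hunk sets only `group` and `keyType`, so nothing visible tells murmur to pick up a renewed certificate; it would presumably keep serving the old one until its next restart. If that is not handled elsewhere, `reloadServices = [ "murmur.service" ];` inside the entry would cover it. The enclosing attribute set starts and ends outside the hunk, so how this certificate is validated is not visible here.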
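Review bot: `users.users.nginx.extraGroups = [ "acme" ];` in the second modules/proxy.nix hunk gives the nginx user everything the acme group can read, not only the challenge webroot. Any certificate left on the default group would then have its private key readable by nginx; the entries visible in the previous hunk set `group` explicitly, but the rest of the list is outside the diff. A comment recording the intent, e.g. `# nginx serves /var/lib/acme/acme-challenge for HTTP-01; every cert must keep an explicit group`, would make that constraint visible to the next editor.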
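Review bot: The comment on the new `"_.katzen.cafe"` vhost says it redirects "for all vhosts", but vhosts with their own name and `forceSSL = true` (such as `grafana.katzen.cafe` directly below) answer port 80 themselves, so this block presumably only handles names without a vhost of their own, for example the HTTP-01 challenge for the mumble certificate. Rewording it to `# Plain-HTTP catch-all for names without their own vhost: serves ACME challenges, redirects the rest to HTTPS` would match what the block does. The redirect target is built from `$host`, which nginx takes from the request; if this block ends up as the implicit default server for port 80, names outside katzen.cafe would be echoed into the Location header too. It is worth deciding explicitly which server is the default, e.g. `default = true;` on a vhost that rejects unknown names.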
@@ -102,7 +114,7 @@
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:8080";
+ proxyPass = "http://127.0.0.3:8080";
 # proxy_set_header Host $host;
 extraConfig = ''
 proxy_buffers 4 256k;