diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix
index 3a37cbb..00100be 100644
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@@ -67,6 +67,14 @@
 directories = ["leyla" "eve"];
 };
 };
+ reverse_proxy = {
+ enable = true;
+ hostname = "jan-leila.com";
+ };
+ jellyfin = {
+ enable = true;
+ subdomain = "media";
+ };
 };
 networking = {
 hostId = "c51763d6";
diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix
index a582eda..57a9cde 100644
--- a/modules/nixos-modules/server/jellyfin.nix
+++ b/modules/nixos-modules/server/jellyfin.nix
@@ -51,20 +51,20 @@ in {
 ];
 };
- host.storage.pool.extraDatasets = [
- {
- # sops age key needs to be available to pre persist for user generation
- "persist/system/jellyfin" = {
- type = "zfs_fs";
- mountpoint = "/persist/system/jellyfin";
- options = {
- atime = "off";
- relatime = "off";
- canmount = "on";
- };
+ fileSystems."/persist/system/jellyfin".neededForBoot = true;
+
+ host.storage.pool.extraDatasets = {
+ # sops age key needs to be available to pre persist for user generation
+ "persist/system/jellyfin" = {
+ type = "zfs_fs";
+ mountpoint = "/persist/system/jellyfin";
+ options = {
+ atime = "off";
+ relatime = "off";
+ canmount = "on";
 };
- }
- ];
+ };
+ };
 })
 ]
 );
diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix
index 664b3c3..311724b 100644
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
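Review bot: In jellyfin.nix the comment kept on the `persist/system/jellyfin` dataset still talks about the sops age key and user generation, which reads as carried over from another module and does not explain the new `fileSystems."/persist/system/jellyfin".neededForBoot = true;`. I would replace it with the real reason, for example `# jellyfin state lives on its own dataset; mounted in the initrd so it exists before persisted paths are set up`, after confirming that is why the flag is needed. The enclosing block starts outside the hunk.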
@@ -6,16 +6,16 @@
 options.host.reverse_proxy = {
 enable = lib.mkEnableOption "turn on the reverse proxy";
 hostname = lib.mkOption {
- type = lib.type.string;
+ type = lib.types.string;
 description = "what host name are we going to be proxying from";
 };
 forceSSL = lib.mkOption {
- type = lib.type.boolean;
+ type = lib.types.bool;
 description = "force connections to use https";
 default = true;
 };
 enableACME = lib.mkOption {
- type = lib.type.boolean;
+ type = lib.types.bool;
 description = "auto renew certificates";
 default = true;
 };
@@ -34,12 +34,17 @@
 # TODO: impermanence for ACME keys
 config = {
+ security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
+ acceptTerms = true;
+ defaults.email = "jan-leila@protonmail.com";
+ };
+
 services.nginx = {
 enable = config.host.reverse_proxy.enable;
 virtualHosts = lib.attrsets.mapAttrs' (name: value:
- lib.attrsets.nameValuePair "${name}.${config.home.reverse_proxy.hostname}" {
- forceSSL = config.home.reverse_proxy.forceSSL;
- enableACME = config.home.reverse_proxy.enableACME;
+ lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
+ forceSSL = config.host.reverse_proxy.forceSSL;
+ enableACME = config.host.reverse_proxy.enableACME;
 locations."/" = {
 proxyPass = value.target;
 proxyWebsockets = value.websockets;
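Review bot: `lib.types.string` on the `hostname` option in reverse_proxy.nix is the deprecated nixpkgs type: it evaluates with a warning and merges multiple definitions by concatenating them, so two modules setting the hostname would silently yield a wrong virtual-host name. `type = lib.types.str;` rejects conflicting definitions instead. The option also has no default, so a host that sets `enable = true` without `hostname` only fails when the virtual-host names are evaluated. The options block ends outside the hunk.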
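Review bot: `security.acme` is gated only on `enableACME`, which defaults to true, so every host importing reverse_proxy.nix gets `acceptTerms = true` and the contact address even when the proxy is disabled; `security.acme = lib.mkIf (config.host.reverse_proxy.enable && config.host.reverse_proxy.enableACME) {` keeps it tied to the proxy. The `# TODO: impermanence for ACME keys` above is still open while this hunk turns issuance on. If this host's root is not persisted (the `/persist` datasets in jellyfin.nix suggest so), `/var/lib/acme` is lost on reboot and each boot requests a fresh account key and certificates, which can run into the CA's rate limits and leave `forceSSL` hosts without a valid certificate. The contact address would also be better as a module option than a literal. The `config` block continues outside the hunk.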