diff --git a/machines/deneb/configuration.nix b/machines/deneb/configuration.nix
index 2374b2c..72df8fc 100644
--- a/machines/deneb/configuration.nix
+++ b/machines/deneb/configuration.nix
@@ -10,11 +10,10 @@ in
 {
 imports = [ inputs.frappix.nixosModules.x86_64-linux.frappix ];
 nixpkgs.overlays = [
- inputs.self.overlays.frappeOverlay
- inputs.self.overlays.pythonOverlay
- inputs.self.overlays.libsOverlay
- inputs.self.overlays.toolsOverlay
- inputs.self.overlays.frappePythonPkgsOverlay
+ inputs.frappix.overlays.frappeOverlay
+ inputs.frappix.overlays.pythonOverlay
+ inputs.frappix.overlays.libsOverlay
+ inputs.frappix.overlays.toolsOverlay
 ];

 clan.core.vars.generators.frappix = {
@@ -52,4 +51,47 @@ in
 sslCertificate = config.clan.core.vars.generators.frappix.files.sslCertificate.path;
 sslCertificateKey = config.clan.core.vars.generators.frappix.files.sslCertificateKey.path;
 };
+
+ nixpkgs.hostPlatform = {
+ system = "x86_64-linux";
+ };
+
+ clan.core.vars.generators.nginx = {
+ files = {
+ sslCert = {
+ owner = "nginx";
+ group = "nginx";
+ secret = true;
+ };
+ sslKey = {
+ owner = "nginx";
+ group = "nginx";
+ secret = true;
+ };
+ };
+
+ runtimeInputs = [
+ pkgs.openssl
+ ];
+ script = ''
+ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
+ -keyout $out/sslKey \
+ -out $out/sslCert \
+ -subj "/CN=localhost"
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ # services.nginx.virtualHosts."${domain}" = {
+ # forceSSL = true;
+ # sslCertificate = config.clan.core.vars.generators.nginx.files.sslCert.path;
+ # sslCertificateKey = config.clan.core.vars.generators.nginx.files.sslKey.path;
+ # };
+
+ system.stateVersion = "25.11";
+ clan.core.sops.defaultGroups = [ "admins" ];
 }
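Review bot: The `nixpkgs.overlays` list now takes all four overlays from the external `inputs.frappix` flake, and `frappePythonPkgsOverlay` is dropped with no replacement or explanation in the hunk. Overlays can redefine any package in this machine's package set, so what gets built now depends on the frappix revision recorded in `flake.lock`, which this diff does not show. I would add a comment above the list, such as `# overlays provided by the frappix input (revision pinned in flake.lock); frappePythonPkgsOverlay is covered by pythonOverlay upstream`, once that last part has been confirmed. The enclosing attribute set opens in this hunk and closes in the next one.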
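Review bot: The certificate generated in `clan.core.vars.generators.nginx` has the subject `/CN=localhost` with no subjectAltName and is valid for ten years, so clients that check hostnames against the SAN will reject it for the `${domain}` vhost it is meant to serve. If `domain` is bound in the `let` block outside this hunk, the subject line could become `-subj "/CN=${domain}" -addext "subjectAltName=DNS:${domain}"`, with a much shorter `-days` value so the key is rotated when the generator is re-run. Ports 80 and 443 are opened while the only consumer of the new files, the `forceSSL` vhost, is still commented out, so whether plain HTTP is redirected depends on configuration outside the hunk. `sslCert` is marked `secret = true` although a certificate is public data; a comment should say whether that is intentional. `$out` is also unquoted in the script and would be safer as `"$out/sslKey"` and `"$out/sslCert"`.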