diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index 103cd7e..c117b12 100644 --- a/hosts/zackbiene/esphome.nix +++ b/hosts/zackbiene/esphome.nix @@ -21,11 +21,12 @@ in { # Hardening CapabilityBoundingSet = ""; - DevicePolicy = "closed"; LockPersonality = true; - MemoryDenyWriteExecute = false; # NodeJs-JIT :/ + MemoryDenyWriteExecute = true; + DevicePolicy = "closed"; + DeviceAllow = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"; + SupplementaryGroups = ["dialout"]; NoNewPrivileges = true; - PrivateDevices = true; PrivateUsers = true; PrivateTmp = true; ProtectClock = true; @@ -41,11 +42,15 @@ in { ReadWritePaths = dataDir; RemoveIPC = true; RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"]; - RestrictNamespaces = true; + RestrictNamespaces = false; # Required by platformio for chroot RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = ["@system-service" "~@privileged"]; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "@mount" # Required by platformio for chroot + ]; UMask = "0077"; }; }; @@ -58,4 +63,25 @@ in { }; users.groups.esphome.gid = 316; + + services.nginx.upstreams = { + "esphome" = { + servers = {"unix:/run/esphome/esphome.sock" = {};}; + extraConfig = '' + zone esphome 64k; + keepalive 2; + ''; + }; + }; + services.nginx.virtualHosts = { + #"${nodeSecrets.esphome.domain}" = { + # forceSSL = true; + # enableACME = true; + "192.168.1.22" = { + locations."/" = { + proxyPass = "http://esphome"; + proxyWebsockets = true; + }; + }; + }; } diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix index 1d6e6c7..e576088 100644 --- a/hosts/zackbiene/hostapd.nix +++ b/hosts/zackbiene/hostapd.nix 
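Review bot: The new `DeviceAllow` entry for the CP2102 adapter carries no access-mode suffix, so systemd falls back to its default `rwm`, which also permits mknod on that device node; the hostapd change in this same commit spells out `rw`, and this line should too: `DeviceAllow = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0 rw";`. The rule is keyed to a `by-id` symlink that only exists while the adapter is plugged in, so if the unit starts before the USB device is present the rule is presumably dropped with a warning rather than applied later — worth confirming on this host and, if so, restarting esphome after hot-plug or matching the device class instead. Flipping `MemoryDenyWriteExecute` to `true` also silently drops the earlier `NodeJs-JIT` exemption; a one-line note such as `# esphome/platformio are Python + gcc toolchains, no JIT needs W+X` would record why it no longer applies.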
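Review bot: `RestrictNamespaces = false` together with `@mount` re-opens every namespace type, not only what a chroot needs, and since `CapabilityBoundingSet = ""` leaves the process with no privileges in the host namespace, the only way those calls can succeed is via a fresh user namespace — the same path that exposes the most kernel attack surface to an unprivileged process. If platformio really does `unshare`+`chroot`, allow just the types it uses rather than disabling the option, e.g. `RestrictNamespaces = ["user" "mnt"]; # platformio chroot`. Note also that `@mount` is listed after `~@privileged`, so as I read systemd's ordering the `chroot`/`pivot_root` calls that `@privileged` had removed are added back; naming only the specific syscalls that are actually needed (e.g. `chroot`, `mount`, `umount2`) would be tighter than the whole group — verify the minimal set with strace or the audit log.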
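Review bot: The new `"192.168.1.22"` virtual host proxies the ESPHome dashboard over plain HTTP with no `basicAuthFile`, allow/deny list or TLS, while the `forceSSL`/`enableACME` lines that would have provided TLS are left commented out; the dashboard can edit device YAML (including secrets) and push firmware, so anyone who can reach port 80 on this host gets that ability unless the dashboard itself enforces a login. At minimum add a source restriction on the location, e.g. `locations."/".extraConfig = "allow 192.168.1.0/24; deny all;";`, or gate it with `basicAuthFile` until the TLS host is re-enabled. The upstream also relies on the esphome unit creating `/run/esphome/esphome.sock` with a mode the nginx user can connect to; with `UMask = "0077"` set on that unit in the same file this is not a given, so confirm the proxy actually connects rather than returning 502.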
@@ -11,8 +11,8 @@ wpa = false; # Use 2.4GHz, this network is ment for dumb embedded devices hwMode = "g"; - # Automatically select channel at runtime using acs_survey - channel = 0; + # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u. + channel = 13; # Respect the local regulations countryCode = "DE"; @@ -28,16 +28,14 @@ # Ensure TX Power and frequencies compliance with local regulatory requirements ieee80211h=1 - # IEEE 802.11ac (WiFi 4) - # MIMO and channel bonding support + # IEEE 802.11ac (WiFi 4) - MIMO and channel bonding support ieee80211n=1 - # Add wider channel-width support and MU-MIMO (multi user MIMO) + ht_capab=[LDPC][HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1] - # IEEE 802.11ac (WiFi 5) + # IEEE 802.11ac (WiFi 5) - adds wider channel-width support and MU-MIMO (multi user MIMO) ieee80211ac=1 - ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40] - vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN] - vht_oper_chwidth=1 + #vht_capab=[SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN] + #vht_oper_chwidth=1 # WPA3 wpa=2 @@ -53,7 +51,7 @@ # Derive PWE using both hunting-and-pecking loop and hash-to-element sae_pwe=2 # SAE can also use wpa_psk, which allows us to use a separate file, - # but it restricts the password length to [2,63] which is ok. + # but it restricts the password length to [8,63] which is ok. # This conatins a list of passwords for each client MAC. wpa_psk_file=${config.rekey.secrets.wifi-clients.path} @@ -62,11 +60,12 @@ accept_mac_file=/run/hostapd/client-macs # Hide network and require devices to know the ssid in advance - ignore_broadcast_ssid=1 + #ignore_broadcast_ssid=1 # Don't allow clients to communicate with each other ap_isolate=1 ''; }; + # TODO dont adverttise! # Associates each known client to a unique password rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age; 
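Review bot: Hard-coding `channel = 13` excludes any client whose firmware is locked to an FCC regulatory domain (channels 1–11), which is a realistic risk on a network meant for cheap embedded modules; the `countryCode = "DE"` context line makes 13 legal here, so this is a compatibility rather than a regulatory concern. Since it is a deliberate trade-off it deserves a note next to the value, e.g. `channel = 13; # NB: not visible to FCC-regdomain clients (1-11 only); use 1/6/11 if a device cannot join`.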
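Review bot: The retained comment `# IEEE 802.11ac (WiFi 4) - MIMO and channel bonding support` on the new side is wrong — 802.11n is WiFi 4 and the line it describes is `ieee80211n=1`; change it to `# IEEE 802.11n (WiFi 4) - MIMO and channel bonding support`. With `vht_capab` and `vht_oper_chwidth` now commented out, `ieee80211ac=1` stays enabled on a 2.4 GHz `hwMode = "g"` radio with nothing configured for it, which as far as I can tell is at best a no-op and on some drivers a reason for hostapd to reject the config; either comment it out with its capabilities or add a comment saying why it stays. `[HT40+]` is also unusable on channel 13 (there is no secondary channel above it), so only `[HT40-]` can take effect there — apparently harmless while both are listed, but worth a note for whoever changes the channel.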
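Review bot: Hiding the SSID is not a security control, so the new `# TODO dont adverttise!` marker should not be tracked as one: clients configured for a hidden network probe for it by name wherever they are, and the SSID is sent in the clear during every association anyway, so `ignore_broadcast_ssid=1` mostly just makes joining harder for cheap modules. The real controls in this block are the per-client SAE passwords from `wpa_psk_file` and `ap_isolate=1`; the `accept_mac_file` list is a convenience filter only, since MACs are trivially spoofed. Reword the marker so the intent and trade-off are clear, e.g. `# TODO: decide whether to re-enable ignore_broadcast_ssid=1 (obscurity only; some clients fail to join hidden networks)`.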
@@ -80,25 +79,25 @@ serviceConfig = { ExecReload = "/bin/kill -HUP $MAINPID"; RuntimeDirectory = "hostapd"; + DeviceAllow = "/dev/rfkill rw"; # Hardening LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; - PrivateDevices = false; # Needs /dev/rfkill - PrivateUsers = true; + PrivateDevices = true; + PrivateUsers = false; # hostapd requires real system root access. PrivateTmp = true; ProtectClock = true; - ProtectControlGroups = false; # Needs write-access to /sys/class/net/... + ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; - ProtectKernelTunables = false; + ProtectKernelTunables = true; ProtectProc = "invisible"; ProcSubset = "pid"; ProtectSystem = "strict"; - RemoveIPC = true; RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"]; RestrictNamespaces = true; RestrictRealtime = true; diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index 7ab4b7f..85fbb1f 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix @@ -14,7 +14,6 @@ matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac; networkConfig = { Address = "10.90.0.1/24"; - Gateway = "10.90.0.1"; }; }; }; diff --git a/hosts/zackbiene/nginx.nix b/hosts/zackbiene/nginx.nix index 2e4307c..b41df56 100644 --- a/hosts/zackbiene/nginx.nix +++ b/hosts/zackbiene/nginx.nix @@ -40,4 +40,6 @@ }; }; }; + + networking.firewall.allowedTCPPorts = [80 443]; } diff --git a/hosts/zackbiene/secrets/wifi-clients.age b/hosts/zackbiene/secrets/wifi-clients.age index 001b19e..e12e384 100644 --- a/hosts/zackbiene/secrets/wifi-clients.age +++ b/hosts/zackbiene/secrets/wifi-clients.age 
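Review bot: The new `DeviceAllow = "/dev/rfkill rw"` cannot take effect together with `PrivateDevices = true` a few lines below: `PrivateDevices=` mounts a private `/dev` holding only API pseudo-devices, so `/dev/rfkill` is absent from the unit's namespace regardless of the cgroup device rule. Either keep `PrivateDevices = false` and rely on `DevicePolicy = "closed"` plus this `DeviceAllow`, or drop the `DeviceAllow` line and document that hostapd runs without rfkill access (it presumably logs a warning and carries on — verify the unit still comes up and sees the radio). Dropping `RemoveIPC = true` is harmless only because the unit apparently runs as root (the `PrivateUsers = false` comment implies this), where the option has no effect anyway; a short comment to that effect would keep the next reader from re-adding it.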
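Review bot: `networking.firewall.allowedTCPPorts = [80 443]` opens both ports on every interface, including the `wlan1` AP network (`10.90.0.1/24`) this commit configures for untrusted embedded devices; with nginx listening on all addresses by default, those devices can reach the plain-HTTP ESPHome dashboard vhost added in `esphome.nix`. Scope the rule to the interface the dashboard is meant for instead, e.g. `networking.firewall.interfaces."<lan-iface>".allowedTCPPorts = [80 443];` with the real LAN interface name substituted, or bind nginx's `listen` directives to the LAN address. This is inferred from defaults — if `nginx.nix` already restricts `listenAddresses`, say so in a comment next to the firewall rule.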
@@ -1,10 +1,10 @@ age-encryption.org/v1 --> X25519 hassPBEEk/UBxKCHkOhG+xCVBRqjLzzIzx+YNxMI1XY -yUPfWO27Ou9Kr/9+9H/QCx/s8z+xaqBknozANAUuRAY --> piv-p256 xqSe8Q A+Mah3ymwlgxCgF/hqioFnV4dLIs7gIlCi+5Y9hGThUy -/1ILkEDSDzuP1TNm0eAGExBAGP6GvryPwkYN/44stZI --> yazz-grease 4O -ELmoh/Qew+/mdgIaGxnpR9eTPGHvAEO8Y22uH/tlpwBmlVMZNHa91PQ/dksjMKA8 -7hYCLWcfWtEEF4gVUnCOokyYm3XAZyQ9Lauiw2n4JTvYSKJhmAquXW8Jmto ---- 6650BuMK5X5Z56QmkfgIZdbB6cg8+l2GG05XDZkgK4Q -揵鎧恑蒔e38P 牫 !荗u3抮* 羹5嚹{礅潑錭K菱鯰磉B1欸m&# `襽7佫挚亼 O \ No newline at end of file +-> X25519 J0OVJ0jJkIkBk0nFoeZ7QhFoH2KZtVNEaqVrPAPOMkU +gPL8EodGaHRmGU7SjCi0A+VSHX0Jki4QTSQJqKakOmc +-> piv-p256 xqSe8Q ApYjO1OYkLa5P5y/CUcreVv1D+XIuzmvL22b8xOn4KCo +zXbQ2bBEoNfRBccduRzhezOHir1NoFgSaNpB2Kz9iLM +-> 3}-b-grease vM C +9zBNWTL08GkY4ZkDLmiQQqc2Di2oFiHko39JdKAzdF53kRcEkpojS0MwOhii5673 +Pg0s035+WayZNZkpKHelA27aA7Yo+u6kGZ0xLP2N0ZxxjgZabYau +--- CkGhrXo9Gfpf5A1h9A4ZVRtdr3KOlE78J7wXOUyMJjI +B6柱芧醓狄@V菆h使#滸7&厱牾k藒 #禵k橦灆`騲c枞輐曊核J慅w备菩爥hFΞ瀃H槊濌蕈棎!縸UR>昰捲吼虰o5 滦9V$鴴嚛澜A ob揼 ,/ \ No newline at end of file