diff --git a/hosts/ward/guests/firefly.nix b/hosts/ward/guests/firefly.nix
index 7dbfded..65abdbd 100644
--- a/hosts/ward/guests/firefly.nix
+++ b/hosts/ward/guests/firefly.nix
@@ -37,7 +37,7 @@ in
     generator.script = _: ''
       echo "base64:$(head -c 32 /dev/urandom | base64)"
     '';
-    owner = "firefly-iii";
+    owner = "firefly-pico";
   };
 
   environment.persistence."/persist".directories = [
@@ -82,6 +82,25 @@ in
     };
   };
 
+  services.nginx.commonHttpConfig = ''
+    log_format json_combined escape=json '{'
+      '"time": $msec,'
+      '"remote_addr":"$remote_addr",'
+      '"status":$status,'
+      '"method":"$request_method",'
+      '"host":"$host",'
+      '"uri":"$request_uri",'
+      '"request_size":$request_length,'
+      '"response_size":$body_bytes_sent,'
+      '"response_time":$request_time,'
+      '"referrer":"$http_referer",'
+      '"user_agent":"$http_user_agent"'
+    '}';
+    error_log syslog:server=unix:/dev/log,nohostname;
+    access_log syslog:server=unix:/dev/log,nohostname json_combined;
+    ssl_ecdh_curve secp384r1;
+  '';
+
   nodes.ward-web-proxy = {
     services.nginx = {
       upstreams.firefly = {
@@ -102,11 +121,19 @@ in
           proxyPass = "http://firefly";
           proxyWebsockets = true;
         };
-        locations."/pico" = {
+        locations."= /pico".return = "302 /pico/";
+        locations."/pico/" = {
           proxyPass = "http://firefly/"; # Trailing slash matters! (remove location suffix)
           proxyWebsockets = true;
+
+          recommendedProxySettings = false; # We need to change Host without duplicating the header.
           extraConfig = ''
             proxy_set_header Host pico.internal;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Server pico.internal;
           '';
         };
         extraConfig = ''
diff --git a/modules/firefly-pico.nix b/modules/firefly-pico.nix
index aededec..2c6bc24 100644
--- a/modules/firefly-pico.nix
+++ b/modules/firefly-pico.nix
@@ -230,9 +230,9 @@ in
               else if cfg.settings.DB_CONNECTION == "mysql" then
                 "firefly-pico"
               else
-                cfg.dataDir + "storage/database/database.sqlite";
+                cfg.dataDir + "/storage/database/database.sqlite";
             defaultText = ''
-              `cfg.dataDir + "storage/database/database.sqlite` if DB_CONNECTION is "sqlite", `firefly-pico` if "mysql" or "pgsql"
+              `cfg.dataDir + "/storage/database/database.sqlite` if DB_CONNECTION is "sqlite", `firefly-pico` if "mysql" or "pgsql"
             '';
             description = ''
               The absolute path or name of your firefly-pico database.
@@ -372,7 +372,6 @@ in
         [
           "${cfg.dataDir}/storage"
           "${cfg.dataDir}/storage/app"
-          "${cfg.dataDir}/storage/database"
           "${cfg.dataDir}/storage/framework"
           "${cfg.dataDir}/storage/framework/cache"
           "${cfg.dataDir}/storage/framework/sessions"