diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index c7b39ac..5b51bcd 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -93,6 +93,7 @@ in {
 nodes.sentinel.config.networking.providedDomains.influxdb
 nodes.sentinel.config.networking.providedDomains.loki
 nodes.sentinel.config.networking.providedDomains.paperless
+ "home.${config.repo.secrets.global.domains.me}"
 ];
 filters = [
 {
diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix
index ca62c1d..47c04f8 100644
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@@ -4,7 +4,6 @@
 nodes,
 ...
 }: let
- inherit (config.repo.secrets.local) acme;
 sentinelCfg = nodes.sentinel.config;
 wardWebProxyCfg = nodes.ward-web-proxy.config;
 in {
@@ -30,17 +29,6 @@ in {
 topology.self.hardware.info = "O-Droid N2+";
 boot.mode = "efi";
- users.groups.acme.members = ["nginx"];
- services.nginx.enable = true;
- services.nginx.recommendedSetup = true;
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- inherit (acme) email;
- reloadServices = ["nginx"];
- };
- };
 meta.promtail = {
 enable = true;
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index 2506d27..ee5f97e 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -1,11 +1,12 @@
 {
 lib,
 config,
+ nodes,
 ...
 }: let
 homeDomain = "home.${config.repo.secrets.global.domains.me}";
 in {
- wireguard.proxy-home.firewallRuleForNode.ward.allowedTCPPorts = [
+ wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
 config.services.home-assistant.config.http.server_port
 ];
@@ -37,7 +38,7 @@ in {
 server_host = ["0.0.0.0"];
 server_port = 8123;
 use_x_forwarded_for = true;
- trusted_proxies = ["127.0.0.1"];
+ trusted_proxies = [nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4];
 };
 homeassistant = {
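Review bot: The entry added in hosts/ward/guests/adguardhome.nix, `"home.${config.repo.secrets.global.domains.me}"`, is a hand-built string, while the neighbouring entries are read from `nodes.sentinel.config.networking.providedDomains.*`, and the same expression is defined a second time as `homeDomain` in hosts/zackbiene/home-assistant.nix. If one copy changes, this list and the nginx vhost name will disagree, and clients would presumably stop resolving the name to the internal proxy. Consider defining the domain once and referencing it from both files, or at least adding `# keep in sync with homeDomain in hosts/zackbiene/home-assistant.nix` on the new line. The list itself opens outside the hunk, so its purpose is inferred from the entries shown.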
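Review bot: In the `@@ -37,7 +38,7 @@` hunk of hosts/zackbiene/home-assistant.nix, `server_host = ["0.0.0.0"]` is kept while `trusted_proxies` moves to the ward-web-proxy WireGuard address and the local nginx is removed elsewhere in this commit, so the plain-HTTP port still listens on every interface and direct exposure is limited only by the host firewall. If nothing is meant to reach port 8123 outside the proxy-home tunnel, bind it there with `server_host = [config.wireguard.proxy-home.ipv4];`, the value the upstream definition later in this file already uses; otherwise add a comment stating which interfaces need direct access. Because `use_x_forwarded_for = true` makes Home Assistant take the client address from the proxy's header, the vhost on ward-web-proxy should set that header itself; its proxy settings are not visible in this diff. The `http` block starts outside the hunk.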
@@ -82,7 +83,11 @@ in {
 #themes = "!include_dir_merge_named themes";
 };
 };
- extraPackages = python3Packages: with python3Packages; [psycopg2];
+ extraPackages = python3Packages:
+ with python3Packages; [
+ psycopg2
+ gtts
+ ];
 };
 age.secrets."home-assistant-secrets.yaml" = {
@@ -97,16 +102,7 @@ in {
 '';
 };
- services.nginx = {
- upstreams.homeassistant = {
- extraConfig = ''
- zone homeassistant 64k;
- keepalive 2;
- '';
- };
- };
-
- nodes.ward = {
+ nodes.ward-web-proxy = {
 services.nginx = {
 upstreams."home-assistant" = {
 servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" = {};
@@ -117,7 +113,7 @@ in {
 };
 virtualHosts.${homeDomain} = {
 forceSSL = true;
- enableACME = true;
+ useACMEWildcardHost = true;
 locations."/" = {
 proxyPass = "http://home-assistant";
 proxyWebsockets = true;
diff --git a/hosts/zackbiene/kea.nix b/hosts/zackbiene/kea.nix
index 33e0245..301bcb2 100644
--- a/hosts/zackbiene/kea.nix
+++ b/hosts/zackbiene/kea.nix
@@ -27,12 +27,6 @@ in {
 interfaces = ["wlan1"];
 service-sockets-max-retries = -1;
 };
- option-data = [
- {
- name = "domain-name-servers";
- data = "192.168.1.3"; # FIXME: global (also search for 192.168 and "*Ip =")
- }
- ];
 subnet4 = [
 {
 interface = "wlan1";