diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix
index 4df6622..d04e220 100644
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@@ -82,12 +82,12 @@ in {
 listener = {
 jmap = {
 protocol = "jmap";
- bind = " [::]:18080";
+ bind = " [::]:8080";
 url = "https://mail.${primaryDomain}/jmap";
 };
 imaps = {
 protocol = "imap";
- bind = "[::]:1993";
+ bind = "[::]:993";
 tls.enable = true;
 tls.implicit = true;
 };
diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index 78a68f7..0b80305 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -70,7 +70,7 @@ in {
 group = "influxdb2";
 };
 
- services.influxdb2.provision.organizations.machines.auths."grafana home:home_assistan (${config.node.name})" = {
+ services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" = {
 readBuckets = ["home_assistant"];
 writeBuckets = ["home_assistant"];
 tokenFile = nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index 5b51bcd..88483ea 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -94,6 +94,7 @@ in {
 nodes.sentinel.config.networking.providedDomains.loki
 nodes.sentinel.config.networking.providedDomains.paperless
 "home.${config.repo.secrets.global.domains.me}"
+ "fritzbox.${config.repo.secrets.global.domains.me}"
 ];
 filters = [
 {
diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix
index c54033b..1f7c78a 100644
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@@ -1,5 +1,6 @@
 {config, ...}: let
 inherit (config.repo.secrets.local) acme;
+ fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}";
 in {
 wireguard.proxy-home = {
 client.via = "ward";
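Review bot: The new `bind = " [::]:8080"` for the jmap listener carries over the leading space inside the string from the old value, so the address handed to the listener is ` [::]:8080` rather than `[::]:8080`; whether stalwart tolerates that is not visible here, but the sibling `imaps` line shows the intended form, `bind = "[::]:8080";`. Moving imaps to 993 puts the listener on a privileged port, so unless the stalwart-mail service runs as root it needs `CAP_NET_BIND_SERVICE` (AmbientCapabilities or equivalent) — worth confirming the module grants it before deploying, since the failure mode is a listener that silently never comes up. The enclosing `listener` attribute set starts and ends outside the hunk.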
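Review bot: Moving this auth from `organizations.machines` to `organizations.home` (and correcting `home_assistan` to `home_assistant`) changes the auth's identity as far as provisioning is concerned, so whether the token previously created under `machines` is revoked depends on whether the influxdb2 provisioning module prunes auths that vanish from the configuration; if it only creates, the old token keeps read/write access to the `home_assistant` bucket until removed by hand. The same rename is made for the `home-assistant (${config.node.name})` auth in `hosts/zackbiene/home-assistant.nix` later in this commit. A comment such as `# moved from organizations.machines — verify the old auth is gone after deploy` would record that a manual check is expected. The `services.influxdb2.provision` block continues outside the hunk.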
@@ -32,6 +33,33 @@ in { inherit (acme) certs wildcardDomains; }; + services.nginx = { + upstreams.fritzbox = { + servers."192.168.178.1" = {}; + extraConfig = '' + zone grafana 64k; + keepalive 2; + ''; + }; + virtualHosts.${fritzboxDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://fritzbox"; + proxyWebsockets = true; + }; + # Allow using self-signed certs. We just want to make sure the connection + # is over TLS. + # FIXME: refer to lan 192.168... and fd10:: via globals + extraConfig = '' + proxy_ssl_verify off; + allow 192.168.1.0/24; + allow fd10::/64; + deny all; + ''; + }; + }; + users.groups.acme.members = ["nginx"]; services.nginx.enable = true; services.nginx.recommendedSetup = true; diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 44ff4e9..3c44cc1 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -6,6 +6,7 @@ ... }: let homeDomain = "home.${config.repo.secrets.global.domains.me}"; + fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.home-assistant.config.http.server_port @@ -59,7 +60,9 @@ in { #### only selected components from default_config #### assist_pipeline = {}; + backup = {}; bluetooth = {}; + config = {}; #cloud = {}; #conversation = {}; dhcp = {}; @@ -67,7 +70,6 @@ in { history = {}; homeassistant_alerts = {}; logbook = {}; - map = {}; #media_source = {}; mobile_app = {}; my = {}; @@ -80,8 +82,6 @@ in { ### Components not from default_config - backup = {}; - config = {}; frontend = { #themes = "!include_dir_merge_named themes"; }; 
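Review bot: `proxy_ssl_verify off;` in the `fritzboxDomain` virtual host has no effect, because `proxyPass = "http://fritzbox"` together with the port-less upstream `servers."192.168.178.1" = {}` (nginx defaults an upstream server without a port to 80) makes the proxy→fritzbox hop plain HTTP, so the accompanying comment's "make sure the connection is over TLS" is not met and any credentials entered through this host would cross the 192.168.178.0/24 segment unencrypted. The minimal fix is `servers."192.168.178.1:443" = {};` and `proxyPass = "https://fritzbox";`; better still, export the device's certificate and use `proxy_ssl_trusted_certificate` with `proxy_ssl_verify on` so the hop is authenticated rather than merely encrypted. The `zone grafana 64k;` name appears copied from another upstream — `zone fritzbox 64k;` keeps the shared-memory zone from being silently shared with an unrelated upstream.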
@@ -115,12 +115,12 @@ in { if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then rm ${config.services.home-assistant.configDir}/secrets.yaml fi - cat ${config.age.secrets."home-assistant-secrets.yaml".path} > ${config.services.home-assistant.configDir}/secrets.yaml # Update influxdb token + # We don't use -i because it would require chown with is a @privileged syscall INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \ - ${lib.getExe pkgs.yq-go} -i '.influxdb_token = strenv(INFLUXDB_TOKEN)' \ - ${config.services.home-assistant.configDir}/secrets.yaml + ${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)' \ + ${config.age.secrets."home-assistant-secrets.yaml".path} > ${config.services.home-assistant.configDir}/secrets.yaml touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml ''; @@ -140,13 +140,16 @@ in { group = "influxdb2"; }; - services.influxdb2.provision.organizations.machines.auths."home-assistant (${config.node.name})" = { + services.influxdb2.provision.organizations.home.auths."home-assistant (${config.node.name})" = { readBuckets = ["home_assistant"]; writeBuckets = ["home_assistant"]; tokenFile = nodes.sire-influxdb.config.age.secrets."hass-influxdb-token-${config.node.name}".path; }; }; + # Connect to fritzbox via https proxy (to ensure valid cert) + networking.hosts."192.168.1.4" = [fritzboxDomain]; + nodes.ward-web-proxy = { services.nginx = { upstreams."home-assistant" = {
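Review bot: The redirect `> ${config.services.home-assistant.configDir}/secrets.yaml` truncates the destination before `yq-go` runs, so a failing yq (unreadable secret, bad expression) leaves an empty `secrets.yaml` behind for the next start attempt, whereas the old `cat`-then-`-i` sequence at least left the copied secrets in place; writing to `secrets.yaml.tmp` and `mv`-ing it over the target only on success keeps the update atomic, e.g. `... > ${config.services.home-assistant.configDir}/secrets.yaml.tmp && mv ${config.services.home-assistant.configDir}/secrets.yaml.tmp ${config.services.home-assistant.configDir}/secrets.yaml`. The added comment also has a typo, `with is a @privileged syscall` → `which is a @privileged syscall`, and would read better stating the consequence, e.g. `# We don't use -i because it would require chown, which is a @privileged syscall blocked by SystemCallFilter`, if that is indeed the filter in effect — confirm against the unit's hardening options. The preStart script string begins before the hunk.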
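Review bot: `networking.hosts."192.168.1.4" = [fritzboxDomain];` pins the fritzbox hostname to a bare address with no indication of which host that is, while the matching web-proxy change in this commit already carries a FIXME to source the LAN ranges from globals; a stale pin here would send the fritzbox UI traffic to whatever later occupies that address without any error. A comment naming the host, e.g. `# 192.168.1.4 = <web-proxy host> LAN address — TODO take from globals`, would at least make the dependency auditable. The adguardhome change in this commit references the same domain, so the two name sources should be kept in sync or one of them dropped. The `organizations.machines` → `home` rename in this hunk is covered in the note on the grafana hunk.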