diff --git a/config/services/jellyfin.nix b/config/services/jellyfin.nix
index 51f2c3d..8a38b7e 100644
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
@@ -2,8 +2,32 @@
 services.jellyfin.enable = true;
+ services.nginx.virtualHosts."watch.kyouma.net" = {
+ forceSSL = true;
+ http3 = true;
+ quic = true;
+ useACMEHost = "fentanyl.trade";
+ locations = {
+ "= /".return = "302 https://$host/web/";
+ "/" = {
+ proxyPass = "http://[::1]:8096";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_buffering on;
+ '';
+ };
+ "= /web/" = {
+ proxyPass = "http://[::1]:8096";
+ recommendedProxySettings = true;
+ };
+ "/socket" = {
+ proxyPass = "http://[::1]:8096";
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+ };
+ };
 kyouma.nginx.virtualHosts = {
- "watch.kyouma.net".redirectTo = "fentanyl.trade";
 "fentanyl.trade" = {
 serverAliases = lib.singleton "frotti.ng";
 locations = {
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index b27fa24..2b400ca 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -34,7 +34,6 @@ in {
 add_header Strict-Transport-Security $hsts_header;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
 add_header Referrer-Policy "same-origin" always;
 add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index c2707c7..47361fc 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
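Review bot: The `watch.kyouma.net` vhost added in config/services/jellyfin.nix is declared under `services.nginx.virtualHosts` instead of `kyouma.nginx.virtualHosts`, so it appears to bypass `createHost` in modules/nginx/default.nix and would not receive that module's per-vhost `add_header` block; the config/services/nginx.nix hunk in this same commit also drops `X-Frame-Options "SAMEORIGIN"` from the shared header list. Unless Jellyfin sets its own framing policy, the web UI behind this proxy can then be embedded by any origin, so check the response headers of the new host and, if nothing restricts framing, restore it with a Content-Security-Policy `frame-ancestors 'self'` next to the other shared headers. Separately, `"= /".return` reflects `$host` into the Location header; `"= /".return = "302 https://watch.kyouma.net/web/";` keeps the redirect target fixed even if this server block ever ends up as the default for its listener. A short comment above the vhost saying why it is defined outside the wrapper would help the next reader.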
@@ -5,13 +5,13 @@
 add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy "same-origin" always;
 '';
 createHost = vhostName: vhostCfg: {
 extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
- vhostCfg.extraConfig + "\n" + extraConfig
+ vhostCfg.extraConfig
 ) + lib.optionalString (
 if (vhostCfg ? "verifyClientCert")
 then vhostCfg.verifyClientCert
@@ -20,7 +20,7 @@
 ssl_client_certificate ${./kyouma_Root_CA.pem};
 ssl_verify_client on;
 ssl_verify_depth 1;
- '';
+ '' + "\n" + extraConfig;
 forceSSL = true;
 } // lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
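Review bot: In `createHost` (modules/nginx/default.nix, `-5,13` hunk) the vhost's own `extraConfig` is now concatenated directly with the client-certificate block, because the `"\n"` separator moved to the end of the expression in the `-20,7` hunk; a vhost `extraConfig` that does not end in a newline would be glued to the `ssl_client_certificate` directive on the same line, and if its last line is a `#` comment that directive would be commented out. Keeping a separator on the first operand, `vhostCfg.extraConfig + "\n"`, avoids this without changing the new behaviour of appending the header block to every vhost. The opening of the `ssl_*` string and the rest of `createHost` lie outside this hunk, so this assumes the string begins with the `ssl_client_certificate` line shown in the following hunk. A one-line comment on `extraConfig` noting that the shared header block is now appended unconditionally would document the change for anyone defining a vhost.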