diff --git a/nixos/modules/services/upRootNutrition.nix b/nixos/modules/services/upRootNutrition.nix
index bc21a1b..dbf5094 100755
--- a/nixos/modules/services/upRootNutrition.nix
+++ b/nixos/modules/services/upRootNutrition.nix
@@ -1,5 +1,6 @@
 {flake, ...}: let
   inherit (flake.config.machines.devices) server;
+  inherit (flake.config.people.users) user0;
   inherit (flake.config.services.instances) upRootNutrition web;
   service = upRootNutrition;
   localhost = web.localhost.address0;
@@ -10,12 +11,27 @@ in {
     virtualHosts = {
       "${host}" = {
         extraConfig = ''
-          root * /var/lib/website/dist/index.html
+          root * /var/lib/website/dist
+          try_files {path} /index.html
+          file_server
+          # Optional: Add security headers
+          header {
+            Strict-Transport-Security "max-age=31536000;"
+            X-Content-Type-Options "nosniff"
+            X-Frame-Options "DENY"
+            Referrer-Policy "strict-origin-when-cross-origin"
+          }
+
+          # Your existing redirects
           redir /.well-known/carddav /remote.php/dav/ 301
           redir /.well-known/caldav /remote.php/dav/ 301
-          reverse_proxy ${localhost}:${toString service.ports.port0}
+          # Only proxy API requests if needed
+          @api {
+            path /api/*
+          }
+          reverse_proxy @api ${localhost}:${toString service.ports.port0}
           tls ${service.ssl.cert} ${service.ssl.key}
         '';
@@ -23,14 +39,4 @@ in {
       };
     };
   };
-  fileSystems."${service.paths.path0}" = {
-    device = service.paths.path0;
-    fsType = "none";
-    options = ["bind"];
-    depends = [server.storage0.mount];
-  };
-
-  systemd.tmpfiles.rules = [
-    "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
-  ];
 }
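Review bot: `user0` is inherited in the first hunk but not referenced in any hunk of this commit; if nothing else in the file uses it, the binding is dead and should be dropped, since Nix emits no unused-binding warning that would catch it later. The `let` block continues outside the hunk, so this cannot be confirmed from the visible lines alone.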
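Review bot: The new `try_files {path} /index.html` line applies to every request, including `/api/*`, and Caddy evaluates `try_files` before `reverse_proxy` regardless of Caddyfile order, so an API request whose path is not a file under the site root is rewritten to `/index.html` before the `@api` path matcher runs; the matcher then fails and `file_server` returns the SPA shell instead of proxying to the backend. The usual layout is to split the two cases into `handle` blocks so the rewrite only runs for the static site, as sketched below. The HSTS value `"max-age=31536000;"` carries a stray trailing semicolon; the grammar tolerates it, but `Strict-Transport-Security "max-age=31536000"` is the intended value. The comments `# Optional: Add security headers`, `# Your existing redirects` and `# Only proxy API requests if needed` read like pasted tutorial text and should state what this host actually does or be dropped. The enclosing `extraConfig` string and the attribute set opened at `in {` are only partly visible in the hunk.
```nix
        extraConfig = ''
          handle /api/* {
            reverse_proxy ${localhost}:${toString service.ports.port0}
          }
          handle {
            root * /var/lib/website/dist
            try_files {path} /index.html
            file_server
          }
          # … unchanged: header block, .well-known redirects, tls …
        '';
```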