diff --git a/modules/nixos/guests/firefly-iii/default.nix b/modules/nixos/guests/firefly-iii/default.nix
index 6a67859..fcf3188 100755
--- a/modules/nixos/guests/firefly-iii/default.nix
+++ b/modules/nixos/guests/firefly-iii/default.nix
@@ -56,6 +56,11 @@ in
       };
     };
+    phpfpm.pools.firefly-iii.phpEnv = {
+      TRUSTED_PROXIES = "*";
+      APP_URL = "https://${host}";
+    };
+
     firefly-iii-data-importer = {
       enable = true;
     };
@@ -70,7 +75,10 @@ in
         encode gzip
-        php_fastcgi unix//run/phpfpm/firefly-iii.sock
+        php_fastcgi unix//run/phpfpm/firefly-iii.sock {
+          env HTTPS {http.request.header.X-Forwarded-Proto}
+          env HTTP_X_FORWARDED_PROTO {http.request.header.X-Forwarded-Proto}
+        }
       '';
     };
   };
@@ -95,6 +103,10 @@ in
     };
   };
+  users.users.caddy = {
+    extraGroups = [ "firefly-iii" ];
+  };
+
   networking.firewall.allowedTCPPorts = [
     22
     80
@@ -104,6 +116,10 @@ in
   systemd = {
     services = {
+      caddy = {
+        after = [ "phpfpm-firefly-iii.service" ];
+        requires = [ "phpfpm-firefly-iii.service" ];
+      };
       fix-secrets-permissions = {
         description = "Fix secrets permissions for firefly-iii";
         wantedBy = [ "multi-user.target" ];
@@ -239,7 +255,10 @@ in
   };
   services.caddy.virtualHosts."${host}" = {
     extraConfig = ''
-      reverse_proxy http://${serviceCfg.interface.ip}:80
+      reverse_proxy http://${serviceCfg.interface.ip}:80 {
+        header_up X-Forwarded-Proto https
+        header_up X-Forwarded-Host {host}
+      }
       tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
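Review bot: `TRUSTED_PROXIES = "*";` in the phpEnv block tells the application to believe X-Forwarded-For/-Host/-Proto from whoever reaches php-fpm, and the guest's own Caddy on port 80 is in `networking.firewall.allowedTCPPorts` (context in the third hunk), so a client that reaches the guest directly instead of through the front proxy can pick its apparent source address and, if the app honours X-Forwarded-Host, the host used in generated links. Narrowing the value to the front proxy keeps those headers trustworthy: `TRUSTED_PROXIES = "<FRONT_PROXY_IP>";` (placeholder; the address of the host running `services.caddy.virtualHosts."${host}"` is not on the page). If the front proxy has no fixed address, a comment on this line recording why the wildcard is acceptable on this network would at least make the decision visible. The enclosing `services` attribute set starts outside the hunk.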
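Review bot: `env HTTPS {http.request.header.X-Forwarded-Proto}` copies the incoming header value into the FastCGI environment without normalising it, and PHP treats any non-empty `HTTPS` value other than `off` as TLS, so `X-Forwarded-Proto: http` (or any arbitrary value) still makes the request look secure while a request without the header leaves `HTTPS` unset. Since the front proxy always sends `https` (last hunk), the honest options are `env HTTPS on` on the assumption that only the front proxy reaches this listener, or mapping the header to `on`/`off` with a Caddy `vars` directive behind a `header X-Forwarded-Proto https` matcher and referencing that variable here; which one fits depends on whether direct access to the guest's port 80 is intended, which the hunk does not show. The `''` string this Caddyfile fragment lives in starts outside the hunk.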
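Review bot: The `extraGroups = [ "firefly-iii" ];` line carries no comment saying what caddy needs from that group, and group membership grants access to everything group-readable owned by firefly-iii, presumably more than the php-fpm socket it connects to in the second hunk (the pool's socket permissions are not on the page). A one-line comment would record the intent: `# caddy connects to the group-owned php-fpm socket at /run/phpfpm/firefly-iii.sock`. If the socket is the only reason, granting caddy access through the pool's `listen.group`/`listen.mode` settings would be the narrower option; worth confirming against the firefly-iii module's pool definition before changing it.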
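Review bot: `requires = [ "phpfpm-firefly-iii.service" ];` couples caddy's lifecycle to the pool: an explicit stop or restart of `phpfpm-firefly-iii.service` propagates to caddy, so a pool restart takes the whole listener down instead of leaving it answering 502 for a moment. `wants = [ "phpfpm-firefly-iii.service" ];` keeps the start-up ordering that `after` provides while letting caddy keep serving through a pool restart. Whether caddy should outlive the pool depends on whether it serves anything besides firefly-iii on this guest, which the hunk does not show.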