diff --git a/hosts/sid/secrets/secrets.yaml b/hosts/sid/secrets/secrets.yaml
index 7d553c7..2488cb5 100644
--- a/hosts/sid/secrets/secrets.yaml
+++ b/hosts/sid/secrets/secrets.yaml
@@ -32,6 +32,7 @@ mailserver:
 vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
 radicale:
     sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
+hetzner-dns-api-key: ENC[AES256_GCM,data:KQooOZjQMtCSVqMI8yKVEk0xebTEuNs5WsxTDC9kcXdGZIgq8ZIEk5ku94EV95i0ad9y5Zx0ozt7aWcNHiMMfQ==,iv:jssQ7PejT5awmeMowdSIEFKDfLW7PWvsd++lh9/MlXs=,tag:UoNRz9neDzDxDjmGmBNPjA==,type:str]
 sops:
     age:
         - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -52,7 +53,7 @@ sops:
             RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
             UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-15T22:25:00Z"
-    mac: ENC[AES256_GCM,data:/Y68+WlI/BykmwajvluW1EiCfzdfIJe+nDwstqusqhwhc7h5exD5xuuU9CB0lcUGwODwrIfWECWLLhJfn86/Wc2WDT2yinIj89mik/rRB0klMx75v0w1v6vxiYuQU0WHPtajDuuaMTo1QxJFczZt0RVPtDPwmVip5EEQpNsqzig=,iv:gWqFTUP7PAk5QzRfKFpTD5iCdneciih0HM8am8+TS/8=,tag:E1QY6PnM3oFZm/qfrL/8dg==,type:str]
+    lastmodified: "2026-04-15T19:31:40Z"
+    mac: ENC[AES256_GCM,data:Xq+oQUiAr/YCYXlUT+qYtY279R9MrXs6Iehyi3zt7V7mJyWO8LKEQlM36R4WwkMb719arfso1LOu14XRhhMuF7dZcB+pn0nY8aVqNU1mq2RvSnXYJioXJBV8uRcq8xMviubown4Cz3XfFrSkeNSXSnh//op5Rk7Eoq8hv49t13o=,iv:aT4yXx8dPoyfIC9ZPnVl0LL3kygsAN+KSIiwjtpfvxg=,tag:lYdL7Rj/kl/NLEXZMu1Hwg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 508967c..0cbeb6c 100644
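Review bot: `lastmodified` moves backwards in the second hunk, from `2026-04-15T22:25:00Z` to `2026-04-15T19:31:40Z`, although sops stamps the current time on every write; that suggests the edit was made on a machine with a different clock, or is an older edit rebased over a newer state of the file. Because `mac` covers every value in the file, a file that mixed two states would fail to decrypt, so it is worth confirming that `sops -d hosts/sid/secrets/secrets.yaml` succeeds on exactly this revision before merging. The new `hetzner-dns-api-key` entry itself is encrypted in place, which is the right way to land a token.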
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -25,12 +25,12 @@ in
     enable = true;
     config = with constants; ''
       .:53 {
-        bind 127.0.0.1 ${hosts.sid.ip}
+        bind ${hosts.sid.ip}
         hosts {
-          # ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
-          # ${hosts.rx4.ip} ${services.webdav.fqdn}
+          ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
+          ${hosts.rx4.ip} ${services.webdav.fqdn}
           ${hosts.rx4.ip} rx4.tail
-          # ${hosts.sid.ip} ${services.netdata.fqdn}
+          ${hosts.sid.ip} ${services.netdata.fqdn}
           ${hosts.sid.ip} sid.tail
           ${hosts.vde.ip} vde.tail
           fallthrough
@@ -43,6 +43,15 @@ in
     '';
   };
 
+  security.acme = {
+    certs."${constants.intranet}" = {
+      domain = "*.${constants.intranet}";
+      webroot = null;
+      dnsProvider = "hetzner";
+      credentialsFile = config.sops.templates.hetzner-dns-api-key.path;
+    };
+  };
+
   services.nginx = {
     enable = true;
     openFirewall = true;
@@ -62,10 +71,10 @@ in
       address = constants.hosts.rx4.ip;
       port = constants.services.miniflux.port;
     };
-    # virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
-    #   inherit ssl;
-    #   port = constants.services.netdata.port;
-    # };
+    virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
+      inherit ssl;
+      port = constants.services.netdata.port;
+    };
     virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
       inherit ssl;
       address = constants.hosts.rx4.ip;
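Review bot: The wildcard `*.${constants.intranet}` certificate in the `@@ -43,6` hunk only serves the virtual hosts re-enabled below if `mkVirtualHost`'s `ssl` resolves to `useACMEHost = constants.intranet` rather than `enableACME = true`; with `enableACME`, nginx would place a separate HTTP-01 order per intranet name, which cannot validate if those names only resolve on the tailnet through the CoreDNS `hosts` entries above. `mkVirtualHost` and `ssl` are defined outside this diff, so please confirm which one it is. A wildcard also does not cover the apex, so if anything is served on the bare `${constants.intranet}` name, add `extraDomainNames = [ constants.intranet ];` to the cert. Pointing `credentialsFile` at the sops template keeps the token out of the Nix store, which is the right approach.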
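Review bot: Re-enabling the netdata virtual host here, and the vaultwarden and webdav hosts in the `@@ -83,16` hunk, exposes services behind names that only the CoreDNS `hosts` plugin hands out, but DNS is not access control: `openFirewall = true` is visible in the previous hunk, and unless `mkVirtualHost` restricts `listenAddresses` to the tailnet address, any client that can reach sid on 443 and sends the matching `Host` header is proxied through. Netdata's dashboard is, as far as I know, unauthenticated by default, so it is the most exposed of the three; either pin the listen address or add `basicAuthFile` on that host. The nginx `listen` setup and `mkVirtualHost` are outside this diff, so this may already be handled there.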
@@ -83,16 +92,16 @@ in
       address = constants.hosts.rx4.ip;
       port = constants.services.rsshub-oci.port;
     };
-    # virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
-    #   inherit ssl;
-    #   address = constants.hosts.rx4.ip;
-    #   port = constants.services.vaultwarden.port;
-    # };
-    # virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
-    #   inherit ssl;
-    #   address = constants.hosts.rx4.ip;
-    #   port = constants.services.webdav.port;
-    # };
+    virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
+      inherit ssl;
+      address = constants.hosts.rx4.ip;
+      port = constants.services.vaultwarden.port;
+    };
+    virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
+      inherit ssl;
+      address = constants.hosts.rx4.ip;
+      port = constants.services.webdav.port;
+    };
     # FIXME
     # virtualHosts."print.sid.ovh" = {
     #   enableACME = true;
@@ -103,4 +112,18 @@ in
     #   };
     # };
   };
+
+  sops =
+    let
+      owner = "acme";
+      group = "acme";
+      mode = "0400";
+    in
+    {
+      secrets.hetzner-dns-api-key = { inherit owner group mode; };
+      templates.hetzner-dns-api-key = {
+        inherit owner group mode;
+        content = "HETZNER_API_TOKEN=${config.sops.placeholder.hetzner-dns-api-key}";
+      };
+    };
 }
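Review bot: The template in the `@@ -103,4` hunk exports the token as `HETZNER_API_TOKEN`, but lego's hetzner DNS provider, which `dnsProvider = "hetzner"` selects, documents its credential variable as `HETZNER_API_KEY`; with an unrecognised name lego reports missing credentials and every DNS-01 order fails, so unless the lego version in your nixpkgs accepts the other spelling, change the line to `content = "HETZNER_API_KEY=${config.sops.placeholder.hetzner-dns-api-key}";`. Declaring `secrets.hetzner-dns-api-key` is needed for the placeholder, but sops-nix will also render the raw secret file next to the template, so there are two plaintext copies of the token at runtime; both are `0400` and owned by `acme`, which is appropriate, just keep both in mind when rotating it.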