diff --git a/hosts/akko/akkoma.nix b/hosts/akko/akkoma.nix
index 8935c7f..0798894 100644
--- a/hosts/akko/akkoma.nix
+++ b/hosts/akko/akkoma.nix
@@ -64,7 +64,25 @@ in {
   services.postgresql.enable = true;
+  security.acme = {
+    defaults.email = "me@xeiaso.net";
+    agreeTerms = true;
+
+    certs."akko.within.website" = {
+      group = "nginx";
+      dnsProvider = "route53";
+      credentialsFile = "/run/keys/aws-within.website";
+      extraLegoFlags = [ "--dns.resolvers=8.8.8.8:53" ];
+    };
+  };
+
   age.secrets = {
+    "aws-within.website" = {
+      file = ../../secret/aws-within.website.age;
+      path = "/run/keys/aws-within.website";
+      owner = "acme";
+      group = "nginx";
+    };
     akko-keyid = {
       file = ../../secret/akko-keyid.age;
       path = "/var/lib/secrets/akkoma/b2_key_id";
diff --git a/hosts/akko/default.nix b/hosts/akko/default.nix
index 5a6b65e..8c9f627 100644
--- a/hosts/akko/default.nix
+++ b/hosts/akko/default.nix
@@ -12,6 +12,13 @@
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6NPbPIcCTzeEsjyx0goWyj6fr2qzcfKCCdOUqg0N/v cadey@kos-mos"
   ];
+  i18n.defaultLocale = "en_US.UTF-8";
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 ];
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+
+  services.tailscale.enable = true;
+
   security.acme.email = "me@xeiaso.net";
   security.acme.acceptTerms = true;
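Review bot: `agreeTerms = true;` in the new `security.acme` block does not look like a NixOS option — the option this diff itself uses in hosts/akko/default.nix is `security.acme.acceptTerms`, so the line is either a typo that will fail evaluation or a dead duplicate; drop it, or change it to `acceptTerms = true;` and remove the copy in default.nix so terms acceptance is declared once. `defaults.email` is likewise set here while `security.acme.email` remains in default.nix; keeping a single definition avoids a conflicting-definition error if the two values ever diverge. The `aws-within.website` secret is read by the ACME client (owner `acme`), not by nginx, so `group = "nginx"` on the secret grants nothing nginx needs; the group belongs on the certificate, which the `certs` entry already sets, and the credential file can stay owner-only. The enclosing attribute set begins before this hunk.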
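Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens UDP ports with no visible listener — plain HTTP never uses UDP 80, and UDP 443 only matters for HTTP/3 (QUIC), which nothing in this diff enables; open only what nginx actually listens on and drop the line unless HTTP/3 is configured. `trustedInterfaces = [ "tailscale0" ]` exempts all tailnet traffic from the firewall, a wider grant than listing the tailnet-facing ports, so a short comment stating that this is intended would help the next reader, e.g. `# tailnet peers bypass the firewall; only ACLs apply`. The hunk's trailing context may continue past the text shown here.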