diff --git a/configs/sputnik/configuration.nix b/configs/sputnik/configuration.nix index 51be770..b967950 100644 --- a/configs/sputnik/configuration.nix +++ b/configs/sputnik/configuration.nix @@ -4,6 +4,7 @@ ./hardware-configuration.nix + ./nginx.nix ./tinc.nix ./codimd.nix diff --git a/configs/sputnik/nginx.nix b/configs/sputnik/nginx.nix index a4b072f..83c7b37 100644 --- a/configs/sputnik/nginx.nix +++ b/configs/sputnik/nginx.nix @@ -284,6 +284,47 @@ in { } // error.locations; }; + + "home.ingolf-wagner.de" = { + listen = [ + { + addr = "0.0.0.0"; + port = 4443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 80; + ssl = false; + } + ]; + extraConfig = '' + proxy_buffering off; + # client certificate + ssl_client_certificate ${}; + # make verification optional, so we can display a 403 message to those + # who fail authentication + ssl_verify_client optional; + ''; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://pepe.private:8123"; + proxyWebsockets = true; + extraConfig = '' + # if the client-side certificate failed to authenticate, show a 403 + # message to the client + if ($ssl_client_verify != SUCCESS) { + return 403; + } + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; + }; + + }; }; diff --git a/system/all/default.nix b/system/all/default.nix index 3ef4fc8..28aaa40 100644 --- a/system/all/default.nix +++ b/system/all/default.nix @@ -72,6 +72,10 @@ zsh.enable = true; }; + # set vim to the default editor + # ----------------------------- + programs.vim.defaultEditor = true; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/system/server/default.nix b/system/server/default.nix index 61f0a63..95d9f05 100644 
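Review bot: The client-certificate gate for "home.ingolf-wagner.de" is enforced only inside `locations."/"`, while `ssl_verify_client optional;` lets the TLS handshake complete without any certificate, so a location added to this vhost later would be served unauthenticated. Moving `if ($ssl_client_verify != SUCCESS) { return 403; }` into the server-level `extraConfig`, or using `ssl_verify_client on;` if the custom 403 is not needed, applies the check to the whole vhost. There is no revocation path either; an `ssl_crl <path-to-crl>;` line next to `ssl_client_certificate` would let a lost client certificate be revoked. As rendered here the interpolation in `ssl_client_certificate ${};` is empty, possibly a page artifact, so confirm that it points at a CA that issues only your own client certificates. With `forceSSL = true` and the TLS listener on port 4443, the port-80 redirect probably targets the default HTTPS port, so check that 443 is mapped to 4443 in front of this host; the enclosing attribute set starts outside the hunk.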
--- a/system/server/default.nix +++ b/system/server/default.nix @@ -6,6 +6,7 @@ ./initssh.nix ./graylog-exporter.nix ./prometheus-exporters.nix + ./packages.nix ]; # make sure laptops stay awake when closing the montior @@ -17,19 +18,5 @@ # config vim programs.custom.vim.enable = true; - # no need to to start a service - environment.systemPackages = let - - nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" { - flakeIgnore = [ "E265" "E225" "W292" ]; - } (lib.fileContents ); - in [ - pkgs.mosh - - # nginxfmt - pkgs.nginx-config-formatter - nginxShowConfig - ]; - } diff --git a/system/server/packages.nix b/system/server/packages.nix new file mode 100644 index 0000000..d146fb1 --- /dev/null +++ b/system/server/packages.nix @@ -0,0 +1,17 @@ +{ pkgs, config, lib, ... }: +{ + + # no need to to start a service + environment.systemPackages = let + + nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" { + flakeIgnore = [ "E265" "E225" "W292" ]; + } (lib.fileContents ); + in [ + pkgs.mosh + + # nginxfmt + pkgs.nginx-config-formatter + nginxShowConfig + ]; +}
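Review bot: The comment carried into the new `system/server/packages.nix` still reads `# no need to to start a service`, with a doubled "to", and does not say what the list is for; something like `# extra command-line tools for servers (no service is started)` would be clearer. The module header also binds `config`, which the visible lines never use, so `{ pkgs, lib, ... }:` would be enough. The argument to `lib.fileContents` appears empty on this page, likely a rendering artifact, so confirm the script path survived the move.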