diff --git a/hosts/butterfly/services/nginx.nix b/hosts/butterfly/services/nginx.nix
index ba78c0a..5dcb5c6 100644
--- a/hosts/butterfly/services/nginx.nix
+++ b/hosts/butterfly/services/nginx.nix
@@ -1,30 +1,13 @@
-{
- inputs,
- pkgs,
- ...
-}: {
- nixpkgs.overlays = [
- (self: super: {
- # in wake of CVE-2022-3602/CVE-2022-3786
- nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
- })
- inputs.dobutterfliescry-net.overlays.default
- ];
-
- # simple nginx instance to host static construction page
- # TODO: I want sshd and forgejo's ssh server to both be bound to port 22
- # So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
- # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
+{pkgs, ...}: {
 services.nginx = {
 enable = true;
- # XXX: TODO: this should auto use the nginxStable overlay no?
- # in wake of CVE-2022-3602/CVE-2022-3786
- # package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
+ # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
+ package = pkgs.nginx;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
+ # recommendedGzipSettings = true;
+ # recommendedOptimisation = true;
+ # recommendedProxySettings = true;
+ # recommendedTlsSettings = true;
 # streamConfig = ''
 # server {
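Review bot: Commenting out `recommendedTlsSettings = true;` leaves the `addSSL`/`forceSSL` vhosts on nginx's built-in TLS defaults, which the NixOS option otherwise tightens (protocol and cipher selection, session tickets, OCSP stapling), and nothing in the new lines replaces it; either keep `recommendedTlsSettings = true;` or say in a comment which of the four settings is actually being switched off and why. Dropping `recommendedProxySettings` at the same time means the `proxyPass` vhost in the second hunk no longer forwards `Host`/`X-Real-IP`/`X-Forwarded-*`, so the upstream presumably sees every client as 127.0.0.1 in its logs and rate limiting. The removed `nixpkgs.overlays` block also took `inputs.dobutterfliescry-net.overlays.default` with it, yet `pkgs.dobutterfliescry-net` is still referenced in the second hunk and the overlays/default.nix hunks do not visibly add that overlay back, so unless it is applied elsewhere evaluation fails. The new comment says "nginxStable is overlayed" while the line under it selects `pkgs.nginx`; `# NOTE: pkgs.nginx (and nginxStable) are overlayed with libressl in overlays/default.nix, see CVE-2022-3602/CVE-2022-3786` would match what the overlay hunk actually does.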
@@ -43,40 +26,33 @@
 enableACME = true;
 # kTLS = true; # offload TLS to the linux kernel
 };
-
- vault =
- {
- forceSSL = true;
- locations."/".proxyPass = "${localhost}:8222";
- }
- // std;
- forge =
- {
- forceSSL = true;
- extraConfig = ''
- client_max_body_size 512M;
- '';
- locations."/".proxyPass = "${localhost}:3000";
- }
- // std;
 in {
 "dobutterfliescry.net" =
 {
 default = true;
- addSSL = true; # not strictly enforced <3
- # root = "/var/www/cry";
+ addSSL = true; # addSSL NOT forceSSL <3
 root = "${pkgs.dobutterfliescry-net}/www";
 # extraConfig = ''
 # error_page 404 /custom_404.html;
 # '';
 }
 // std;
- # Route "vault" subdomain to vaultwarden
- "vault.imbored.dev" = vault;
- # Route "forge" subdomain to forgejo
- # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
+ "vault.imbored.dev" =
+ {
+ forceSSL = true;
+ locations."/".proxyPass = "${localhost}:8222";
+ }
+ // std;
+ # "tearforge.net" =
+ # {
+ # forceSSL = true;
+ # extraConfig = ''
+ # client_max_body_size 512M;
+ # '';
+ # locations."/".proxyPass = "${localhost}:3000";
+ # }
+ # // std;
 # "tearforge.net" = forge;
- "forge.dobutterfliescry.net" = forge;
 };
 };
}
diff --git a/overlays/default.nix b/overlays/default.nix
index 5c6507a..d18a23d 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,5 +1,5 @@
-[
- (self: super: {
+{inputs, ...}: (
+ self: super: {
 angry-oxide = import ../packages/angryoxide {
 pkgs = super;
 inherit
@@ -18,6 +18,10 @@
 pkgs = super;
 };
+ # in wake of CVE-2022-3602/CVE-2022-3786
+ nginxStable = super.nginxStable.override {openssl = super.libressl;};
+ nginx = super.nginx.override {openssl = super.libressl;};
+
 element-desktop = super.element-desktop.overrideAttrs (final: prev: {
 desktopItems = [
 ((builtins.elemAt prev.desktopItems 0).override {
@@ -25,5 +29,5 @@
 })
 ];
 });
- })
-]
+ }
+)
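Review bot: The kept context comment `# "tearforge.net" = forge;` refers to the `forge` let-binding this hunk removes, so it is now stale twice over next to the new commented-out `"tearforge.net"` block; drop it or fold it into that block. The vault vhost is inlined with `forceSSL = true;` while the default vhost keeps `addSSL`, which the new comment marks as intentional; it would help to also say there that, because of `default = true`, this server is the `default_server` on both listeners and therefore answers plain HTTP for any unmatched Host, not just for dobutterfliescry.net. The enclosing `let` of this attribute set starts before the hunk.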
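Review bot: overlays/default.nix turns from a list of overlays into a function `{inputs, ...}: (self: super: {...})` that returns a single overlay, so whichever file imports it has to stop using the result directly as `nixpkgs.overlays` and wrap the call in a list; that caller is not in this diff, so this is inferred. `inputs` is accepted in the new signature but not used anywhere in the visible hunks; if it was added so that `inputs.dobutterfliescry-net.overlays.default` can be composed here after its removal from nginx.nix, that line is missing, and a short comment stating what `inputs` is for would make the intent checkable.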
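Review bot: The new `nginx`/`nginxStable` overrides pin both packages to LibreSSL with only `# in wake of CVE-2022-3602/CVE-2022-3786` as justification; those two CVEs affected OpenSSL 3.0.0-3.0.6 and were fixed in 3.0.7, so the comment should record that and make clear the override is a deliberate ongoing choice rather than a still-open mitigation, e.g. `# Built against libressl since CVE-2022-3602/CVE-2022-3786 (OpenSSL 3.0.0-3.0.6, fixed in 3.0.7); revisit whether this is still wanted`. Building nginx against LibreSSL also presumably rules out OpenSSL-3-only features such as the `kTLS` option that the nginx.nix context still mentions, which is worth noting next to the override. Overriding the `nginx` attribute in a global overlay affects every consumer of that attribute, not only services.nginx.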