diff --git a/nixos/access/gensokyo.nix b/nixos/access/gensokyo.nix
index 0e9b4d72..36438663 100644
--- a/nixos/access/gensokyo.nix
+++ b/nixos/access/gensokyo.nix
@@ -7,7 +7,6 @@
   inherit (lib.modules) mkDefault;
 in {
   services.nginx.virtualHosts.${config.networking.domain} = {
-    default = mkDefault true;
     locations."/" = {
       root = pkgs.gensokyoZone;
     };
diff --git a/nixos/access/plex.nix b/nixos/access/plex.nix
index 8da2effd..94dca347 100644
--- a/nixos/access/plex.nix
+++ b/nixos/access/plex.nix
@@ -4,7 +4,7 @@
   ...
 }: let
   inherit (lib.options) mkOption;
-  inherit (lib.modules) mkIf mkOptionDefault;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
   cfg = config.services.plex;
   access = config.services.nginx.access.plex;
 in {
@@ -53,11 +53,13 @@ in {
     in {
       ${access.domain} = {
         locations."/" = location;
+        kTLS = mkDefault true;
         inherit extraConfig;
       };
       ${access.localDomain} = {
         local.enable = true;
         locations."/" = location;
+        kTLS = mkDefault true;
         inherit extraConfig;
       };
     };
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index 11bbacc7..e0a53128 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@@ -24,6 +24,10 @@ in {
       type = str;
       default = "z2m.local.${config.networking.domain}";
     };
+    tailDomain = mkOption {
+      type = str;
+      default = "z2m.tail.${config.networking.domain}";
+    };
     port = mkOption {
       type = port;
     };
@@ -42,10 +46,7 @@ in {
         locations."/" = location;
       };
       ${access.localDomain} = {
-        local.enable = true;
-        locations."/" = location;
-      };
-      "z2m.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+        serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ];
         local.enable = true;
         locations."/" = location;
       };
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index 4bf39856..b2fae928 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@@ -29,5 +29,12 @@ with lib; {
       #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
     clientMaxBodySize = "512m";
+    virtualHosts.fallback = {
+      serverName = null;
+      default = mkDefault true;
+      locations."/".extraConfig = mkDefault ''
+        return 404;
+      '';
+    };
   };
 }
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 2a6db2a5..44a25a86 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -41,6 +41,7 @@ in {
       credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
       ingress = {
         "prox.${config.networking.domain}".service = "http://localhost";
+        ${config.networking.domain}.service = "http://localhost";
       };
     };
   };
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
index 11d4b104..9600ca8a 100644
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@@ -10,6 +10,7 @@ module "hakurei" {
   account_id = var.cloudflare_account_id
   zone_id    = cloudflare_zone.gensokyo-zone_zone.id
   subdomains = [
+    "@",
     "prox",
   ]
 }