diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix
index 77b24e4b..42982f01 100644
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@@ -41,26 +41,29 @@ in {
       name.shortServer = mkDefault "login";
     in {
       vouch = {xvars, ...}: {
+        enable = mkDefault false;
         inherit name locations;
-        serverAliases = [nginx.vouch.doubleProxy.serverName];
-        proxied.enable = true;
         proxy = {
           upstream = mkDefault "vouch'access";
+        };
+      };
+      vouch'access = {xvars, ...}: {
+        enable = mkDefault nginx.vouch.doubleProxy.enable;
+        serverName = nginx.vouch.doubleProxy.serverName;
+        proxied.enable = true;
+        #listen'.proxied.ssl = true;
+        proxy = {
+          copyFromVhost = "vouch";
           host = mkDefault xvars.get.host;
         };
-        local.denyGlobal = true;
+        ssl.cert.copyFromVhost = "vouch";
       };
       vouch'local = {xvars, ...}: {
         name = {
           inherit (name) shortServer;
           includeTailscale = mkDefault false;
         };
-        serverAliases = mkIf cfg.enable [nginx.vouch.doubleProxy.localServerName];
-        proxied.enable = true;
-        proxy = {
-          upstream = mkDefault "vouch'access'local";
-          host = mkDefault xvars.get.host;
-        };
+        proxy.upstream = mkDefault "vouch'access'local";
         local.enable = true;
         ssl = {
           force = true;
@@ -68,6 +71,18 @@ in {
         };
         inherit locations;
       };
+      vouch'local'access = {xvars, ...}: {
+        enable = mkDefault nginx.vouch.doubleProxy.enable;
+        serverName = nginx.vouch.doubleProxy.localServerName;
+        proxied.enable = true;
+        #listen'.proxied.ssl = true;
+        proxy = {
+          copyFromVhost = "vouch'local";
+          host = mkDefault xvars.get.host;
+        };
+        ssl.cert.copyFromVhost = "vouch'local";
+        inherit locations;
+      };
       vouch'tail = {xvars, ...}: {
         enable = mkDefault (tailscale.enable && !nginx.virtualHosts.vouch'local.name.includeTailscale);
         ssl.cert.copyFromVhost = "vouch'local";
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 34448753..c1f24c41 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
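Review bot: `local.denyGlobal = true;` is removed from the `vouch` vhost in the first hunk with nothing replacing it, so once a consumer flips the new `enable = mkDefault false;` back on, the direct (non-double-proxied) vouch vhost loses whatever non-local access restriction that option presumably imposed; if the restriction is still wanted keep `local.denyGlobal = true;` on `vouch`, and if it is intentionally gone record that in a comment next to `enable`. The commented `#listen'.proxied.ssl = true;` on both new `vouch'access` and `vouch'local'access` vhosts is left without explanation, and since `proxied.enable = true` suggests these accept the second hop of the double proxy, a plaintext listener would presumably carry the vouch auth cookie/headers between the two proxies — either enable it or add `# proxied listener is plaintext by design: the hop never leaves the host (TODO confirm)` so the trade-off is visible. `vouch'local'access` has `inherit locations;` but `vouch'access` does not; if `proxy.copyFromVhost` does not carry locations over, the two vhosts should be made consistent. The enclosing `in { ... }` attribute set starts and ends outside both hunks.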
@@ -144,14 +144,17 @@ in {
         virtualHosts.barcodebuddy'local.allServerNames
       ];
     };
-    login = {
+    login = let
+      inherit (lib.lists) head tail optional optionals;
+      domains =
+        optional virtualHosts.vouch.enable virtualHosts.vouch.serverName
+        ++ virtualHosts.vouch'local.allServerNames
+        ++ optionals virtualHosts.vouch.enable virtualHosts.vouch.otherServerNames
+        ++ optionals virtualHosts.vouch'tail.enable virtualHosts.vouch'tail.allServerNames;
+    in {
       inherit (nginx) group;
-      domain = virtualHosts.vouch.serverName;
-      extraDomainNames = mkMerge [
-        virtualHosts.vouch.otherServerNames
-        virtualHosts.vouch'local.allServerNames
-        (mkIf virtualHosts.vouch'tail.enable virtualHosts.vouch'tail.allServerNames)
-      ];
+      domain = head domains;
+      extraDomainNames = tail domains;
     };
     unifi = {
       inherit (nginx) group;
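Review bot: `domain = head domains;` fails with an unhelpful builtin list-index error if `domains` evaluates empty, which can happen when `virtualHosts.vouch` and `vouch'tail` are disabled and `virtualHosts.vouch'local.allServerNames` yields no names (the `let` checks `enable` for the other two vhosts but never for `vouch'local`); guard it with `in assert domains != []; {` so a misconfigured `login` cert is reported at evaluation time with context. Because `virtualHosts.vouch.serverName` is placed first only when `virtualHosts.vouch.enable` holds, toggling that option silently changes the certificate's primary name and forces a reissue of the `login` cert, which deserves a comment on `domains =` such as `# first entry becomes the cert's primary name: the public vouch host when enabled, otherwise the local name`. The `login` attribute is complete within the hunk, but the enclosing certs attribute set starts and ends outside it.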