diff --git a/modules/nixos/barcodebuddy.nix b/modules/nixos/barcodebuddy.nix
index e9ed8319..3e4cee0d 100644
--- a/modules/nixos/barcodebuddy.nix
+++ b/modules/nixos/barcodebuddy.nix
@@ -42,6 +42,13 @@ in {
 default = [ "127.0.0.1" "::1" ];
 };
 };
+ screen = {
+ enable = mkEnableOption "websocket server";
+ websocketPort = mkOption {
+ type = port;
+ default = 47631;
+ };
+ };
 redis = {
 enable = mkEnableOption "redis cache";
 server = mkOption {
@@ -77,7 +84,7 @@ in {
 bbuddyConfig.services.barcodebuddy = {
 settings = let
 defaults = mapOptionDefaults {
- PORT_WEBSOCKET_SERVER = 47631;
+ ${if cfg.screen.enable then "PORT_WEBSOCKET_SERVER" else null} = cfg.screen.websocketPort;
 SEARCH_ENGINE = "https://google.com/search?q=";
 ${if cfg.reverseProxy.enable then "TRUSTED_PROXIES" else null} = cfg.reverseProxy.trustedAddresses;
 DISABLE_AUTHENTICATION = false;
@@ -133,7 +140,9 @@ in {
 all.pdo_sqlite
 all.sockets
 all.gettext
- ] ++ optional cfg.redis.enable all.redis);
+ all.session
+ all.redis
+ ]);
 settings = mapOptionDefaults {
 "pm.max_children" = 10;
@@ -157,6 +166,9 @@ in {
 virtualHosts."${cfg.hostName}" = {
 root = "${cfg.package}";
 locations = {
+ "/api/".extraConfig = ''
+ try_files $uri /api/index.php$is_args$query_string;
+ '';
 "~ \\.php$".extraConfig = cfg.nginxPhpConfig;
 };
 extraConfig = ''
@@ -164,5 +176,18 @@ in {
 '';
 };
 };
+ conf.systemd.services.bbuddy-websocket = mkIf cfg.screen.enable {
+ wantedBy = [ "multi-user.target" ];
+ environment = mapAttrs' toEnvPair cfg.settings;
+ unitConfig = {
+ Description = "Run websocket server for barcodebuddy screen feature";
+ };
+ serviceConfig = {
+ ExecStart = "${config.services.phpfpm.pools.barcodebuddy.phpPackage}/bin/php ${cfg.package}/wsserver.php";
+ Restart = "on-failure";
+ StandardOutput = "null";
+ User = "barcodebuddy";
+ };
+ };
 in mkMerge [ bbuddyConfig (mkIf cfg.enable conf) ];
 }
diff --git a/nixos/barcodebuddy.nix b/nixos/barcodebuddy.nix
index 393377c8..8d7e0585 100644
--- a/nixos/barcodebuddy.nix
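Review bot: `screen.websocketPort` in the `@@ -42,6 +42,13 @@` hunk has no `description`, and the enable text "websocket server" does not say what the server is for or who is expected to reach it. I would add `description = "TCP port the barcodebuddy websocket server for the screen feature listens on.";` and change the enable line to `mkEnableOption "websocket server for the screen feature"`. Nothing in this diff shows which interface the server binds to or whether the port is opened in the firewall, so the description is also the place to state whether it is meant to be reachable only locally.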
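Review bot: The new `bbuddy-websocket` unit in the `@@ -164,5 +176,18 @@` hunk runs a network-facing PHP process with no systemd sandboxing and with `StandardOutput = "null"`, so a fault in wsserver.php is contained only by the `barcodebuddy` user's permissions and the server's output never reaches the journal for later investigation. I would add hardening directives to `serviceConfig` and send stdout to the journal, as in the excerpt below; the exact set needs checking against the paths wsserver.php writes to, which this hunk does not show. Separately, `environment = mapAttrs' toEnvPair cfg.settings` copies every setting into the generated unit file, which is world-readable in the Nix store, so any setting that carries a credential (none is visible here) should be supplied through an `EnvironmentFile` outside the store instead.

```nix
# … unchanged: wantedBy, environment, unitConfig …
serviceConfig = {
  # … unchanged: ExecStart, Restart, User …
  StandardOutput = "journal";
  NoNewPrivileges = true;
  PrivateTmp = true;
  PrivateDevices = true;
  ProtectHome = true;
  ProtectSystem = "full";
  RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
};
```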
+++ b/nixos/barcodebuddy.nix
@@ -1,5 +1,5 @@
 {config, lib, ...}: let
- inherit (lib.modules) mkDefault;
+ inherit (lib.modules) mkIf mkMerge mkAfter mkDefault;
 inherit (config.services) nginx;
 cfg = config.services.barcodebuddy;
 in {
@@ -11,11 +11,23 @@ in {
 EXTERNAL_GROCY_URL = "https://grocy.${config.networking.domain}";
 DISABLE_AUTHENTICATION = true;
 };
- nginxPhpConfig = ''
- include ${config.sops.secrets.barcodebuddy-fastcgi-params.path};
- '';
+ nginxPhpConfig = mkMerge [
+ ''
+ include ${config.sops.secrets.barcodebuddy-fastcgi-params.path};
+ ''
+ (mkIf nginx.virtualHosts.barcodebuddy.proxied.enabled (mkAfter ''
+ set $bbuddy_https "";
+ if ($x_scheme = https) {
+ set $bbuddy_https 1;
+ }
+ fastcgi_param HTTPS $bbuddy_https if_not_empty;
+ fastcgi_param REQUEST_SCHEME $x_scheme;
+ fastcgi_param HTTP_HOST $x_forwarded_host;
+ ''))
+ ];
 };
- config.services.nginx.virtualHosts.barcodebuddy = {
+ config.services.nginx.virtualHosts.barcodebuddy = mkIf cfg.enable {
+ proxied.xvars.enable = true;
 vouch = {
 enable = true;
 requireAuth = false;
@@ -31,7 +43,10 @@ in {
 };
 };
 };
- config.sops.secrets.barcodebuddy-fastcgi-params = {
+ config.users.users.barcodebuddy = mkIf cfg.enable {
+ uid = 912;
+ };
+ config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable {
 sopsFile = mkDefault ./secrets/barcodebuddy.yaml;
 owner = mkDefault nginx.user;
 };
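Review bot: `fastcgi_param HTTP_HOST $x_forwarded_host;` in the `@@ -11,11 +11,23 @@` hunk hands PHP a host, and via `$x_scheme` a scheme, taken from forwarding variables, and nothing visible here ties those variables to a trusted upstream. How `proxied.xvars` fills `$x_forwarded_host` is outside this diff; if it can fall back to a client-supplied forwarding header, the host that barcodebuddy uses for absolute URLs and redirects would be client-controlled. That matters more because the context lines show `DISABLE_AUTHENTICATION = true` and `requireAuth = false`. I would put a comment above the `mkAfter` block recording the assumption, e.g. `# $x_scheme / $x_forwarded_host are only populated from trusted proxies (see proxied.xvars)`, and confirm it in that module.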