diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix
index 45a4fb41..8910f7cf 100644
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@@ -4,14 +4,16 @@
   ...
 }: let
   inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (lib.lists) concatMap;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
   inherit (config.services) nginx tailscale unifi;
   access = nginx.access.unifi;
 in {
   options.services.nginx.access.unifi = with lib.types; {
-    global.enable = mkEnableOption "global access" // {
-      default = access.useACMEHost != null;
+    global = {
+      enable = mkEnableOption "global access" // {
+        default = access.useACMEHost != null;
+      };
+      management = mkEnableOption "global management port access";
     };
     host = mkOption {
       type = str;
@@ -55,45 +57,39 @@ in {
           proxyPass = access.url;
         };
       };
-    streamListen = { config, ... }: {
-      listen = concatMap (addr: [
-        {
-          inherit addr;
-          port = 80;
-          ssl = false;
-        }
-        (mkIf (config.addSSL || config.forceSSL) {
-          inherit addr;
-          port = 443;
-          ssl = true;
-        })
-        (mkIf (config.addSSL || config.forceSSL) {
-          inherit addr;
-          port = access.managementPort;
-          ssl = true;
-        })
-      ]) nginx.defaultListenAddresses;
-    };
   in {
-    ${access.domain} = mkIf access.global.enable (mkMerge [ {
-      vouch.enable = true;
+    "${access.domain}@management" = mkIf access.global.management {
+      listen = map (addr: {
+        inherit addr;
+        port = access.managementPort;
+        ssl = true;
+      }) nginx.defaultListenAddresses;
+      serverName = access.domain;
+      default = mkDefault true;
       forceSSL = mkDefault true;
       kTLS = mkDefault true;
       useACMEHost = mkDefault access.useACMEHost;
       inherit locations extraConfig;
-    } streamListen ]);
-    ${access.localDomain} = mkMerge [ {
+    };
+    ${access.domain} = mkIf (access.global.enable || access.useACMEHost != null) {
+      vouch.enable = mkDefault true;
+      forceSSL = mkDefault true;
+      kTLS = mkDefault true;
+      useACMEHost = mkDefault access.useACMEHost;
+      inherit locations extraConfig;
+    };
+    ${access.localDomain} = {
       serverAliases = mkIf tailscale.enable [ access.tailDomain ];
       useACMEHost = mkDefault access.useACMEHost;
       addSSL = mkDefault (access.useACMEHost != null);
       kTLS = mkDefault true;
       local.enable = true;
       inherit locations extraConfig;
-    } streamListen ];
+    };
   };
 };
 config.networking.firewall = {
   interfaces.local.allowedTCPPorts = [ access.managementPort ];
-  allowedTCPPorts = mkIf access.global.enable [ access.managementPort ];
+  allowedTCPPorts = mkIf access.global.management [ access.managementPort ];
 };
}
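Review bot: The new `"${access.domain}@management"` vhost carries no `vouch.enable`, so with `global.management` on the same `locations` (proxying to `access.url`) are served on `access.managementPort` across every address in `nginx.defaultListenAddresses`, and the `allowedTCPPorts` rule at the bottom of the hunk opens that port to all interfaces with only TLS in front — whereas the removed `streamListen` attached the management-port listener to `${access.domain}`, whose `vouch.enable = true` gated it. If that port must stay auth-free (device inform traffic would be a plausible reason, but nothing in the hunk says so), record that next to `serverName`, e.g. `# no vouch: management port must be reachable by UniFi devices without SSO`; otherwise add `vouch.enable = mkDefault true;` there. Separately, `${access.domain}` is now enabled by `access.global.enable || access.useACMEHost != null`, and since `global.enable` already defaults to `useACMEHost != null` (first hunk), an explicit `global.enable = false` with an ACME host configured no longer removes the public vhost — if intended, the option description should say so; if not, drop the `||` clause. The `let … in` attribute set this hunk sits in begins before the hunk.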