diff --git a/flake.lock b/flake.lock
index 93f4b2b..c46145d 100755
--- a/flake.lock
+++ b/flake.lock
@@ -544,11 +544,11 @@ }, "zeroq-credentials": { "locked": { - "lastModified": 1753364427, - "narHash": "sha256-80qOUx/1DspR1RzdkUFxhaqvxfqcVDnbp3kAfq151tI=", + "lastModified": 1753387589, + "narHash": "sha256-kJypMcuUJ6PRVrBQxQa7qYhPmyEDh14aZ8EMSLALhwA=", "ref": "refs/heads/master", - "rev": "36b8715d3aafab43fbec37855f7e8793d59bef29", - "revCount": 16, + "rev": "5973e19fc796a3bb6124d6f44400da8dc8f3196b", + "revCount": 18, "type": "git", "url": "ssh://git@github.com/oqyude/zeroq-credentials.git" },
diff --git a/modules/vds/nginx.nix b/modules/vds/nginx.nix
index bb45bdb..752cbda 100755
--- a/modules/vds/nginx.nix
+++ b/modules/vds/nginx.nix
@@ -8,27 +8,53 @@
 {
 services = {
 nginx = {
- enable = false;
+ enable = true;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 virtualHosts = {
- "localhost:10000" = {
- forceSSL = false;
- enableACME = false;
+ "vless-sub" = {
+
+ serverName = "${inputs.zeroq.devices.vds.hostname}.latxa-platy.ts.net";
 listen = [
 {
- addr = "100.64.0.0";
- port = 10000;
+ addr = "${inputs.zeroq.devices.vds.hostname}.latxa-platy.ts.net"; # Tailscale IP вашего VDS
+ port = 44444;
+ ssl = false;
 }
 {
- addr = "192.168.1.20";
- port = 10000;
+ addr = "${inputs.zeroq.devices.vds.hostname}.latxa-platy.ts.net"; # Tailscale IP вашего VDS
+ port = 44443;
+ ssl = true;
 }
 ];
+ root = "${inputs.zeroq-credentials.paths.vless-subs.root}"; # "${inputs.zeroq-credentials}/services/xray/subs";
+ locations."/" = {
+ extraConfig = ''
+ if ($scheme = http) {
+ return 301 https://$host:44443$request_uri;
+ }
+ '';
+ };
+ enableACME = true;
+ forceSSL = true; # Принудительно HTTPS
+
 };
 };
 };
 };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "oqyude@gmail.com"; # Укажите ваш email
+ certs."${inputs.zeroq.devices.vds.hostname}.latxa-platy.ts.net" = {
+ dnsProvider = null; # Tailscale hostname не требует DNS-проверки, если используем HTTP-01
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [
+ 44443
+ 44444
+ 80
+ ];
 }
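Review bot: `networking.firewall.allowedTCPPorts = [ 44443 44444 80 ]` at the end of the hunk opens these ports on every interface of the VDS, although the `vless-sub` vhost listens only on the tailnet hostname and serves its `root` from the `zeroq-credentials` input with no access control visible in the hunk. Scoping the rule to the Tailscale interface would match what the vhost needs, e.g. `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 44443 44444 ];` (interface name assumed to be the Tailscale default). Port 80 has no matching `listen` entry here, and an HTTP-01 challenge for a `*.ts.net` name is presumably not reachable by the CA, so issuance via `enableACME` should be confirmed before relying on `forceSSL`. If `paths.vless-subs.root` resolves into the flake source, as the commented-out alternative suggests, the subscription files also end up in the world-readable Nix store; a comment next to `root` should say so. The module's argument header sits above the hunk, so other access restrictions may exist outside this view.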