diff --git a/systems/LoutreOS/web.nix b/systems/LoutreOS/web.nix
index 0992c90..ce4c50a 100644
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@@ -41,32 +41,6 @@ let
         return 302 https://login.nyanlout.re/login?go=$scheme://$http_host$request_uri;
     }
   '';
-
-  nginxSimpleReverse = rport: {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString(rport)}/";
-    };
-  };
-
-  nginxAuthReverse = rport: {
-    enableACME = true;
-    forceSSL = true;
-
-    extraConfig = ''
-      include ${nginxSsoAuth};
-    '';
-
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString(rport)}/";
-      extraConfig = ''
-        auth_request_set $cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $cookie;
-      '';
-    };
-  };
 in
 {
   security.acme = {
@@ -134,7 +108,31 @@ in
           };
         };
       };
-      virtualHosts = {
+      virtualHosts = let
+        base = locations: {
+          inherit locations;
+          forceSSL = true;
+          enableACME = true;
+        };
+        simpleReverse = rport: base {
+          "/" = {
+            proxyPass = "http://127.0.0.1:${toString(rport)}/";
+          };
+        };
+        authReverse = rport: base {
+          "/" = {
+            proxyPass = "http://127.0.0.1:${toString(rport)}/";
+            extraConfig = ''
+              auth_request_set $cookie $upstream_http_set_cookie;
+              add_header Set-Cookie $cookie;
+            '';
+          };
+        } // {
+          extraConfig = ''
+            include ${nginxSsoAuth};
+          '';
+        };
+      in {
         "nyanlout.re" = {
           default = true;
           enableACME = true;
@@ -239,18 +237,18 @@ in
             proxyPass = "http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/";
           };
         };
-        "grafana.nyanlout.re" = nginxAuthReverse config.services.grafana.port;
-        "transmission.nyanlout.re" = nginxAuthReverse config.services.transmission.port;
-        "radarr.nyanlout.re" = nginxAuthReverse 7878;
-        "sonarr.nyanlout.re" = nginxAuthReverse 8989;
-        "syncthing.nyanlout.re" = nginxAuthReverse 8384;
-        "jackett.nyanlout.re" = nginxAuthReverse 9117;
-        "pgmanage.nyanlout.re" = nginxAuthReverse config.services.pgmanage.port;
-        "matrix.nyanlout.re" = nginxSimpleReverse 8008;
-        "airsonic.nyanlout.re" = nginxSimpleReverse 4040;
-        "emby.nyanlout.re" = nginxSimpleReverse 8096;
-        "ci.nyanlout.re" = nginxSimpleReverse 52350;
-        "gitea.nyanlout.re" = nginxSimpleReverse config.services.gitea.httpPort;
+        "grafana.nyanlout.re" = authReverse config.services.grafana.port;
+        "transmission.nyanlout.re" = authReverse config.services.transmission.port;
+        "radarr.nyanlout.re" = authReverse 7878;
+        "sonarr.nyanlout.re" = authReverse 8989;
+        "syncthing.nyanlout.re" = authReverse 8384;
+        "jackett.nyanlout.re" = authReverse 9117;
+        "pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port;
+        "matrix.nyanlout.re" = simpleReverse 8008;
+        "airsonic.nyanlout.re" = simpleReverse 4040;
+        "emby.nyanlout.re" = simpleReverse 8096;
+        "ci.nyanlout.re" = simpleReverse 52350;
+        "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
       };
       appendConfig = ''
         rtmp {