diff --git a/flake.nix b/flake.nix
index 678b81c..2a04a9f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 48 current  2025-10-07 20:39:26  25.05.20251001.5b5be50  6.12.49                          *
+# generation: 49 current  2025-10-07 20:40:25  25.05.20251001.5b5be50  6.12.49                          *
 {
   description = "blakes nix config";
   inputs = {
diff --git a/modules/homelab/services/arr/sonarr/default.nix b/modules/homelab/services/arr/sonarr/default.nix
index da7768f..8add4db 100644
--- a/modules/homelab/services/arr/sonarr/default.nix
+++ b/modules/homelab/services/arr/sonarr/default.nix
@@ -60,7 +60,7 @@ in
     # reverse proxy entryo
     services.nginx.virtualHosts."sonarr.snowbelle.lan" = {
       enableACME = false;
-      forceSSL = true;
+      forceSSL = false;
       sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
       sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
       locations."/" = {
diff --git a/modules/homelab/services/jellyfin/default.nix b/modules/homelab/services/jellyfin/default.nix
index 90fa0cc..25f658f 100644
--- a/modules/homelab/services/jellyfin/default.nix
+++ b/modules/homelab/services/jellyfin/default.nix
@@ -54,7 +54,18 @@ in
     # open firewall
 #    networking.firewall.allowedTCPPorts = [ cfg.port ];
 
-    # reverse proxy entryo
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."jellyfin.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = false;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    # external reverse proxy entry
     services.nginx.virtualHosts."media.blakedheld.xyz" = {
       enableACME = false;
       forceSSL = true;