diff --git a/flake.nix b/flake.nix
index a0999ac..d051b03 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 42 current  2025-10-06 15:02:37  25.05.20251001.5b5be50  6.12.49                          *
+# generation: 45 current  2025-10-06 15:34:13  25.05.20251001.5b5be50  6.12.49                          *
 {
   description = "blakes nix config";
   inputs = {
diff --git a/modules/homelab/services/jellyfin/default.nix b/modules/homelab/services/jellyfin/default.nix
index 5f64734..c61f589 100644
--- a/modules/homelab/services/jellyfin/default.nix
+++ b/modules/homelab/services/jellyfin/default.nix
@@ -48,8 +48,10 @@ in
 
     # reverse proxy entryo
     services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
       forceSSL = true;
-      enableACME = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
       locations."/" = {
         proxyPass = "http://127.0.0.1:8096";
       };
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 3000894..f374f89 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -35,7 +35,15 @@ in
           group = "root";
           neededForUsers = true;
         };
-        
+         "ssl_blakedheld_crt" = lib.mkIf config.users.blake.enable { 
+          owner = "root";
+          group = "root";
+        };
+          "ssl_blakedheld_key" = lib.mkIf config.users.blake.enable { 
+          owner = "root";
+          group = "root";
+        };
+       
       };
     };
   };