diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix
index a6f95ad..c7bbba5 100644
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@@ -57,7 +57,21 @@
   };
   networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ];
 
-  qenya.services.actual.enable = true;
+  qenya.services.actual = {
+    enable = true;
+    domain = "actual.unspecified.systems";
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "actual.qenya.tel" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/".return = "301 https://actual.unspecified.systems$request_uri";
+      };
+    };
+  };
 
   system.stateVersion = "23.11";
 }
diff --git a/services/actual.nix b/services/actual.nix
index d5a1599..b46540e 100644
--- a/services/actual.nix
+++ b/services/actual.nix
@@ -1,20 +1,22 @@
 { config, lib, pkgs, ... }:
 
-with lib;
 let
+  inherit (lib) mkIf mkOption mkEnableOption types;
   cfg = config.qenya.services.actual;
-  domain = "actual.qenya.tel";
 in
 {
   options.qenya.services.actual = {
     enable = mkEnableOption "Actual Budget";
+    domain = mkOption {
+      type = types.str;
+    };
   };
 
   config = mkIf cfg.enable {
     services.nginx = {
       enable = true;
       virtualHosts = {
-        ${domain} = {
+        ${cfg.domain} = {
           forceSSL = true;
           enableACME = true;
           locations."/".proxyPass = "http://127.0.0.1:5006/";