diff --git a/base/services/nginx.nix b/base/services/nginx.nix
index f97e3ff..9053c09 100644
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -67,10 +67,10 @@
 };
 ${config.networking.fqdn} = {
- sslCertificate = "/etc/certs/nginx.crt";
- sslCertificateKey = "/etc/certs/nginx.key";
- addSSL = true;
- extraConfig = "return 444;";
+ sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+ sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+ addSSL = lib.mkDefault true;
+ extraConfig = lib.mkDefault "return 444;";
 };
 };
 }
diff --git a/modules/grzegorz.nix b/modules/grzegorz.nix
index 9a4ddcc..fb0eee9 100644
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -37,9 +37,13 @@ in {
 services.nginx.enable = true;
 services.nginx.virtualHosts = {
 ${config.networking.fqdn} = {
+ # NOTE: this overrides the default config in base/services/nginx.nix
+ addSSL = false;
 forceSSL = true;
 enableACME = true;
+ kTLS = true;
+ serverAliases = [ "${machine}.pvv.org" ];
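Review bot: In the base/services/nginx.nix hunk, `extraConfig = lib.mkDefault "return 444;";` leaves the fail-closed catch-all dependent on option priority, and nothing next to the defaults says so. A host module that defines `extraConfig` at normal priority on this vhost discards the `return 444;` entirely. One that overrides only the TLS attributes keeps a server-level `return 444;`, which nginx applies before any `location` is matched; whether modules/grzegorz.nix sets `extraConfig` is not visible in its hunk. I would document the contract beside the defaults, for example `# Defaults only: a module that takes over this vhost must define extraConfig itself, otherwise every request is still closed with 444.` The enclosing `virtualHosts` set begins above the hunk.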