diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 4bcd596d4..53b06a702 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -1,53 +1,38 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
 with import <stockholm/lib>;
 let
   cfg = config.krebs.retiolum-bootstrap;
-
-  out = {
-    options.krebs.retiolum-bootstrap = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
-    hostname = mkOption {
+in
+{
+  options.krebs.retiolum-bootstrap = {
+    enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}";
+    serverName = mkOption {
         type = types.str;
         description = "hostname which serves tinc boot";
         default = "tinc.krebsco.de" ;
     };
-    listen = mkOption {
-        type = with types; listOf str;
-        description = ''Addresses to listen on (nginx-syntax).
-        ssl will be configured, http will be redirected to ssl.
-        Make sure to have at least 1 ssl port configured.
-        '';
-        default = [ "80" "443 ssl" ] ;
-    };
-    ssl_certificate_key = mkOption {
-        type = types.str;
-        description = "Certificate key to use for ssl";
-        default = "${toString <secrets>}/tinc.krebsco.de.key";
-    };
-    ssl_certificate = mkOption {
+    sslCertificate = mkOption {
         type = types.str;
         description = "Certificate file to use for ssl";
         default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
     };
+    sslCertificateKey = mkOption {
+        type = types.str;
+        description = "Certificate key to use for ssl";
+        default = "${toString <secrets>}/tinc.krebsco.de.key";
+    };
     # in use:
     #  <secrets/tinc.krebsco.de.crt>
     #  <secrets/tinc.krebsco.de.key>
   };
 
-  imp = {
-    krebs.nginx.servers = assert config.krebs.nginx.enable; {
-      retiolum-boot-ssl = {
-        server-names = singleton cfg.hostname;
-        listen = cfg.listen;
-        extraConfig = ''
-          ssl_certificate ${cfg.ssl_certificate};
-          ssl_certificate_key ${cfg.ssl_certificate_key};
-
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = mkDefault true;
+      virtualHosts.retiolum-bootstrap = {
+        inherit (cfg) serverName sslCertificate sslCertificateKey;
+        enableSSL = true;
+        extraConfig =''
           if ($scheme = http){
             return 301 https://$server_name$request_uri;
           }
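Review bot: With `listen = [ "80" "443 ssl" ]` removed and only `enableSSL = true;` set on the virtual host, the `if ($scheme = http)` redirect kept in `extraConfig` probably never runs, because the vhost is presumably no longer bound to port 80. Plain-HTTP requests for the bootstrap script would then be answered by whatever default server exists (or not at all) instead of being redirected to TLS. If the nginx module in use provides it, `forceSSL = true;` states the intent directly and makes the hand-written `if` block unnecessary; otherwise the port-80 listener should be restored. Separately, `mkEnableOption "retiolum boot strap for ${cfg.serverName}"` makes an option description depend on evaluated config, which can break option-documentation builds, so a static string is safer there. The `extraConfig` string continues into the next hunk.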
@@ -55,10 +40,7 @@ let
           root ${pkgs.retiolum-bootstrap};
           try_files $uri $uri/retiolum.sh;
         '';
-        locations = [];
       };
     };
   };
-
-in
-out
+}