diff --git a/nix/home/programs/jellyfin/default.nix b/nix/home/programs/jellyfin/default.nix
index 06dda85..433680d 100644
--- a/nix/home/programs/jellyfin/default.nix
+++ b/nix/home/programs/jellyfin/default.nix
@@ -1,3 +1,5 @@
+{ lib, ... }:
+
 {
   networking.firewall = {
     allowedTCPPorts = [
@@ -17,6 +19,8 @@
 
   services.jellyfin.enable = true;
 
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
   services.nginx = {
     enable = true;
     recommendedGzipSettings = true;
@@ -24,7 +28,9 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
-    virtualHosts."mediaserver" = {
+    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = {
+      forceSSL = true;
+      enableACME = true;
       # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
       http2 = true;
 
diff --git a/secrets b/secrets
index 70b9503..b914c37 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 70b9503c98eb2f690a6c7461549ca59be3089db2
+Subproject commit b914c37721237fc8f22edfa19b83a7bdc3d4ff83