diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 7549326..6b6ba7a 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running â€˜nixos-helpâ€™).
 
 { config, pkgs, ... }:
-let extIface = "ens3";
+let
+  extIface = "ens3";
+  ledgerVHost = "ledger.failco.de";
 in {
   imports = [ # Include the results of the hardware scan.
     ./hardware-configuration.nix
@@ -244,12 +246,14 @@ in {
     };
 
     # hledger
-    "ledger.failco.de" = {
+    "${ledgerVHost}" = {
       forceSSL = true;
       enableACME = true;
       basicAuthFile = config.age.secrets.hledger-web.path;
       locations."/" = {
-        proxyPass = "http://127.0.0.1:3003/";
+        proxyPass = "http://${config.services.hledger-web.host}:${
+            toString config.services.hledger-web.port
+          }/";
         proxyWebsockets = true;
       };
     };
@@ -291,6 +295,19 @@ in {
     };
   };
 
+  services.hledger-web = {
+    enable = true;
+    baseUrl = "https://${ledgerVHost}";
+    port = 3003;
+    capabilities = {
+      view = true;
+      add = true;
+      manage = true;
+    };
+    journalFiles = [ "current.journal" ];
+    extraOptions = [ "-B" "--value=then" ];
+  };
+
   services.fail2ban = {
     enable = true;
     maxretry = 5;
diff --git a/secrets/hledger-web.htaccess.age b/secrets/hledger-web.htaccess.age
index 13337dc..c22f639 100644
--- a/secrets/hledger-web.htaccess.age
+++ b/secrets/hledger-web.htaccess.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> X25519 ntNFHjGdIlYJTbloT8Ujpn8Yh+oAaX/m0DHrq9ukLHQ
-CTj9AefZLuZ0sBuFatp8/lEL8bUf2IXOHW00XJEdSVY
--> ssh-ed25519 NCz+gA kj420yScWjDD95LtvEb/62uXVzJU/v0ZSuJ+15MRdS8
-vFZNC94TxoXh1vVjHFPwPIV+nta5rWgdYWTokbBitxE
--> 9-grease %8XR5/t }
-22U6Glc0+L2vlRnrx1Sd1g9b4sfpt/1d0ihfEk5ZQOgEcy45+eNmbHTLQHYzpkFo
-PmIBJrRj07B93Pp1MR4sHmOMtK358D9l1LSURdWQtmtcocOoKdQWmPq+IQ
---- 1F50mU6ZhA2vbJq1Nkae6KWzxGY1DGdPNhlA6S3r2GM
-—F£œMÑ®æL~š†:5vÖ3ßd?	õ¬l~½Š:_€Õ„ZùDøÔJÝR„Õ+"
\ No newline at end of file
+-> X25519 FrE3cLVPZshP6+VgS5aRSggS/3XEjLZW2/yCcxQT6z0
+xlPC1bF0NqiDVEk/xU+7GPGpwbTPZk+iSZ4QvvJzCcU
+-> ssh-ed25519 NCz+gA Ag6jD9h0FTR+jVR2K3wpQgGqyLJzQZyNvU2+AJPz+Xc
+3QJhYsIl23/ve++5r9X/a2YUPSUgIBHJ8srPmeSnpKw
+-> BaPA]-grease A\OcT5|
+L4Nk5eiaKq72ELBFQemUGlXJXpmUt5aN++g9ljz+DBG8XL3bQ9RbPMhbEy/gzKf6
+8WbY
+--- hVjNjD1o1TI5B+CZqTdcoHjx3rRJCgrd4f13Vbhazmw
+Ø¾t,AýÄ¬[w3¬LØ’œbÎ`´4Þ?¬”6 üÐ¬œ‚Þ®Õªº„1qŸÍ?.'K¤jú€èe¦idÅUëÿ÷¤ád¬ˆ“Òf÷éeJJ=·«ÃpÅ—‰?oá ú
\ No newline at end of file