diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index 71769a1..c216554 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -38,6 +38,7 @@
 "kosmos_gitea::nginx",
 "kosmos_website",
 "kosmos_website::default",
+ "kosmos-akkounts::nginx",
 "kosmos-akkounts::nginx_api",
 "kosmos-bitcoin::nginx_lndhub",
 "kosmos-ejabberd::nginx",
diff --git a/roles/akkounts.rb b/roles/akkounts.rb
index ba50d23..48cd5ac 100644
--- a/roles/akkounts.rb
+++ b/roles/akkounts.rb
@@ -3,7 +3,6 @@ name "akkounts"
 default_run_list = %w(
 role[postgresql_client]
 kosmos-akkounts::default
- kosmos-akkounts::nginx
 )
 
 env_run_lists(
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 9aa9cc9..2444bd9 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -23,6 +23,7 @@ default_run_list = %w(
 kosmos_garage::nginx_web
 kosmos_gitea::nginx
 kosmos_website::default
+ kosmos-akkounts::nginx
 kosmos-akkounts::nginx_api
 kosmos-bitcoin::nginx_lndhub
 kosmos-ejabberd::nginx
diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb
index 212d9d0..4585e4c 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@@ -217,10 +217,7 @@ application deploy_path do
 end
 end
 
-# TODO move to nginx proxy
-include_recipe 'kosmos-akkounts::nginx'
-
-firewall_rule "Akkounts private access" do
+firewall_rule "akkounts_zerotier" do
 command :allow
 port node["akkounts"]["port"]
 protocol :tcp
diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
index 025cd9b..6ae1bfc 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
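Review bot: The renamed `firewall_rule "akkounts_zerotier"` still allows TCP on `node["akkounts"]["port"]` with no `interface` or `source` restriction visible in the hunk, and since the nginx recipe is removed from this node the port is now reached from another host over plain HTTP, so an unscoped rule exposes the app port on every interface. The resource block continues past the hunk, so the scoping may already be there; if it is not, set the firewall cookbook's `interface` property to the ZeroTier interface (or `source` to the ZeroTier subnet) so the rule does what its new name promises. For remote proxying the app presumably also has to bind to the ZeroTier address rather than 127.0.0.1 — not visible here, worth confirming.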
@@ -9,12 +9,20 @@ domain = node[app_name]["domain"]
 
 nginx_certbot_site domain
 
+upstream_hosts = []
+search(:node, "role:akkounts").each do |node|
+ upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
 template "#{node['nginx']['dir']}/sites-available/#{domain}" do
 source "nginx_conf_#{app_name}.erb"
 owner 'www-data'
 mode 0640
 variables port: node[app_name]['port'],
 domain: domain,
+ upstream_port: node["akkounts"]["port"],
+ upstream_hosts: upstream_hosts,
 root_dir: "/opt/#{app_name}/public",
 ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
 ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
index b02518d..f120afd 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
@@ -12,6 +12,7 @@ upstream_hosts = []
 search(:node, "role:akkounts").each do |node|
 upstream_hosts << node["knife_zero"]["host"]
 end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
 
 template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
 source "nginx_conf_akkounts_api.erb"
diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
index d3f9c96..f8e44b6 100644
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
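Review bot: The new search loop pushes `node["knife_zero"]["host"]` without checking the attribute exists, so one akkounts node without it renders `server :<port>;` and nginx rejects the whole config on the proxy host; the `|node|` block parameter also shadows Chef's `node` for the duration of the block, which is easy to misread. Something like `upstream_hosts = search(:node, "role:akkounts").map { |found| found["knife_zero"] && found["knife_zero"]["host"] }.compact` keeps the nil out and the name distinct. The `localhost` fallback turns an empty search (wrong role name, search unavailable) into a silent 502 at runtime; a `Chef::Log.warn` when falling back would make that diagnosable. Whether `knife_zero.host` is the ZeroTier address or a public management address is not visible here — since the upstream is plain `http://`, it matters which one it is.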
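Review bot: This fallback line duplicates, verbatim, the upstream discovery that `nginx.rb` now carries as well (search on `role:akkounts`, `knife_zero.host`, localhost default), so the two proxy vhosts can drift apart; a cookbook library helper such as `akkounts_upstream_hosts` called from both recipes would keep them in step. As written the fallback also hides a search that returned nothing, so consider `Chef::Log.warn("no akkounts nodes found, proxying to localhost")` before pushing the default.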
@@ -1,17 +1,23 @@
 # Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 upstream _akkounts {
- server localhost:<%= @port %>;
+<% @upstream_hosts.each do |host| %>
+ server <%= host %>:<%= @upstream_port %>;
+<% end %>
 }
 
+proxy_cache_path /var/cache/nginx/akkounts levels=1:2
+ keys_zone=akkounts_cache:10m
+ max_size=1g inactive=120m use_temp_path=off;
+
 server {
 listen 443 ssl http2;
- add_header Strict-Transport-Security "max-age=15768000";
+ listen [::]:443 ssl http2;
+ server_name <%= @domain %>;
 
- ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
 
- server_name <%= @domain %>;
+ add_header Strict-Transport-Security "max-age=15768000";
 
 access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
 error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
@@ -23,32 +29,19 @@ server {
 gzip_static on;
 expires max;
 add_header Cache-Control public;
+ proxy_cache akkounts_cache;
 }
 
- try_files $uri/index.html $uri @app;
+ try_files $uri/index.html $uri @proxy;
 
- location @app {
- # an HTTP header important enough to have its own Wikipedia entry:
- # http://en.wikipedia.org/wiki/X-Forwarded-For
+ location @proxy {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- # enable this if and only if you use HTTPS, this helps Rack
- # set the proper protocol for doing redirects:
 proxy_set_header X-Forwarded-Proto https;
-
- # pass the Host: header from the client right along so redirects
- # can be set properly within the Rack application
 proxy_set_header Host $http_host;
-
- # we don't want nginx trying to do something clever with
- # redirects, we set the Host: header above already.
 proxy_redirect off;
-
- # Increase number of buffers. Default is 8
 proxy_buffers 1024 8k;
+ proxy_http_version 1.1;
 proxy_pass http://_akkounts;
- proxy_http_version 1.1;
- }
+ }
 
 }
-<% end -%>
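Review bot: Dropping the `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>` guard means this vhost is now always rendered with the Let's Encrypt paths, so on a proxy host where `/etc/letsencrypt/live/<domain>/` does not exist yet `nginx -t` fails and the reload takes every other site on that nginx down with it. `nginx_certbot_site domain` runs before the template in the recipe, which is presumably why the guard was dropped, but if that resource can complete without producing the files (DNS not yet pointed at the proxy, issuance rate limit) the guard was what kept nginx up. The `add_header Strict-Transport-Security` line moved into the server block is not inherited by any location that sets its own `add_header` — the assets location below does, with `Cache-Control` — so those responses go out without HSTS; repeating the header inside that location closes the gap. The two templates also disagree on max-age (15768000 here, 31536000 in the API vhost); one value keeps the policy consistent.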
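Review bot: `proxy_cache akkounts_cache;` is added to a location whose visible directives (`gzip_static on; expires max;`) serve files from `root_dir`, and `proxy_cache` only applies to responses obtained through `proxy_pass`, so unless the part of this location above the hunk proxies, the line is a no-op and the 1g cache path is never used; if it does proxy, the cache key defaults to the URL, so make sure nothing cookie- or user-dependent is served under that prefix. The `@proxy` location still sets `X-Forwarded-For $proxy_add_x_forwarded_for`, which is fine on the nginx side, but with the app now on a separate host reached over plain `http://` the app has to trust only the proxy's address as a forwarding proxy, otherwise a client-supplied header is honoured; that setting lives on the app side and is not visible here. The location this hunk starts in opens outside the hunk.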
diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
index 1d237e9..7ef12ff 100644
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@@ -1,5 +1,5 @@
 # Generated by Chef
-upstream _akkounts {
+upstream _akkounts_api {
 <% @upstream_hosts.each do |host| %>
 server <%= host %>:<%= @upstream_port %>;
 <% end %>
@@ -15,6 +15,9 @@ server {
 
 add_header 'Strict-Transport-Security' 'max-age=31536000';
 
+ access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
+
 location /kredits/ {
 add_header 'Access-Control-Allow-Origin' '*' always;
 add_header 'Access-Control-Allow-Methods' 'GET' always;
@@ -28,6 +31,6 @@ server {
 proxy_buffers 1024 8k;
 proxy_http_version 1.1;
 
- proxy_pass http://_akkounts/api/kredits/;
+ proxy_pass http://_akkounts_api/api/kredits/;
 }
 }