Move the listener to a separate endpoint on port 80, which is only accessible from the private network. Change accounts.kosmos.org to use the new endpoint via a `.local` domain instead of faking external access.
kosmos-akkounts
Deploy akkounts-api from GitHub (https://github.com/67P/akkounts-api). It will run on port 3200. The nginx recipe sets up a reverse proxy and Let's Encrypt TLS certificate