diff --git a/flakes/common/hm_modules/de_i3/theme.nix b/flakes/common/hm_modules/de_i3/theme.nix index 0b6d7ce..7d37d67 100644 --- a/flakes/common/hm_modules/de_i3/theme.nix +++ b/flakes/common/hm_modules/de_i3/theme.nix @@ -5,8 +5,19 @@ x11.enable = true; package = pkgs.bibata-cursors; name = "Bibata-Modern-Classic"; - size = 16; + size = 14; }; + + # Ensure all X11 apps see the same cursor settings + xresources.properties = { + "Xcursor.theme" = "Bibata-Modern-Classic"; + "Xcursor.size" = 14; + }; + home.sessionVariables = { + XCURSOR_THEME = "Bibata-Modern-Classic"; + XCURSOR_SIZE = "14"; + }; + gtk = { enable = true; theme = { package = pkgs.flat-remix-gtk; name = "Flat-Remix-GTK-Grey-Darkest"; }; diff --git a/hosts/h001/mods/openbao.nix b/hosts/h001/mods/openbao.nix index 74927ab..78e3bd5 100644 --- a/hosts/h001/mods/openbao.nix +++ b/hosts/h001/mods/openbao.nix @@ -5,23 +5,38 @@ ... }: { + services.nginx = { + virtualHosts = { + "sec.joshuabell.xyz" = { + addSSL = true; + sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem"; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:8200"; + recommendedProxySettings = true; + }; + }; + }; + }; + services.openbao = { enable = true; package = pkgs.openbao; - + settings = { ui = true; - + listener.default = { type = "tcp"; address = "127.0.0.1:8200"; tls_disable = true; # nginx will handle TLS }; - + storage.file = { path = "/var/lib/openbao"; }; - + # Disable mlock requirement for development # In production, you may want to enable this disable_mlock = true; @@ -42,7 +57,7 @@ ProtectSystem = "strict"; ProtectHome = true; ReadWritePaths = [ "/var/lib/openbao" ]; - + # Resource limits LimitNOFILE = 65536; LimitNPROC = 4096; diff --git a/hosts/h001/nginx.nix b/hosts/h001/nginx.nix index a808ab2..530fe30 100644 --- a/hosts/h001/nginx.nix +++ b/hosts/h001/nginx.nix 
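Review bot: The cursor theme name and size are now spelled out three times in this hunk (the `home.pointerCursor` block, `xresources.properties`, and `home.sessionVariables`), so the next size change has to be made in three places and the `16`→`14` edit here is exactly the kind of drift that invites. Assuming `config` is among this module's arguments (the header is outside the hunk), the two new blocks can be bound to the one source of truth: `"Xcursor.size" = config.home.pointerCursor.size;` and `XCURSOR_SIZE = toString config.home.pointerCursor.size;`, and likewise `config.home.pointerCursor.name` for the theme name. Recent home-manager releases also appear to emit these Xresources entries and session variables themselves when `x11.enable = true` is set, so the new blocks may be redundant altogether — worth checking the generated `~/.Xresources` and session file before keeping them.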
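Review bot: `proxyPass = "http://localhost:8200"` in the new nginx vhost is paired with a listener bound only to `127.0.0.1:8200`; if `localhost` resolves to `::1` first on this host, nginx will get intermittent connection-refused errors, so use the literal address the listener uses (the epic document even specifies it): `proxyPass = "http://127.0.0.1:8200";`. Because every request now reaches OpenBao from 127.0.0.1, its audit log and any IP-based checks will record the proxy rather than the client; add `x_forwarded_for_authorized_addrs = [ "127.0.0.1" ];` to `listener.default` so the `X-Forwarded-For` header that `recommendedProxySettings` sets is honoured (with o001 sitting in front as a second hop, `x_forwarded_for_hop_skips` may also need setting — verify with a request from outside). `addSSL` rather than `forceSSL` keeps a plain-HTTP listener on this vhost; that is presumably deliberate since o001 forwards to `http://100.64.0.13`, but tailnet clients resolving the headscale `sec` record added in this commit will reach that plain-HTTP port directly, so hand them `https://` URLs explicitly. The unchanged `disable_mlock = true` context line still carries its "for development" caveat while the service is now being fronted by a public hostname, which is worth revisiting in the same change.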
@@ -17,6 +17,7 @@ let in { # TODO transfer these to o001 to use same certs? + # Will I ever get rate limited by lets encrypt with both doing their own? security.acme = lib.mkIf (hasSecret "linode_rw_domains") { acceptTerms = true; defaults.email = "admin@joshuabell.xyz"; diff --git a/hosts/linode/l001/headscale.nix b/hosts/linode/l001/headscale.nix index 98f93bb..0d4ac78 100644 --- a/hosts/linode/l001/headscale.nix +++ b/hosts/linode/l001/headscale.nix @@ -32,6 +32,7 @@ (h001ARecord "chat") (h001ARecord "sso-proxy") (h001ARecord "n8n") + (h001ARecord "sec") (h001ARecord "sso") (h001ARecord "gist") (h001ARecord "git") diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock index 1c62189..ce26221 100644 --- a/hosts/lio/flake.lock +++ b/hosts/lio/flake.lock @@ -1207,11 +1207,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1761621645, - "narHash": "sha256-pbwLPnz2WEAJ4K6d/iBy0u/Rko9NLaN8gn8NqsBzUNo=", + "lastModified": 1761712156, + "narHash": "sha256-4vU7FPZFXSFguQUIPrbLQOk3VSokp6RH8t7zQoqneow=", "ref": "refs/heads/master", - "rev": "26dd42aebb0b2bc218acf2e36113997133f4dbbd", - "revCount": 319, + "rev": "04f666dabbaced8d661693cfbe4eb7efa359ce7d", + "revCount": 320, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix index 69d8c92..2af9344 100644 --- a/hosts/lio/flake.nix +++ b/hosts/lio/flake.nix @@ -49,6 +49,7 @@ secrets.nixosModules.default ros_neovim.nixosModules.default + ({ ... }: { ringofstorms-nvim.includeAllRuntimeDependencies = true; }) flatpaks.nixosModules.default common.nixosModules.essentials diff --git a/hosts/oracle/o001/nginx.nix b/hosts/oracle/o001/nginx.nix index a87fa9b..20f2eb5 100644 --- a/hosts/oracle/o001/nginx.nix +++ b/hosts/oracle/o001/nginx.nix 
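Review bot: The new TODO comment leaves a question open that can be answered in the comment itself: per Let's Encrypt's published limits, the duplicate-certificate limit applies only to repeated issuance of the same exact set of names, so the single base-domain cert used here (apparently a DNS-01 wildcard, given the `linode_rw_domains` secret gate) and the per-host `enableACME` certs on o001 do not collide on it, while both do count toward the per-registered-domain weekly cap (50 at the time of writing), which a handful of renewals stays far below. Suggest replacing the question with `# Separate certs here and on o001 are fine: LE's duplicate-cert limit is per exact name set; both count toward the ~50/week per-domain cap, which our renewals never approach.` If the two hosts are ever consolidated as the TODO above proposes, the comment can go. The `let … in {` this hunk sits in begins above the hunk.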
@@ -187,6 +187,13 @@ proxyPass = "http://100.64.0.13"; }; }; + "sec.joshuabell.xyz" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://100.64.0.13"; + }; + }; "sso.joshuabell.xyz" = { enableACME = true; forceSSL = true; diff --git a/secrets_epic.md b/secrets_epic.md index beb8945..faef05d 100644 --- a/secrets_epic.md +++ b/secrets_epic.md @@ -41,14 +41,16 @@ services.openbao = { ### 1.2 Configure Nginx Reverse Proxy -**File:** `hosts/h001/nginx.nix` +**File:** Put this inside of the openbao.nix file as well above or below the existing configuration. **Tasks:** -- [ ] Add virtualHost for `vault.joshuabell.xyz` -- [ ] Configure SSL using existing ACME wildcard cert -- [ ] Set up proxy to `http://127.0.0.1:8200` -- [ ] Enable websockets for UI -- [ ] Add security headers +- [x] Add virtualHost for `sec.joshuabell.xyz` +- [x] Configure SSL using existing ACME wildcard cert +- [x] Add virtualHost for `sec.joshuabell.xyz` +- [x] Configure SSL using existing ACME wildcard cert +- [x] Set up proxy to `http://127.0.0.1:8200` +- [x] Enable websockets for UI +- [x] Add security headers **Expected config:** ```nix
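Review bot: The new `sec.joshuabell.xyz` vhost has no `proxyWebsockets = true;`, while the h001 vhost it forwards to enables it for the OpenBao UI, so any WebSocket upgrade from a browser will be dropped at this outer hop — add `proxyWebsockets = true;` inside `locations."/"` to match (the neighbouring vhosts in this file may have the same gap; their locations are not fully visible here). More importantly, this publishes a secrets manager's UI and API on the public internet with only OpenBao's own login in front of it; if the intended users are tailnet members, who already reach h001 directly through the headscale `sec` record added in this commit, consider not adding the public vhost at all, or at least gating it (a client-certificate requirement or an `allow`/`deny` list in `extraConfig`) so the unseal/login endpoints are not reachable by anyone. The enclosing `virtualHosts` attribute set starts above the hunk.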