diff --git a/configurations/nixos/pureintent/default.nix b/configurations/nixos/pureintent/default.nix
index e050260..aa8eca8 100644
--- a/configurations/nixos/pureintent/default.nix
+++ b/configurations/nixos/pureintent/default.nix
@@ -24,6 +24,7 @@ in
 services.tailscale.enable = true;
 networking.firewall.allowedTCPPorts = [
 80
+ 443
 ];
 programs.nix-ld.enable = true; # for vscode server
diff --git a/flake.lock b/flake.lock
index 8632767..aa21a47 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1479,11 +1479,11 @@
 "tabler-icons-hs": "tabler-icons-hs"
 },
 "locked": {
- "lastModified": 1757034328,
- "narHash": "sha256-7pnWkaUaXMRnqZh9X53yo3iIttDmVVu+kvOuFsM84zE=",
+ "lastModified": 1757036681,
+ "narHash": "sha256-Yr6x0+/s6vu+vzZPSL1Pi7kCMQQcyPkN6Mg/KCq0tkw=",
 "owner": "juspay",
 "repo": "vira",
- "rev": "fecf73e240cb9661eb4ad745fc731a957197ca6f",
+ "rev": "45c4d9e5369e4c7f18bb5a71f68dd22685452c91",
 "type": "github"
 },
 "original": {
diff --git a/modules/nixos/linux/vira.nix b/modules/nixos/linux/vira.nix
index a173565..ea7fbd0 100644
--- a/modules/nixos/linux/vira.nix
+++ b/modules/nixos/linux/vira.nix
@@ -10,12 +10,51 @@ in
 services.vira = {
 enable = true;
- hostname = "0.0.0.0";
- port = 5001;
- https = true;
 stateDir = "/var/lib/vira";
- openFirewall = true;
+ hostname = "127.0.0.1"; # Cuz, nginx reverse proxy
+ port = 5001;
+ https = false; # Cuz, nginx reverse proxy
+ basePath = "/vira/"; # Cuz, nginx reverse proxy
 package = inputs.vira.packages.${pkgs.system}.default;
 };
+ # Configure nginx reverse proxy for vira with SSL
+ services.nginx.virtualHosts."pureintent" = {
+ forceSSL = true;
+ enableACME = false;
+ sslCertificate = "/var/lib/acme/pureintent/cert.pem";
+ sslCertificateKey = "/var/lib/acme/pureintent/key.pem";
+ locations."/vira/" = {
+ proxyPass = "http://127.0.0.1:5001/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+
+ # Generate self-signed certificate for nginx
+ systemd.services.nginx-self-signed-cert = {
+ description = "Generate self-signed certificate for nginx";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "nginx.service" ];
+ script = ''
+ mkdir -p /var/lib/acme/pureintent
+ if [ ! -f /var/lib/acme/pureintent/cert.pem ] || [ ! -f /var/lib/acme/pureintent/key.pem ]; then
+ ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -keyout /var/lib/acme/pureintent/key.pem -out /var/lib/acme/pureintent/cert.pem -days 365 -nodes -subj "/C=US/ST=Local/L=Local/O=Local/CN=pureintent"
+ chmod 600 /var/lib/acme/pureintent/key.pem
+ chmod 644 /var/lib/acme/pureintent/cert.pem
+ chown -R nginx:nginx /var/lib/acme/pureintent
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+
 }
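Review bot: The certificate minted by the `nginx-self-signed-cert` script carries only a CN (`-subj ".../CN=pureintent"`) with no subjectAltName, and it is never regenerated after `-days 365` because the guard only tests that the two files exist; modern TLS clients ignore CN for name matching, so clients will reject or warn on this cert even if they trust it, and after a year nginx keeps serving an expired one. Add `-addext "subjectAltName=DNS:pureintent"` to the `openssl req` line and replace the existence test with an expiry test such as `if ! ${pkgs.openssl}/bin/openssl x509 -checkend 86400 -noout -in /var/lib/acme/pureintent/cert.pem 2>/dev/null; then`. Separately, `basePath = "/vira/"` tells vira it is served under that prefix while `proxyPass = "http://127.0.0.1:5001/"` (trailing slash) rewrites `/vira/x` to `/x` before forwarding, so one of the two looks inconsistent — confirm against how vira interprets basePath before relying on it. Writing into `/var/lib/acme/pureintent` and running `chown -R nginx:nginx` over it also overlaps the directory NixOS's `security.acme` manages, which may conflict with this unit if `enableACME` is ever switched on.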