diff --git a/configuration.nix b/configuration.nix
index 2f9b384..ee7de8e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -341,6 +341,8 @@
 enableSTS = ''
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 '';
+ listenTLS = [ { addr = "localhost"; port = 443; ssl = true; } ];
+ listenPlain = [ { addr = "[::]"; port = 80; } { addr = "0.0.0.0"; port = 80; } ];
 in rec {
 enable = true;
@@ -356,10 +358,10 @@
 # Maxwell
 virtualHosts."${hostname}" = {
- enableACME = true;
- forceSSL = true;
- default = true;
-
+ enableACME = true;
+ forceSSL = true;
+ default = true;
+ listen = listenTLS ++ listenPlain;
 extraConfig = disableLog + enableSTS;
 # Returns IP address
@@ -402,6 +404,7 @@
 # Breve URL shortner
 virtualHosts."brve.bit" = with config.secrets; {
 forceSSL = true;
+ listen = listenTLS ++ listenPlain;
 sslCertificate = certs.breve.crt;
 sslCertificateKey = certs.breve.key;
@@ -415,6 +418,7 @@
 # The Cactalogue
 virtualHosts."cacta.bit" = {
 root = "/run/nginx/static/cactalogue";
+ listen = listenPlain;
 extraConfig = disableLog;
 };
 virtualHosts."cacta.eurofusion.eu" = virtualHosts."cacta.bit";
diff --git a/email.nix b/email.nix
index 13337da..d55f0e8 100644
--- a/email.nix
+++ b/email.nix
@@ -58,6 +58,13 @@
 # Keep the key stable across renewals (for DANE)
 security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];
+ # Listen on localhost:443 for sslh
+ services.nginx.virtualHosts.${config.mailserver.fqdn}.listen =
+ [ { addr = "localhost"; port = 443; ssl = true; }
+ { addr = "[::]"; port = 80; }
+ { addr = "0.0.0.0"; port = 80; }
+ ];
+
 # Utilities
 environment.systemPackages = [
 # computes the DANE records
diff --git a/matrix.nix b/matrix.nix
index 6184b4a..ff8df99 100644
--- a/matrix.nix
+++ b/matrix.nix
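Review bot: The new `listenTLS`/`listenPlain` bindings say nothing about why the TLS bind is pinned to localhost while the plain bind is public; the matching hunk in email.nix at least says "Listen on localhost:443 for sslh", but a reader of configuration.nix has to find that elsewhere. A short comment above `listenTLS` would do, e.g. `# sslh owns the public :443 and hands TLS to nginx on localhost; :80 stays public so the forceSSL redirect (and ACME, if http-01 is used) keep working`. It is also worth recording in that comment that, unless sslh runs in transparent mode, nginx sees 127.0.0.1 as the peer on these TLS connections, so anything keyed on `$remote_addr` (logs, allow/deny, rate limits) will not see the real client — the sslh configuration is not part of this diff, so I cannot confirm which mode is in use. Finally, the same three-entry list is spelled out again inline in email.nix and matrix.nix, and the block removed from nameserver.nix was the one place that enumerated every vhost sitting behind sslh; consider exposing these two lists from a shared module (alongside `config.var.hostname`) so a change to the sslh bind is made once.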
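Review bot: The `enableACME`, `forceSSL` and `default` lines in the `virtualHosts."${hostname}"` hunk are removed and re-added with text that, in this rendering, looks identical apart from whitespace, which buries the one functional change (`listen = listenTLS ++ listenPlain;`) under indentation churn. If this is an indentation fix it reads better as its own commit; if the lines really changed, the diff as shown does not reveal how. The `virtualHosts."${hostname}"` block continues past the end of the hunk.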
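Review bot: `listen = listenPlain;` makes `cacta.bit` (and its alias `cacta.eurofusion.eu` on the line below) the only vhost touched here that is served on port 80 alone, with no TLS entry and no `forceSSL`, and nothing says whether that is deliberate. A one-line comment such as `# plain HTTP only: no TLS listener, so this vhost is not reachable through sslh on :443` would make the intent explicit. Note also that the `${hostname}` vhost sends HSTS with `includeSubDomains` (`enableSTS`, first hunk), so if either cacta name is a subdomain of `${hostname}` a browser that has already seen that header will refuse the plain-HTTP vhost; I cannot tell from the diff what `hostname` resolves to.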
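Review bot: The new `listen` list in email.nix gives the mail vhost two public port-80 entries, but that vhost's `forceSSL`/`enableACME` settings are not in the hunk, so it is not visible whether plain-HTTP requests are redirected or served as-is. If the mailserver module does not already set them for `${config.mailserver.fqdn}`, they belong next to this `listen` so the port-80 entries only ever serve the redirect (and any ACME challenge); a comment stating which module is relied on for that would save the next reader the same check.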
@@ -58,7 +58,11 @@ in
 services.nginx.virtualHosts."riot.${config.var.hostname}" = {
 enableACME = true;
 forceSSL = true;
-
+ listen =
+ [ { addr = "localhost"; port = 443; ssl = true; }
+ { addr = "[::]"; port = 80; }
+ { addr = "0.0.0.0"; port = 80; }
+ ];
 locations."/" = {
 index = "index.html";
 alias = (pkgs.element-web.override { inherit conf; }) + "/";
diff --git a/nameserver.nix b/nameserver.nix
index af022d2..234be58 100644
--- a/nameserver.nix
+++ b/nameserver.nix
@@ -46,14 +46,6 @@
 ];
 };
- # Prevent collision between sslh and nginx
- services.nginx.virtualHosts = with config.var;
- { "brve.bit" .listenAddresses = [ "localhost" ];
- "mail.eurofusion.eu".listenAddresses = [ "localhost" ];
- ${hostname} .listenAddresses = [ "localhost" ];
- "riot.${hostname}" .listenAddresses = [ "localhost" ];
- };
-
 # This is needed for the rotation of DNSCrypt keys
 security.polkit.enable = true;