diff --git a/auth-notes.org b/auth-notes.org index 9266631..570d6a8 100644 --- a/auth-notes.org +++ b/auth-notes.org @@ -184,6 +184,13 @@ now works because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection *** adding a custom flag: https://github.com/pocketbase/pocketbase/discussions/1900 +** TODO change some additional config to option : + ${optionalString config.proxyWebsockets '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''} +( also in planning poker repo ) diff --git a/flake.nix b/flake.nix index 879e94a..4433f5d 100644 --- a/flake.nix +++ b/flake.nix @@ -70,6 +70,12 @@ description = "Whether pocketbase should serve on https and issue own certs. Main case for true - when not under nginx"; }; + useHostTls = lib.mkOption { + type = lib.types.bool; + default = false; + description = + "Whether virtual host should enable NixOS ACME certs"; + }; }; config = let username = "${shortName}-user"; @@ -106,6 +112,8 @@ proxyPass = "http://127.0.0.1:${toString cfg.port}"; # taken from https://pocketbase.io/docs/going-to-production/ + forceSSL = cfg.useHostTls; + enableACME = cfg.useHostTls; extraConfig = '' # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive proxy_set_header Connection ''';
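Review bot: The `useHostTls` description in flake.nix names only ACME, but the later hunk also wires the flag to `forceSSL`, so enabling it redirects plain-HTTP traffic as well as requesting a certificate. I would word it as `description = "Whether the nginx virtual host should force HTTPS and obtain its certificate through NixOS ACME";` and mention that `security.acme.acceptTerms` and `security.acme.defaults.email` must be set on the host. With `default = false` the proxy listens on plain HTTP, so unless TLS is terminated elsewhere, PocketBase credentials and auth tokens reach nginx unencrypted; the description should say so. The option just above it (its name is outside the hunk) lets PocketBase serve HTTPS itself and presumably should not be combined with this one, because `proxyPass` targets `http://127.0.0.1`. An assertion or a sentence in the description would make that explicit.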
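Review bot: `forceSSL` and `enableACME` are added next to `proxyPass`, which in the NixOS nginx module is a per-location option, whereas both new options are defined on the virtual host. The enclosing attribute set opens outside the hunk, so this is inferred, but if it is a `locations."/"` block, evaluation would fail with an undefined-option error and TLS would never be enabled. Move the two lines up to the virtual-host level, beside `locations`: `forceSSL = cfg.useHostTls;` and `enableACME = cfg.useHostTls;`. The insertion also separates the `# taken from https://pocketbase.io/docs/going-to-production/` comment from the `extraConfig` it refers to.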