diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 6c46516..0c06e9a 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -137,7 +137,7 @@
           # Setup NAT masquerading on external interfaces
           chain postrouting {
             type nat hook postrouting priority filter; policy accept;
-            oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
+            oifname { "wan", "server", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
           }
         }
       '';
diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix
index 5f05ddf..9845276 100644
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -111,8 +111,8 @@ in
       };
     };
     bindMounts = {
-      "${security.acme.certs.${domain}.directory}" = {
-        hostPath = "/var/lib/acme/gitea/";
+      "/var/lib/acme/gitea/" = {
+        hostPath = "${security.acme.certs.${domain}.directory}";
         isReadOnly = true;
       };
     };