diff --git a/flake.lock b/flake.lock
index 4229ce9..c6d1006 100644
--- a/flake.lock
+++ b/flake.lock
@@ -398,11 +398,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709309729,
-        "narHash": "sha256-W6RjXe2/LGFnNGfY9ML4YCDasmqksUWKoMRVPHkIguM=",
+        "lastModified": 1711389856,
+        "narHash": "sha256-fz75+eNnBgYnLvH1PlG6Rxr+YU7mvltyz0MyQQbG1CA=",
         "owner": "rouven0",
         "repo": "purge",
-        "rev": "0d083d35316101755d2ecb9bba32fefc42df914d",
+        "rev": "4efddb7c14ac11e20f1fa7cfc98711c47ad75bad",
         "type": "github"
       },
       "original": {
diff --git a/hosts/falkenstein/modules/nginx/default.nix b/hosts/falkenstein/modules/nginx/default.nix
index 109ff2e..6e3e13f 100644
--- a/hosts/falkenstein/modules/nginx/default.nix
+++ b/hosts/falkenstein/modules/nginx/default.nix
@@ -5,6 +5,8 @@
     services.nginx.virtualHosts = mkOption {
       type = types.attrsOf (types.submodule
         ({ name, ... }: {
+          enableACME = true;
+          forceSSL = true;
           # enable http3 for all hosts
           quic = true;
           http3 = true;
diff --git a/hosts/falkenstein/modules/purge/default.nix b/hosts/falkenstein/modules/purge/default.nix
index 5650a65..c2c264a 100644
--- a/hosts/falkenstein/modules/purge/default.nix
+++ b/hosts/falkenstein/modules/purge/default.nix
@@ -7,6 +7,7 @@ in
     file = ../../../../secrets/falkenstein/purge.age;
   };
   services.purge = {
+    inherit domain;
     enable = true;
     discord = {
       clientId = "941041925216157746";
@@ -14,11 +15,4 @@ in
       tokenFile = config.age.secrets.purge.path;
     };
   };
-  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString config.services.purge.listenPort}";
-    };
-  };
 }
diff --git a/hosts/nuc/modules/nginx/default.nix b/hosts/nuc/modules/nginx/default.nix
index 56dd53a..fda795c 100644
--- a/hosts/nuc/modules/nginx/default.nix
+++ b/hosts/nuc/modules/nginx/default.nix
@@ -6,6 +6,8 @@
       type = types.attrsOf (types.submodule
         ({ name, ... }: {
           # split up nginx access logs per vhost
+          enableACME = true;
+          forceSSL = true;
           extraConfig = ''
             access_log /var/log/nginx/${name}_access.log;
             error_log /var/log/nginx/${name}_error.log;
diff --git a/shared/activation.nix b/shared/activation.nix
index b6c6530..3971674 100644
--- a/shared/activation.nix
+++ b/shared/activation.nix
@@ -1,9 +1,16 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {
   system.activationScripts.report-nixos-changes = ''
     if [ -e /run/current-system ] && [ -e $systemConfig ]; then
       echo System package diff:
       ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
     fi
+    NO_FORMAT="\033[0m"
+    F_BOLD="\033[1m"
+    C_RED="\033[38;5;9m"
+    ${pkgs.diffutils}/bin/cmp --silent \
+      <(readlink /run/current-system/{initrd,kernel,kernel-modules}) \
+      <(readlink $systemConfig/{initrd,kernel,kernel-modules}) \
+      || echo -e "''${F_BOLD}''${C_RED}Kernel version changed, reboot is advised.''${NO_FORMAT}"
   '';
 }