diff --git a/machines/modules/dokuwiki-draft.nix b/machines/modules/dokuwiki-draft.nix
index 453cce4..efd6dc1 100644
--- a/machines/modules/dokuwiki-draft.nix
+++ b/machines/modules/dokuwiki-draft.nix
@@ -1,19 +1,55 @@ { config, pkgs, ... }: { - services.dokuwiki."malo" = { + services.dokuwiki."malo-wiki-name" = { enable = true; aclUse = true; - usersFile = "/var/lib/dokuwiki/malo/users.auth.php"; - nginx = { - forceSSL = true; - enableACME = true; - serverName = "wiki.malobeo.org"; - }; + acl = "* @ALL 8"; # everyone can edit using this config + # note there is a users file at + # /var/lib/dokuwiki//users.auth.php + # makes sense to edit it by hand + superUser = "@admin"; + plugins = let + plugin-todo = pkgs.stdenv.mkDerivation { + name = "todo"; + src = pkgs.fetchFromGitHub { + owner = "leibler"; + repo = "dokuwiki-plugin-todo"; + rev = "7e36f4fffc46df9e2fd116d7d6dc326202530b71"; + sha256 = "sha256-o794cFdnVEUHvLRP/UzrD26fzNGa9gYzR7sw2Ns8tvo="; + }; + buildInputs = [ pkgs.unzip ]; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + in [ plugin-todo ]; disableActions = "register"; extraConfig = '' $conf['title'] = 'malobeo wiki'; $conf['lang'] = 'en'; ''; }; + # nginx with self-signed ceritificate: + # generate key using: + # $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt + # I followed the guide on https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04 + services.nginx.virtualHosts."malo-wiki-name" = { + addSSL = true; + sslCertificate = "/etc/nixos/nginx-selfsigned.crt"; + sslCertificateKey = "/etc/nixos/nginx-selfsigned.key"; + }; + # open ports for HTTP and HTTPS + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 80 443 ]; + + # generic nginx configuration + services.nginx = { + enable = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + sslProtocols = "TLSv1.3"; + sslCiphers = "EECDH+AESGCM:EDH+AESGCM"; + sslDhparam = "/etc/nixos/dhparam.pem"; + }; }
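Review bot: `acl = "* @ALL 8";` gives upload-level access (which includes edit and create) on every namespace to DokuWiki's `@ALL` group, and that group includes visitors who are not logged in, so `disableActions = "register"` does not restrict who can write. Because the same hunk opens ports 80 and 443 in the firewall, anyone who can reach the host can change pages and upload media. If writing is meant only for accounts in users.auth.php, `acl = "* @user 8";` expresses that, with a separate `* @ALL 1` line if anonymous reading is wanted. The vhost also moves from `forceSSL = true` to `addSSL = true`, which keeps serving the wiki over plain HTTP with no redirect, so logins can travel unencrypted; `forceSSL = true;` works with the self-signed certificate too. `networking.firewall.allowedUDPPorts = [ 80 443 ];` looks unnecessary, since nothing visible here enables a UDP (HTTP/3) listener, and could be dropped.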