diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index f12500e..8496379 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -125,23 +125,40 @@ in
 };
 };
- virtualHosts."ai.${domain}" = {
+ virtualHosts."ai.${domain}" = let
+ apiKeyAuth = ''
+ set $api_key "";
+ if ($http_authorization ~* "^Bearer (.+)$") {
+ set $api_key $1;
+ }
+ if ($api_key = "") {
+ return 401 '{"error": "Missing Authorization header"}';
+ }
+ include ${config.sops.templates."nginx-ai-auth.conf".path};
+ '';
+ in {
 useACMEHost = domain;
 forceSSL = true;
+
+ # Web UI — llama.cpp chat interface (browser)
+ # Auth handled by llama.cpp itself (--api-key flag)
 locations."/" = {
- proxyPass = "http://192.168.0.23:8321";
+ proxyPass = "http://192.168.0.23:8000";
 proxyWebsockets = true;
- extraConfig = ''
- # API key auth — validated against the sops-managed key
- set $api_key "";
- if ($http_authorization ~* "^Bearer (.+)$") {
- set $api_key $1;
- }
- if ($api_key = "") {
- return 401 '{"error": "Missing Authorization header"}';
- }
- include ${config.sops.templates."nginx-ai-auth.conf".path};
- '';
+ };
+
+ # API — Llama Stack (opencode, programmatic clients)
+ locations."/v1/" = {
+ proxyPass = "http://192.168.0.23:8321/v1/";
+ proxyWebsockets = true;
+ extraConfig = apiKeyAuth;
+ };
+
+ # Llama Stack beta API
+ locations."/v1beta/" = {
+ proxyPass = "http://192.168.0.23:8321/v1beta/";
+ proxyWebsockets = true;
+ extraConfig = apiKeyAuth;
 };
 };
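Review bot: `locations."/"` no longer carries the nginx-side bearer check, so every path that is not under `/v1/` or `/v1beta/` is now proxied to `192.168.0.23:8000` with no authentication at the proxy; the only control left is the llama.cpp `--api-key` flag that the new comment refers to. That flag is configured outside this diff, so whether it is set cannot be confirmed from here, and because `/` is the catch-all prefix location it fails open if the flag is ever dropped; the vhost uses ACME and `forceSSL`, so it is presumably internet-facing. It is also worth confirming which llama.cpp endpoints stay reachable without the key, since the server presumably serves the UI assets and some status endpoints unauthenticated. I would at least tie the comment to the place where the flag is defined, e.g. `# Auth handled by llama.cpp itself (--api-key, set in <module that defines the llama.cpp service>)`, so a later change to that service is reviewed together with this location.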