diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 9a0a501..c334679 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -70,6 +70,12 @@
 doBackups = true;
 };
+ freshrss = {
+ enable = true;
+ domain = "rss.${privateDomain}";
+ doBackups = true;
+ };
+
 alloy = {
 enable = true;
 domain = "alloy.${config.networking.hostName}.${privateDomain}";
diff --git a/modules/system/services/auto-gc.nix b/modules/system/services/auto-gc.nix
index fa33158..c6719b6 100644
--- a/modules/system/services/auto-gc.nix
+++ b/modules/system/services/auto-gc.nix
@@ -18,8 +18,8 @@ in
 [
 "--keep 10"
 "--keep-since 7d"
+ (lib.optionalString cfg.onlyCleanRoots "--no-gc")
 ]
- ++ lib.optional cfg.onlyCleanRoots "--no-gc"
 |> lib.concatStringsSep " ";
 };
 };
diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index 84b026f..cd863fb 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -13,6 +13,11 @@ let
 publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
 privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
+ webPorts = [ 80 443 ];
+
 mkVirtualHost = { domain,
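Review bot: In the auto-gc.nix hunk, moving the flag into the list as `(lib.optionalString cfg.onlyCleanRoots "--no-gc")` means the disabled case now contributes an empty-string element, so `lib.concatStringsSep " "` produces a trailing space (`"--keep 10 --keep-since 7d "`) where the old `++ lib.optional …` form added no token at all. If the option this feeds is tokenized on whitespace the extra space is harmless, but it is a silent change in the rendered value that the commit does not mention. Dropping empties before joining keeps the output exact: add `|> lib.filter (s: s != "")` immediately before the `|> lib.concatStringsSep " ";` line. The expression being assigned begins above the hunk, so the option it is assigned to is not visible here; the caddy.nix `extraConfig` hunk builds its list with the same `optionalString` empty-element pattern.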
@@ -23,25 +28,24 @@ let
 }:
 lib.nameValuePair domain {
 logFormat = "output file ${config.services.caddy.logDir}/${domain}.log { mode 640 }";
- extraConfig =
- let
- certDir = config.security.acme.certs.${domain}.directory;
- in
- [
- (lib.optionals (self.lib.isPrivateDomain domain) [
- "tls ${certDir}/fullchain.pem ${certDir}/key.pem"
- "bind ${config.custom.networking.overlay.address}"
- ])
- (lib.optional (port != null) "reverse_proxy localhost:${toString port}")
- (lib.optionals (files != null) [
- "root * ${files}"
- "encode"
- "file_server"
- ])
- (lib.optional (extraConfig != null) extraConfig)
- ]
- |> lib.concatLists
- |> lib.concatLines;
+ extraConfig = lib.concatLines [
+ (lib.optionalString (self.lib.isPrivateDomain domain) (
+ let
+ certDir = config.security.acme.certs.${domain}.directory;
+ in
+ ''
+ tls ${certDir}/fullchain.pem ${certDir}/key.pem
+ bind ${config.custom.networking.overlay.address}
+ ''
+ ))
+ (lib.optionalString (port != null) "reverse_proxy localhost:${toString port}")
+ (lib.optionalString (files != null) ''
+ root * ${files}
+ encode
+ file_server
+ '')
+ (lib.optionalString (extraConfig != null) extraConfig)
+ ];
 };
 in
 {
@@ -91,10 +95,7 @@ in
 message = "Each caddy virtual host must set exactly one of `port` or `files`";
 };
- networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist [
- 80
- 443
- ];
+ networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts;
 services.caddy = {
 enable = true;
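Review bot: `lib.concatLines` appends a newline to every element, but both `''` blocks in the new `extraConfig` already end with one (the closing `''` sits on its own line), and `lib.optionalString` yields `""` for each inactive branch, so the rendered vhost block now contains blank lines — a doubled one after the tls/bind and root/encode/file_server groups and one per disabled option — that the previous `concatLists`-of-single-lines form did not emit. Caddy's Caddyfile parser skips blank lines, so this is cosmetic, but the generated config is what an operator reads when debugging why a private host binds or serves the wrong thing. Keeping one directive per line is a small change: use `lib.concatStrings` and give the two single-line entries their own terminator, e.g. `"reverse_proxy localhost:${toString port}\n"`, or keep `concatLines` and wrap the list in `lib.filter (s: s != "")` after trimming the `''` blocks' trailing newline. The `mkVirtualHost` function this attribute belongs to begins above the hunk.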