diff --git a/machines/fuuko/services/media.nix b/machines/fuuko/services/media.nix index 378bfd7..d5b8ea6 100644 --- a/machines/fuuko/services/media.nix +++ b/machines/fuuko/services/media.nix @@ -1,13 +1,15 @@ +{ config, ... }: + { + sops.secrets.media-htpasswd.owner = "nginx"; + services.nginx.virtualHosts."media.sbruder.de" = { enableACME = true; forceSSL = true; - basicAuthFile = "/data/media/.htpasswd"; + basicAuthFile = config.sops.secrets.media-htpasswd.path; root = "/data/media/"; - - locations."=/.htpasswd".return = "403"; }; services.nginx-interactive-index.virtualHosts."media.sbruder.de".locations."/".enable = true; diff --git a/machines/vueko/configuration.nix b/machines/vueko/configuration.nix index 1f6df62..d0f7fec 100644 --- a/machines/vueko/configuration.nix +++ b/machines/vueko/configuration.nix @@ -4,6 +4,8 @@ imports = [ ./hardware-configuration.nix ../../modules + + ./services/media.nix ]; sbruder = { diff --git a/machines/vueko/secrets.yaml b/machines/vueko/secrets.yaml index bb39a6b..2c28037 100644 --- a/machines/vueko/secrets.yaml +++ b/machines/vueko/secrets.yaml 
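Review bot: With `locations."=/.htpasswd".return = "403";` removed in the first hunk (machines/fuuko/services/media.nix), nothing in this vhost denies `/.htpasswd` any more. If the old `/data/media/.htpasswd` is still on disk under `root = "/data/media/"`, any authenticated client can download its password hashes. Deleting that file is not visible in this commit, so either remove it as part of the rollout or keep the deny rule until it is gone. Separately, `sops.secrets.media-htpasswd.owner = "nginx";` could be written as `owner = config.services.nginx.user;` so the secret follows the service account if that is ever overridden. The closing lines of the attribute set are not visible on this page.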
@@ -1,12 +1,13 @@ wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str] +media-sb-proxy-auth: ENC[AES256_GCM,data:hYKmrpIMotRaf47bt8LSyXT2FEUHu26SLtKCt2zh/ziFtH2empD2NTlpf+l5Q6VHW1r1RUyE0KdmNM4nZRumJ/NuP3Aa9ErGTI3qozjQk9Kl,iv:pLYZv8X76XQGBd36PjQPkiUNPR08PkIKuTqJ+mmaMcw=,tag:3PMAO3lOfT+y+1s8yJLvhA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-26T12:53:24Z" - mac: ENC[AES256_GCM,data:Ux7QNbgDbh5GQwbn8qY/+zIX+DOBxPiXDeyesvTGR0Q4pO8avnjQQgaXhvl6PrH2htKx0yYno9zq3IcEh4fzhS3Bowsg5UdSQbaGQf9HDW0nP3DYs3Zb+yD/TO1deY5KAgzBIZz4RVdo031qlvpfzfHjjM7Cda+E8rKU8GhY9KU=,iv:IX/xATHbmCFlRlh9s/zFvNvTlY7uyB3TL5ER/+BuElM=,tag:nkZk2UVLdwbF71LhQ3WzqA==,type:str] + lastmodified: "2022-08-21T15:55:45Z" + mac: ENC[AES256_GCM,data:qtMmv0BfPmgoLrlIxfED7vXoIU+lU6SOXGsh1EPLQUjSnDEaWJpj3gDTEWVskgwHoBdt+jFaCw1j+nI36+6F+KQDwD58sV1/Oiw/J7J5QwePGeU1iyXmq/JwPNU4wYfe3O15tNRXkpFfv4tV/rdeFqbbh0++V4nQ5ZnDE0MlUJA=,iv:NOOSGauhsWhMrMXL81syzSpcvgGk4LVKwQ840/78MWg=,tag:GbMzBSlcSvMRJojGy6/0BA==,type:str] pgp: - created_at: "2021-04-06T11:13:54Z" enc: | @@ -49,4 +50,4 @@ sops: -----END PGP MESSAGE----- fp: BB046D773F54739757553A053CB9B8EFD7FED749 unencrypted_suffix: _unencrypted - version: 3.7.1 + version: 3.7.3 diff --git a/machines/vueko/services/media.nix b/machines/vueko/services/media.nix new file mode 100644 index 0000000..b4dab89 --- /dev/null +++ b/machines/vueko/services/media.nix 
@@ -0,0 +1,49 @@
+{ config, ... }:
+
+{
+ sops.secrets = {
+ media-htpasswd.owner = "nginx";
+ media-proxy-auth.owner = "nginx";
+ media-sb-proxy-auth = {
+ owner = "nginx";
+ sopsFile = ../secrets.yaml;
+ };
+ };
+
+ services.nginx.virtualHosts."media-sb.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ basicAuthFile = config.sops.secrets.media-htpasswd.path;
+
+ locations = {
+ "/" = {
+ extraConfig = ''
+ rewrite ^(.*/)$ /__regular$1 last;
+ rewrite ^(.*\\.[^/]*)$ /__storagebox$1 last;
+ '';
+ };
+ "/__nginx-interactive-index-assets__/".alias = "${builtins.filterSource
+ (path: type: baseNameOf path != "default.nix")
+ ../../../modules/nginx-interactive-index}/";
+
+ "/__regular/" = {
+ extraConfig = ''
+ internal;
+ proxy_pass https://media.sbruder.de/;
+ include ${config.sops.secrets.media-proxy-auth.path};
+ proxy_buffering off;
+ '';
+ };
+ "/__storagebox/" = {
+ extraConfig = ''
+ internal;
+ proxy_pass https://u313368-sub3.your-storagebox.de/;
+ proxy_set_header Host u313368-sub3.your-storagebox.de;
+ include ${config.sops.secrets.media-sb-proxy-auth.path};
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index e02cfde..5973503 100644
--- a/secrets.yaml
+++ b/secrets.yaml
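Review bot: Both `proxy_pass https://…` locations (`/__regular/` and `/__storagebox/`) forward whatever the included `*-proxy-auth` files add, presumably upstream credentials, without validating the upstream certificate, because nginx leaves `proxy_ssl_verify` off by default. Add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` and `proxy_ssl_server_name on;` to each `extraConfig`; `proxy_ssl_verify_depth` may need raising for the upstream chains. The contents of the two included secret files are not visible here. If they do not set their own `Authorization` header, the client's basic-auth header for this vhost is passed through to both upstreams, which is worth confirming. The three `owner = "nginx"` entries could also use `config.services.nginx.user`.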
@@ -1,3 +1,4 @@ +media-htpasswd: ENC[AES256_GCM,data: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,iv:n44K6SEtrL6MYEzXdPHbOvzoIQBqnVee+uC0/kbgd1M=,tag:HeOX3bXb107fSFXUk6Hc5Q==,type:str] media-proxy-auth: ENC[AES256_GCM,data:OcmYZq/tyzMB61NfyYZ8gAlEE+8w2IhlPlZ+dfedtfqVlPHk3iJsd9mvsXHf5ODTtuy00ll0MF4KYNePZkz7TeuaIdBgGlshFyE4gwsJdPXZNYnhcg==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:14DT86PQdEuK9zyZzcAohA==,type:str] media-ssh-key: ENC[AES256_GCM,data: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,iv:+ASa0hhWXmQ2hgJ9UuRFjnf/fA65kxWXiC+rDI6Lnx8=,tag:LDYSsN0DXAFiW0w+YBcopA==,type:str] torrent-proxy-auth: ENC[AES256_GCM,data:4oi4uZCgslTvmso1SCedu3gKsOTCtYIAf3g1mBS6/ta3d/hd6GJ0Ns+/9w51WrhcyJQRLSR7jLlzxRzKFp6JvKXlNAeflXDqOKNfk0LXY1GKTZynOA==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:e8fO5Xpu7wpDiSC4CBsaaQ==,type:str] @@ -9,8 +10,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-06-09T21:33:06Z" - mac: ENC[AES256_GCM,data:fIxn3nnbgF/IcQTGiFXPdzElupUw4mc8ri7GTwkE6uv9fw3AaoReVNIRIpoxjhoUE0ZkJs3wOElfmGJ8wFtkXQTF+PkeeI5RQB1+xofkQQnuHjBGbgYwD9mEHU36FkmSIkKzkkozvZBhGNZSrcKwKL83QpIOlxBTnRFIUmDm4n0=,iv:BLeAzU+mXJ00uxsMN/y8VzXU14O5reNKB3Kl5zRU3TY=,tag:5f83PCjyklB5g9rsxQQt+A==,type:str] + lastmodified: "2022-08-22T14:22:50Z" + mac: ENC[AES256_GCM,data:jeon/GqCA40VJogcR0jBtkZyLvRvEf3dhMfGl0NdLKEQhbH1a7xWSCe+riyszv4/UU6qkm/mIbrqLY4Tjaqg++f1AO9ZbSVleahik397cdVgfxaFBYrD2Ia7rvRqNSncHbK7Kc93GV/XzB6yIJTKcEKddNLxMvSnJtlaVaETECE=,iv:irJR+d+mxp6L9bZyTRjnTl42rEZS5u5awic2uR2DLLU=,tag:H0aWDkz0hTKkR/QXb7cvzQ==,type:str] pgp: - created_at: "2022-06-09T21:22:41Z" enc: |