diff --git a/configuration.nix b/configuration.nix
index 1a7966f..3787556 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -7,6 +7,7 @@ let
   # custom packages
   nodeinfo = (import pkgs/nodeinfo.nix);
   lightning-charge = import pkgs/lightning-charge.nix { inherit pkgs; };
+  nanopos = import pkgs/nanopos.nix { inherit pkgs; };
 in {
   disabledModules = [ "services/security/tor.nix" ];
 
@@ -26,10 +27,14 @@ in {
      nodeinfo
      jq
      lightning-charge.package
+     nanopos.package
+     nodejs-8_x
+     nginx
   ];
   nixpkgs.config.packageOverrides = pkgs: {
     inherit nodeinfo;
     inherit lightning-charge;
+    inherit nanopos;
   };
 
   services.openssh.enable = true;
@@ -38,9 +43,9 @@ in {
 #     openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILacgZRwLsiICNHGHY2TG2APeuxFsrw6Cg13ZTMQpNqA nickler@rick" ];
 #  };
 
-  # networking.firewall.allowedTCPPorts = [ ... ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ ];
 
   #services.bitcoin.proxy = services.tor.client.socksListenAddress;
   services.nixbitcoin.enable = true;
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index 884983a..91008f4 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -23,16 +23,6 @@ in {
   };
 
   config = mkIf cfg.enable {
-      users.users.lightning-charge =
-        {
-          description = "lightning-charge User";
-          group = "lightning-charge";
-          extraGroups = [ "keys" ];
-      };
-      users.groups.lightning-charge = {
-        name = "lightning-charge";
-      };
-
       systemd.services.lightning-charge =
         { description = "Run lightning-charge";
           wantedBy = [ "multi-user.target" ];
@@ -42,7 +32,9 @@ in {
             {
               EnvironmentFile = "/secrets/lightning-charge-api-token";
               ExecStart = "${pkgs.lightning-charge.package}/bin/charged -l ${config.services.clightning.dataDir} -d ${config.services.clightning.dataDir}/lightning-charge.db";
-
+              # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
+              # so this must run as the clightning user
+              # https://github.com/ElementsProject/lightning/issues/1366
               User = "clightning";
               Restart = "on-failure";
               RestartSec = "10s";
diff --git a/modules/nixbitcoin.nix b/modules/nixbitcoin.nix
index b25ef82..2a2e58e 100644
--- a/modules/nixbitcoin.nix
+++ b/modules/nixbitcoin.nix
@@ -4,6 +4,37 @@ with lib;
 
 let
   cfg = config.services.nixbitcoin;
+  indexFile = pkgs.writeText "index.html" ''
+    <html>
+      <body>
+        <p>
+          <h1>
+            nix-bitcoin
+          </h1>
+        </p>
+        <p>
+        <h2>
+          <a href="store/">store</a>
+        </h2>
+        </p>
+        <p>
+        <h3>
+          lightning node: CLIGHTNING_ID
+        </h3>
+        </p>
+      </body>
+    </html>
+  '';
+  createWebIndex = pkgs.writeText "make-index.sh" ''
+    set -e
+    mkdir -p /var/www/
+    cp ${indexFile} /var/www/index.html
+    chown -R nginx /var/www/
+    nodeinfo
+    . <(nodeinfo)
+    sed -i "s/CLIGHTNING_ID/$CLIGHTNING_ID/g" /var/www/index.html
+  '';
+
 in {
   imports =
     [
@@ -11,6 +42,7 @@ in {
       ./bitcoind.nix
       ./clightning.nix
       ./lightning-charge.nix
+      ./nanopos.nix
     ];
 
   options.services.nixbitcoin = {
@@ -51,10 +83,59 @@ in {
     services.bitcoind.prune = 2000;
 
     # clightning
-    services.clightning.enable = true;
-    services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
+    services.clightning = {
+      enable = true;
+      bitcoin-rpcuser = config.services.bitcoind.rpcuser;
+    };
+    services.tor.hiddenServices.clightning = {
+      map = [{
+        port = 9375; toPort = 9375;
+      }];
+      version = 3;
+    };
+
 
     services.lightning-charge.enable = true;
+    services.nanopos.enable = true;
+
+    services.nginx = {
+      enable = true;
+      virtualHosts."_" = {
+        root = "/var/www";
+        extraConfig = ''
+          location /store/ {
+            proxy_pass http://127.0.0.1:${toString config.services.nanopos.port};
+            rewrite /store/(.*) /$1 break;
+          }
+        '';
+      };
+
+
+    };
+    services.tor.hiddenServices.nginx = {
+      map = [{
+        port = 80;
+      } {
+        port = 443;
+      }];
+      version = 3;
+    };
+
+    # create-web-index
+    systemd.services.create-web-index = {
+      description = "Get node info";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "nodeinfo.service" ];
+      path  = [ pkgs.nodeinfo pkgs.clightning pkgs.jq pkgs.sudo ];
+      serviceConfig = {
+        ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}";
+        User = "root";
+        Type = "simple";
+        RemainAfterExit="yes";
+        Restart = "on-failure";
+        RestartSec = "10s";
+      };
+    };
 
     # nodeinfo
     systemd.services.nodeinfo = {
@@ -63,14 +144,13 @@ in {
       after = [ "clightning.service" "tor.service" ];
       path  = [ pkgs.clightning pkgs.jq pkgs.sudo ];
       serviceConfig = {
-        ExecStart="${pkgs.bash}/bin/bash ${pkgs.nodeinfo}/bin/nodeinfo > /var/lib/nodeinfo.nix";
+        ExecStart="${pkgs.bash}/bin/bash ${pkgs.nodeinfo}/bin/nodeinfo > /var/lib/nodeinfo.sh";
         User = "root";
         Type = "simple";
         RemainAfterExit="yes";
         Restart = "on-failure";
         RestartSec = "10s";
       };
-
     };
 
     # Define a user account. Don't forget to set a password with ‘passwd’.
diff --git a/network-vbox.nix b/network-vbox.nix
index 62f4e2a..a914499 100644
--- a/network-vbox.nix
+++ b/network-vbox.nix
@@ -20,5 +20,12 @@ in
       deployment.keys.lightning-charge-api-token.user = "clightning";
       deployment.keys.lightning-charge-api-token.group = "clightning";
       deployment.keys.lightning-charge-api-token.permissions = "0440";
+
+      # variable is called CHARGE_TOKEN instead of API_TOKEN
+      deployment.keys.lightning-charge-api-token-for-nanopos.text = "CHARGE_TOKEN=" + secrets.lightning-charge-api-token;
+      deployment.keys.lightning-charge-api-token-for-nanopos.destDir = "/secrets/";
+      deployment.keys.lightning-charge-api-token-for-nanopos.user = "nanopos";
+      deployment.keys.lightning-charge-api-token-for-nanopos.group = "nanopos";
+      deployment.keys.lightning-charge-api-token-for-nanopos.permissions = "0440";
     };
 }
diff --git a/pkgs/nodeinfo.sh b/pkgs/nodeinfo.sh
index 6d8033e..ed4e4cf 100644
--- a/pkgs/nodeinfo.sh
+++ b/pkgs/nodeinfo.sh
@@ -1,11 +1,12 @@
 set -e
 set -o pipefail
 
-printenv
-BITCOIND_ONION=$(cat /var/lib/tor/onion/bitcoind/hostname)
-CLIGHTNING_ID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
+BITCOIND_ONION="$(cat /var/lib/tor/onion/bitcoind/hostname)"
+CLIGHTNING_NODEID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
+CLIGHTNING_ONION="$(cat /var/lib/tor/onion/clightning/hostname)"
+CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
 
-echo \{
-echo "  bitcoind_onion = \"$BITCOIND_ONION\";"
-echo "  clightning_id = \"$CLIGHTNING_ID\";"
-echo \}
+echo BITCOIND_ONION="$BITCOIND_ONION"
+echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
+echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
+echo CLIGHTNING_ID="$CLIGHTNING_ID"