diff --git a/nix/modules/darwin/system/security/default.nix b/nix/modules/darwin/system/security/default.nix
index 8cd1551..caa567b 100644
--- a/nix/modules/darwin/system/security/default.nix
+++ b/nix/modules/darwin/system/security/default.nix
@@ -26,6 +26,7 @@ in {
 ${pkgs.coreutils}/bin/env nix-env -p /nix/var/nix/profiles/system --set /nix/store/*, \
 ${pkgs.coreutils}/bin/env /nix/store/*/activate, \
 /etc/profiles/per-user/${config.${namespace}.user.name}/bin/openconnect, \
+ /sbin/route, \
 /usr/bin/dscacheutil, \
 /usr/bin/killall, \
 /usr/bin/pkill, \
diff --git a/nix/modules/home/security/openconnect/default.nix b/nix/modules/home/security/openconnect/default.nix
index fee3f3c..e0423d9 100644
--- a/nix/modules/home/security/openconnect/default.nix
+++ b/nix/modules/home/security/openconnect/default.nix
@@ -8,6 +8,13 @@ with lib;
 with lib.custom; let
 cfg = config.${namespace}.security.openconnect;
+ route_delete_command =
+ if pkgs.stdenv.isLinux
+ then "sudo route del -net 192.168.0.0/16"
+ else if pkgs.stdenv.isDarwin
+ then "sudo route delete -net 192.168.0.0/16"
+ else "";
+
 vpnScript = pkgs.writeScriptBin "myvpn" ''
 #! ${pkgs.bash}/bin/sh
@@ -57,7 +64,7 @@ with lib.custom; let
 echo "VPN is up and running!"
 echo "******************************************************"
 echo "Removing LAN routes to VPN"
- sudo route del -net 192.168.0.0/16
+ ${route_delete_command}
 fi
 ;;
 down)
diff --git a/nix/modules/nixos/containers/jellyfin/default.nix b/nix/modules/nixos/containers/jellyfin/default.nix
index 60575fc..d160814 100644
--- a/nix/modules/nixos/containers/jellyfin/default.nix
+++ b/nix/modules/nixos/containers/jellyfin/default.nix
@@ -22,6 +22,7 @@ in {
 host = "${cfg.host}";
 url = "http://${cfg.localAddress}:8096";
 route_enabled = cfg.enable;
+ middleware = "secure-headers";
 })
 (import ../shared/shared-adguard-dns-rewrite.nix {
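Review bot: The new entry `/sbin/route, \` whitelists the binary with any arguments, while the only invocation this change introduces is `route delete -net 192.168.0.0/16`; if the enclosing rule is a NOPASSWD command list (its head and tail are outside the hunk, so this is inferred from the `, \` continuations and the sibling entries), that is a passwordless way to rewrite the host's default route, e.g. to point at an attacker-controlled gateway. Pin the arguments the way the other entries pin full paths: `/sbin/route delete -net 192.168.0.0/16, \`. Any further route operations needed later are better added as separate explicit entries than by leaving the bare binary in the list.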
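Review bot: The `else "";` fallback in `route_delete_command` turns an unsupported platform into a silent no-op: the script still prints "Removing LAN routes to VPN" and then runs nothing, so the 192.168.0.0/16 route stays wherever the VPN put it with no signal to the operator. Fail at evaluation time instead, e.g. `else throw "openconnect: route_delete_command has no variant for this platform";`, so the gap surfaces at rebuild rather than at connect time. A one-line comment above the binding explaining why 192.168.0.0/16 is pulled out of the tunnel would also help, since excluding the whole private range from the VPN is a deliberate split-tunnel exception that later readers should be able to judge. The `vpnScript` definition continues past the end of the hunk.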
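Review bot: The substituted `${route_delete_command}` line is run without checking its exit status, so a failed deletion (route not present, sudo denied, no net-tools `route` on a Linux host) is indistinguishable from success after the "Removing LAN routes to VPN" message; whether the script runs under `set -e` cannot be seen from this hunk, and the surrounding `case` branch starts and ends outside it. For the two non-empty variants, `${route_delete_command} || echo "warning: failed to remove LAN route 192.168.0.0/16" >&2` would at least tell the operator the split-tunnel exception did not take effect. On current Linux systems `ip route del 192.168.0.0/16` is the more portable spelling than net-tools `route del`, which many distributions no longer install by default.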
@@ -58,29 +59,29 @@ in {
 "hostPath" = "${cfg.dataPath}/log/";
 isReadOnly = false;
 };
+ };
- config = {...}: {
- systemd.tmpfiles.rules = [
- "d /var/lib/jellyfin 700 jellyfin jellyfin -"
- ];
- services.jellyfin = {
- enable = true;
- };
+ config = {...}: {
+ systemd.tmpfiles.rules = [
+ "d /var/lib/jellyfin 700 jellyfin jellyfin -"
+ ];
+ services.jellyfin = {
+ enable = true;
+ };
- networking = {
- firewall = {
- enable = true;
- # https://jellyfin.org/docs/general/networking/index.html#port-bindings
- allowedTCPPorts = [8096 8920];
- allowedUDPPorts = [1900 7359];
- };
- # Use systemd-resolved inside the container
- # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
- useHostResolvConf = lib.mkForce false;
+ networking = {
+ firewall = {
+ enable = false;
+ # https://jellyfin.org/docs/general/networking/index.html#port-bindings
+ allowedTCPPorts = [8096 8920];
+ allowedUDPPorts = [1900 7359];
 };
- services.resolved.enable = true;
- system.stateVersion = "24.11";
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
 };
+ services.resolved.enable = true;
+ system.stateVersion = "24.11";
 };
 };
 };
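Review bot: `enable = false;` switches off the container's firewall while `allowedTCPPorts = [8096 8920];` and `allowedUDPPorts = [1900 7359];` are kept, so those two lines are now dead configuration and every port the container happens to bind is reachable from whatever network it is attached to, not only the Jellyfin ports the linked comment documents. If this was a connectivity fix, the port lists already cover Jellyfin's documented bindings, so `enable = true;` should come back; if the host firewall is intentionally the only filter, say so in a comment next to the flag and drop the unused port lists so the next reader does not assume they are in effect. Separately, the added `};` before `config = {...}: {` appears to move `config` up one attribute level relative to `bindMounts`; since the enclosing set starts outside the hunk, it is worth confirming the container still receives this `config` after the re-nesting.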