diff --git a/modules/server/caddy.nix b/modules/server/caddy.nix
new file mode 100644
index 0000000..ef7a59b
--- /dev/null
+++ b/modules/server/caddy.nix
@@ -0,0 +1,7 @@
+{config, ...}: {
+ flake.modules.nixos.server = {...}: {
+ services.caddy.enable = config.flake.meta.web.domain.has;
+ networking.firewall.allowedTCPPorts = [80 443];
+ networking.firewall.allowedUDPPorts = [80 443];
+ };
+}
diff --git a/modules/server/cloudflared.nix b/modules/server/cloudflared.nix
deleted file mode 100644
index eed619a..0000000
--- a/modules/server/cloudflared.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{config, ...}: {
- flake.modules.nixos.server = {pkgs, ...}: {
- environment.systemPackages = [pkgs.cloudflared];
-
- services.cloudflared.enable = config.flake.meta.web.domain.has;
- };
-}
diff --git a/modules/server/copyparty.nix b/modules/server/copyparty.nix
index 73dd298..ba1e3cd 100644
--- a/modules/server/copyparty.nix
+++ b/modules/server/copyparty.nix
@@ -19,15 +19,11 @@ in {
 };
 sops.secrets."cloudflare/copyparty" = {};
 
- services.cloudflared.tunnels = lib.mkIf config.services.cloudflared.enable {
- "files" = {
- credentialsFile = "/run/secrets/cloudflare/copyparty";
- default = "http_status:404";
- ingress = {
- "files.${flk.meta.web.domain.domain}" = {
- service = "http://localhost:3293";
- };
- };
+ services.caddy.virtualHosts = {
+ "files.${flk.meta.web.domain.domain}" = {
+ extraConfig = ''
+ reverse_proxy :3293
+ '';
 };
 };
 
@@ -43,14 +39,7 @@ in {
 e2t = true;
 shr = "/shr";
 
- xff-hdr =
- if config.services.cloudflared.enable
- then "cf-connecting-ip"
- else null;
- rproxy =
- if config.services.cloudflared.enable
- then 1
- else null;
+ rproxy = 1;
 };
 accounts = {
 ilay.passwordFile = config.sops.secrets."copyparty/passwords/ilay".path;
diff --git a/modules/server/forgejo/forgejo.nix b/modules/server/forgejo/forgejo.nix
index e18046e..268886b 100644
--- a/modules/server/forgejo/forgejo.nix
+++ b/modules/server/forgejo/forgejo.nix
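Review bot: `networking.firewall.allowedUDPPorts = [80 443];` opens UDP 80, on which nothing listens — Caddy's HTTP/3 listener is UDP 443 only — so that entry should be dropped. Both firewall lines are also unconditional while `services.caddy.enable` is gated on `config.flake.meta.web.domain.has`, so a host built without a domain still exposes 80/443 to the network. I would gate them the same way: take `lib` from the module arguments and write `networking.firewall.allowedTCPPorts = lib.optionals config.flake.meta.web.domain.has [80 443];` and `networking.firewall.allowedUDPPorts = lib.optionals config.flake.meta.web.domain.has [443];`.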
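Review bot: The context line `sops.secrets."cloudflare/copyparty" = {};` still declares the tunnel credential, but this same commit deletes `cloudflare.copyparty` from secrets.yaml, so sops-nix has no ciphertext for that key and I expect secret installation to fail at activation; delete the declaration together with the tunnel (nothing references `/run/secrets/cloudflare/copyparty` any more). The new virtualHost silently depends on Caddy's defaults — automatic TLS for the hostname and, unless `trusted_proxies` says otherwise, stripping client-supplied `X-Forwarded-*` headers before `reverse_proxy :3293` — and copyparty's `rproxy` setting further down trusts exactly that; a comment such as `# Caddy terminates TLS and rewrites X-Forwarded-For; the rproxy setting below relies on this` would make the coupling visible. The enclosing module body starts above the hunk.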
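Review bot: `rproxy = 1;` is now unconditional and, with `xff-hdr` gone, copyparty falls back to its default forwarded-IP header; if `1` selects the first `X-Forwarded-For` entry (as copyparty's `--rproxy` help describes), that value is trustworthy only because Caddy drops client-supplied `X-Forwarded-*` headers from senders outside `trusted_proxies` — worth confirming against the Caddy version in use. Anyone able to reach port 3293 directly can still present a forged header, so the listener needs to stay on loopback; the bind address is outside this hunk, so I cannot confirm it. I would record the assumption on the line: `rproxy = 1; # first X-Forwarded-For entry; safe only behind Caddy with copyparty bound to 127.0.0.1`. The attribute set these settings belong to starts above the hunk.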
@@ -8,15 +8,11 @@ in {
 }: {
 sops.secrets."cloudflare/git" = {};
 
- services.cloudflared.tunnels = lib.mkIf config.services.cloudflared.enable {
- "git" = {
- credentialsFile = "/run/secrets/cloudflare/git";
- default = "http_status:404";
- ingress = {
- "git.${flk.meta.web.domain.domain}" = {
- service = "http://localhost:5675";
- };
- };
+ services.caddy.virtualHosts = {
+ "git.${flk.meta.web.domain.domain}" = {
+ extraConfig = ''
+ reverse_proxy :5675
+ '';
 };
 };
 
diff --git a/modules/server/ssh.nix b/modules/server/ssh.nix
index 9397dca..c2da051 100644
--- a/modules/server/ssh.nix
+++ b/modules/server/ssh.nix
@@ -8,6 +8,9 @@
 };
 };
 
+ networking.firewall.allowedTCPPorts = [22];
+ networking.firewall.allowedUDPPorts = [22];
+
 users.users.${config.flake.meta.user.name} = {
 openssh.authorizedKeys.keys = [
 config.flake.meta.user.ssh_key
diff --git a/secrets.yaml b/secrets.yaml
index 4a7058e..bc41594 100644
--- a/secrets.yaml
+++ b/secrets.yaml
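Review bot: The context line `sops.secrets."cloudflare/git" = {};` keeps declaring the tunnel credential that this commit removes from secrets.yaml, so sops-nix will be asked to decrypt a key that no longer exists; I expect that to fail when secrets are installed at activation, and the line should be deleted along with the tunnel. `reverse_proxy :5675` forwards to whatever answers on that port on any interface; Forgejo's bind address and its reverse-proxy settings are outside this hunk, so I cannot tell whether it is restricted to loopback. The enclosing module body starts above the hunk.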
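Review bot: `networking.firewall.allowedUDPPorts = [22];` opens UDP 22, which sshd never listens on; it widens the firewall for nothing and should be removed. The TCP line is probably redundant as well — NixOS's openssh module opens its configured ports itself unless `services.openssh.openFirewall` is set to false — but the sshd options sit above this hunk, so I cannot confirm that default is in effect. If an explicit rule is wanted, `networking.firewall.allowedTCPPorts = [22];` alone is enough.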
@@ -4,9 +4,6 @@ copyparty:
 passwords:
 ilay: ENC[AES256_GCM,data:BIh+FIdvKg8=,iv:q+aCn2f2/Y2TbQc5pR2buEO0DSAj7Bq3Zvyjv1cf30Y=,tag:zaSse7VCTdEd6jo5JEiZsA==,type:str]
 ron: ENC[AES256_GCM,data:8sw3Sf158A==,iv:9EyFYAxoFMGYijQ93lDOjSoaP/RHMtphlhto14ofXq0=,tag:T2MvVxUXnlx+yZyH0znZsA==,type:str]
-cloudflare:
- copyparty: ENC[AES256_GCM,data:SK8qhyjIiOsKzZsnh8W8/BRJmbHoLA6rCGGUzKb9ucbTiiCUhfnaR7A/0SSKKecrMwTmuCos0WnEUe0ixGWJcHncEoLpMyAQMfmL81wbyfDhkxrEjc77aSRomAqM9X/jWg3ocp4oxKKUkEfnnKUqkv4vse+J/lBZjlOoTtwiPoJ1V/GL2JKru/f/LoERQqCEaAqMnQeXJyi/5pf4wPCKLbRQxZ1LCmxeyMMRU0FgOQ==,iv:HqAmQR1SMd4D3uf0eSCfKBCO61mM/Zdfiv/RBlaiJkc=,tag:7ESjgrqkG9RWDAmV/2wGdA==,type:str]
- git: ENC[AES256_GCM,data:QxpLDjVsPiIxSKq6hWUOBS0wWxZ2ccLmSYQA64U3n+Y42Uuaf92pJHt3CQ2ZSaIXWbgpVotln/vBexRA1RH4ZpF5vwyYX1XUwCisv3qdkS/P4/kZIt8TtdvYV1pVwxZRqm58aA0L4ZuNk0q5a1tscrXtLVJ2+uvF9we6Oloz5uMA+XCBwzkqo6Ucbc/47gbUPTRSzMRpY1n8ma71NiensFn0lGtyWfB7TW26pLbSVg==,iv:mZmufTufxBuRkE0YNBwRNV4Shq1Uq2r+MzsNuzPkzQI=,tag:igtKa2VSLBjY9eKWONoKOg==,type:str]
 forgejo:
 token: ENC[AES256_GCM,data:3bsyRuBeK7+Blph3YUFB92b1pWgLcSUjy5j+2KfigaFubHs6c26zAEuH0bKBZg==,iv:lAJWyZlaV1hP6W6Y2ZkMfFFACcGjnHW/pNuXgPSOLlU=,tag:POmNl8JIidEoHhnjaqqz4A==,type:str]
 openclaw:
@@ -41,7 +38,7 @@ sops:
 MFp0UW1HSW9MbmppcHlNM25CaFhqOWcKppF0dE4YNh+mN1tyZju4zxM6ZFBSKx9U
 cGYtUemtt4s9ko3hPt8ZM/ysKOeZgnYoeG7QQnwSoF3F+/gurvb0Bg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-27T21:30:21Z"
- mac: ENC[AES256_GCM,data:42D8He2GuUGDh5AIOomKt9EV/qU5vTSQrDvvarMzAlPaW3RBcDCBTbwA41Vz7raQJf/EvtU/2D2rQ6U4Pjdlc9rzctSlAesZPgPdbjtfcbNUylxExh0CEgKaeVcCKOQ+Bi7ZzLGiQewRdnxeihEiOkxS0LHyzHyEcOxqN1A/uGw=,iv:UgwHroeJIWos20+SpnBCvcmwnyF5O7P1d7n07UAwzAA=,tag:wRegPCgl5RY8o+e7IGqELA==,type:str]
+ lastmodified: "2026-03-18T20:55:00Z"
+ mac: ENC[AES256_GCM,data:5tUwCWDZWMyqLQ2F1z+wEmlANN4j+sI8ijcfXn78fEKX2bl9dnNy5BHipRdduiToL3TeIwXYObfems2C2S+SjJtBwdBN23BHZsq89JswE5+0BssW9LvFJ7a0bnfHQ50Zh/L4Ae49m88ge0ma0fXbO2IiSIC1cpKm62pMgeqnEDY=,iv:OcXj3ls5pm7/lOUyhbbtbfuGT7NP23BL70uBRmGTVc0=,tag:o4WHDK8puizf99Uu/Gwt4Q==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.11.0
+ version: 3.12.1