diff --git a/configuration.nix b/configuration.nix
index a10214c..f25ed1e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -397,102 +397,116 @@ services.caddy = { enable = true; globalConfig = '' - # servers { - # protocols h1 h2 - # } email "fresh.car0178@geemili.xyz" + + @connected_via_tailscale { + remote_ip 100.64.0.0/10 + remote_ip fd7a:115c:a1e0::/48 + } ''; virtualHosts."lldap.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:17170 + handle @connected_via_tailscale { + reverse_proxy localhost:17170 + } + respond 403 ''; virtualHosts."headscale.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 192.168.0.69 reverse_proxy localhost:64639 ''; virtualHosts."cockpit.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:9090 + handle @connected_via_tailscale { + reverse_proxy localhost:9090 + } + respond 403 ''; virtualHosts."git.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 192.168.0.69 reverse_proxy localhost:3000 ''; virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 192.168.0.69 reverse_proxy localhost:8096 ''; virtualHosts."nextcloud.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 + handle @connected_via_tailscale { + # https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 - # https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - - root * ${config.services.nextcloud.package} - php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { - root ${config.services.nextcloud.package} - capture_stderr + root * ${config.services.nextcloud.package} + php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { + root ${config.services.nextcloud.package} + capture_stderr + } + file_server } - file_server + respond 403 ''; virtualHosts."glauth.samsehu.perli.casa".extraConfig = 
'' - bind 100.64.0.3 - reverse_proxy localhost:5555 + handle @connected_via_tailscale { + reverse_proxy localhost:5555 + } + respond 403 ''; virtualHosts."dex.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:5556 + handle @connected_via_tailscale { + reverse_proxy localhost:5556 + } + respond 403 ''; virtualHosts."kavita.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 192.168.0.69 - reverse_proxy localhost:5000 + handle @connected_via_tailscale { + reverse_proxy localhost:5000 + } + respond 403 ''; virtualHosts."aria.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - handle /jsonrpc { - reverse_proxy localhost:6800 + handle @connected_via_tailscale { + handle /jsonrpc { + reverse_proxy localhost:6800 + } + handle_path /ariang* { + root * ${pkgs.ariang}/share/ariang + file_server + } + redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc } - handle_path /ariang* { - root * ${pkgs.ariang}/share/ariang - file_server - } - redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc + respond 403 ''; virtualHosts."lid.arr.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:8686 + handle @connected_via_tailscale { + reverse_proxy localhost:8686 + } + respond 403 ''; virtualHosts."rad.arr.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:7878 + handle @connected_via_tailscale { + reverse_proxy localhost:7878 + } + respond 403 ''; virtualHosts."read.arr.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:8787 + handle @connected_via_tailscale { + reverse_proxy localhost:8787 + } + respond 403 ''; virtualHosts."son.arr.samsehu.perli.casa".extraConfig = '' - bind 100.64.0.3 - reverse_proxy localhost:8989 + handle @connected_via_tailscale { + reverse_proxy localhost:8989 + } + respond 403 ''; }; - # patch the 
caddy service to wait for the tailscale interface before starting - systemd.services."caddy" = { - requires = [ "tailscaled.service" ]; - bindsTo = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" ]; - after = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" "tailscaled.service" ]; - }; # Headscale for access to the network while away from home services.headscale = {
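Review bot: The headscale, git and jellyfin vhosts lose their `bind 100.64.0.3 192.168.0.69` line but do not receive the `handle @connected_via_tailscale { … } respond 403` wrapper the other vhosts get, so those three move from two explicitly chosen addresses to Caddy's default listener, which is every address the host has; if that widening is not intended (headscale plausibly is, git and jellyfin less obviously), they should either keep their `bind` line or get a matcher that also admits the LAN, e.g. `@trusted { remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 <LAN_CIDR> }` with the same 403 fallback. Worth noting in the hunk itself that the old socket-level isolation is now a request-level check: `remote_ip` compares the TCP peer address and ignores forwarded headers, which is the right choice here but only holds while nothing in front of Caddy is declared a trusted proxy, so a comment on the matcher such as `# remote_ip is the peer address, not X-Forwarded-For; revisit if trusted_proxies is ever configured` would keep that assumption visible. One consequence of the switch is that non-Tailscale clients now complete a TLS handshake and receive a 403 instead of a refused connection, which confirms the hostnames exist; acceptable, but it should be a deliberate choice. As a matter of style, the same wrapper around a single `reverse_proxy localhost:PORT` is repeated for nine vhosts, and a small Nix helper of the form `tailscaleOnly = port: ''…'';` used as `extraConfig = tailscaleOnly 17170;` would make it much harder to forget the guard on the next vhost, which is exactly the gap this hunk shows.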