diff --git a/agenix-config-module.nix b/agenix-config-module.nix
index 94d4536..8e9196e 100644
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@@ -1,3 +1,7 @@
 {
- age.secrets.samsehu_DUCK_DNS_TOKEN.file = ./secrets/samsehu_DUCK_DNS_TOKEN.age;
+ age.secrets.samsehu_DUCK_DNS_TOKEN = {
+ file = ./secrets/samsehu_DUCK_DNS_TOKEN.age;
+ owner = "dynamicdns";
+ group = "dynamicdns";
+ };
 }
diff --git a/configuration.nix b/configuration.nix
index 8d7d8d1..469e8aa 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -65,14 +65,18 @@
 services.cockpit = {
 enable = true;
 openFirewall = true;
+ settings = {
+ WebService = {
+ Origins = "https://cockpit.samsehu.perli.casa wss://cockpit.samsehu.perli.casa";
+ ProtocolHeader = "X-Forwarded-Proto";
+ LoginTo = false;
+ };
+ };
 };
 services.udisks2.enable = true;
- services.jellyfin = {
- enable = true;
- openFirewall = true;
- };
+ services.jellyfin.enable = true;
 services.blocky = {
 enable = true;
@@ -114,6 +118,10 @@
 services.forgejo = {
 enable = true;
+ settings = {
+ server.ROOT_URL = "https://git.samsehu.perli.casa/";
+ server.HTTP_ADDR = "127.0.0.1";
+ };
 };
 services.lldap = {
@@ -124,6 +132,7 @@
 ldap_user_dn = "admin";
 # Default administrator password
 ldap_user_pass = "extending pulsate nastily";
+ http_host = "127.0.0.1";
 };
 };
@@ -137,7 +146,7 @@
 systemd.services.dynamic-dns-updater = {
 serviceConfig.User = "dynamicdns";
 path = [ pkgs.curl ];
- script = "curl -o ~/duck.log --url-query domains=samsehuperli --url-query token@${config.age.secrets.samsehu_DUCK_DNS_TOKEN.path} https://www.duckdns.org/update";
+ script = "curl --silent --url-query domains=samsehuperli --url-query token@${config.age.secrets.samsehu_DUCK_DNS_TOKEN.path} https://www.duckdns.org/update";
 startAt = "hourly";
 };
 systemd.timers.dynamic-dns-updater = {
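Review bot: `openFirewall = true;` is kept on services.cockpit in the cockpit hunk even though the new `ProtocolHeader = "X-Forwarded-Proto";` setting makes cockpit trust that header, an assumption that only holds while cockpit is reachable solely through the reverse proxy; with 9090 open to the network, a client connecting directly can supply the header itself. The jellyfin change in the same hunk already drops its openFirewall line, so the cockpit one looks like an oversight now that a Caddy vhost for cockpit exists further down in this diff. Dropping `openFirewall = true;` from services.cockpit (the option presumably defaults to false) keeps 9090 reachable only via localhost and the proxy.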
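Review bot: The new script line in the dynamic-dns-updater hunk uses `--silent`, which also suppresses curl's own error messages, and curl exits 0 on an HTTP error status unless told otherwise, so a rejected or failed Duck DNS update will leave the unit looking healthy in the journal and `systemctl status`. Passing the token as `token@<path>` from the agenix secret instead of on the command line is the right move; pair it with `--silent --show-error --fail` so transport errors are still logged and a non-2xx response fails the unit, e.g. `script = "curl --silent --show-error --fail --url-query domains=samsehuperli --url-query token@${config.age.secrets.samsehu_DUCK_DNS_TOKEN.path} https://www.duckdns.org/update";`. The systemd.timers block that follows continues outside the hunk.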
@@ -147,9 +156,41 @@
 # Reverse proxy with Caddy
 services.caddy = {
 enable = true;
- virtualHosts."samsehu.perli.casa".extraConfig = ''
- respond "Hello, world!"
+ globalConfig = ''
+ email "fresh.car0178@geemili.xyz"
 '';
+
+ virtualHosts."lldap.samsehu.perli.casa".extraConfig = ''
+ reverse_proxy localhost:17170
+ '';
+
+ virtualHosts."headscale.samsehu.perli.casa".extraConfig = ''
+ reverse_proxy localhost:64639
+ '';
+
+ virtualHosts."cockpit.samsehu.perli.casa".extraConfig = ''
+ reverse_proxy localhost:9090
+ '';
+
+ virtualHosts."git.samsehu.perli.casa".extraConfig = ''
+ reverse_proxy localhost:3000
+ '';
+
+ virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = ''
+ reverse_proxy localhost:8096
+ '';
+ };
+
+ # Headscale for access to the network while away from home
+ services.headscale = {
+ enable = true;
+ settings = {
+ server_url = "https://headscale.samsehu.perli.casa";
+ listen_addr = "127.0.0.1:64639";
+ metrics_listen_addr = "127.0.0.1:64640";
+ tls_cert_path = null;
+ tls_key_path = null;
+ };
 };
 # Enable automatic upgrades
@@ -177,19 +218,13 @@
 # Caddy HTTP and HTTPS
 80
 443
-
- # Forgejo web interface
- 3000
-
- # lldap LDAP
- 3890
-
- # lldap HTTP; user login and administration
- 17170
 ];
 networking.firewall.allowedUDPPorts = [
 # Blocky DNS
 53
+
+ # Headscale UDP port for STUN protocol
+ 3478
 ];
 # Use systemd-resolved and set networkmanager to allow mdns
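Review bot: The new `virtualHosts."lldap.samsehu.perli.casa"` entry publishes lldap's web interface, including its administrator login, on a public TLS hostname, while the lldap hunk earlier in this diff still carries the administrator password as a plaintext literal in the evaluated configuration (and therefore in the world-readable Nix store). If that UI only needs to be reachable from the LAN or over the headscale network, a source restriction in the same vhost keeps it off the open Internet, e.g. `@lan remote_ip private_ranges`, `reverse_proxy @lan localhost:17170`, `respond 403`. The password itself is a good candidate for the same agenix treatment the Duck DNS token gets in this commit, so that it no longer sits in the store.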
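Review bot: UDP 3478 is opened with the comment "Headscale UDP port for STUN protocol", but the services.headscale.settings added in the hunk above only set server_url, the two listen addresses and the TLS paths; headscale's embedded DERP/STUN server is off by default, so as far as this diff shows nothing listens on 3478 and the rule only widens the firewall. If the embedded DERP server is intended, enable it explicitly next to the rule, e.g. `derp.server.enabled = true;` and `derp.server.stun_listen_addr = "0.0.0.0:3478";` inside services.headscale.settings, and if it is not, drop the rule together with its comment. The allowedTCPPorts list this hunk trims begins before the hunk, so its remaining entries are not visible here.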