diff --git a/vps-configuration.nix b/vps-configuration.nix index c1bc40e..8678735 100644 --- a/vps-configuration.nix +++ b/vps-configuration.nix @@ -12,25 +12,50 @@ efiInstallAsRemovable = true; }; - networking.hostName = "tien"; + environment.systemPackages = with pkgs; [ + curl + ]; - # do not use DHCP, as dashserv provisions IPs using cloud-init + networking.hostName = "tien"; + # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below) networking.useDHCP = pkgs.lib.mkForce false; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + trustedInterfaces = [ "tailscale0" ]; + }; + + services.caddy = { + enable = true; + email = lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"]; + virtualHosts = { + "johannes-rothe.de".extraConfig = '' + reverse_proxy base:11112 + ''; + "www.johannes-rothe.de".extraConfig = '' + reverse_proxy base:11112 + ''; + "cloud.johannes-rothe.de".extraConfig = '' + reverse_proxy base:5002 + ''; + "feeds.johannes-rothe.de".extraConfig = '' + reverse_proxy base:1990 + ''; + "git.johannes-rothe.de".extraConfig = '' + reverse_proxy base:3001 + ''; + "radicale.johannes-rothe.de".extraConfig = '' + reverse_proxy base:5232 + ''; + }; + }; + services.cloud-init = { enable = true; network.enable = true; }; - networking.firewall = { - enable = true; - trustedInterfaces = [ "tailscale0" ]; - }; - services.tailscale.enable = true; - environment.systemPackages = with pkgs; [ - curl - ]; - system.stateVersion = "24.05"; }
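Review bot: The six `reverse_proxy base:PORT` virtual hosts in the new `services.caddy` block, together with `allowedTCPPorts = [ 80 443 ]`, make every one of those backends reachable from the public internet with no access control at the proxy, so each service's own login is the only barrier. `base` is presumably a tailnet host reached over `tailscale0` (not shown in this hunk), which would mean services that were tailnet-only become internet-facing; that is worth confirming per service, particularly `radicale.johannes-rothe.de` and `git.johannes-rothe.de`, where an open or default auth setting would expose calendar data or repositories. I would record the intent next to the block, e.g. `# public via Caddy; every backend on base must enforce its own authentication`, and keep any host that is not meant to be public off this list or behind a Caddy `remote_ip` matcher. The backends will also see every request arriving from this VPS's address, so any per-client rate limiting or ban logic on them has to use the forwarded client address that Caddy passes along.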