diff --git a/modules/nixos/security/acme/default.nix b/modules/nixos/security/acme/default.nix
index 740eea9..ff54ce1 100644
--- a/modules/nixos/security/acme/default.nix
+++ b/modules/nixos/security/acme/default.nix
@@ -23,6 +23,11 @@ in {
 type = str;
 description = "The domain to request a wildcard cert for.";
 };
+ isWildcard = mkOption {
+ type = bool;
+ default = true;
+ description = "Whether or not to request a wildcard cert.";
+ };
 dnsCredentialsFile = mkOption {
 type = path;
 description = "The path to the credentials file for the DNS provider.";
@@ -49,7 +54,7 @@ in {
 # own DNS to make `lego` happy (will resolve names to a public IP).
 dnsResolver = "1.1.1.1:53";
 credentialsFile = cfg.dnsCredentialsFile;
- extraDomainNames = [("*." + cfg.domainName)];
+ extraDomainNames = mkIf cfg.isWildcard [("*." + cfg.domainName)];
 };
 };
 };
diff --git a/secrets/cf_dns_kilonull.age b/secrets/cf_dns_kilonull.age
index df96353..10dc1cf 100644
Binary files a/secrets/cf_dns_kilonull.age and b/secrets/cf_dns_kilonull.age differ
diff --git a/secrets/hass_mqtt.age b/secrets/hass_mqtt.age
index b010afb..8d064cd 100644
Binary files a/secrets/hass_mqtt.age and b/secrets/hass_mqtt.age differ
diff --git a/secrets/hydra-aws-creds.age b/secrets/hydra-aws-creds.age
index 07a1e6e..b5e5936 100644
Binary files a/secrets/hydra-aws-creds.age and b/secrets/hydra-aws-creds.age differ
diff --git a/secrets/nextcloud_admin.age b/secrets/nextcloud_admin.age
index 8b679b7..28d0118 100644
--- a/secrets/nextcloud_admin.age
+++ b/secrets/nextcloud_admin.age
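Review bot: The `domainName` description in the first hunk, `The domain to request a wildcard cert for.`, is now inaccurate, because the new `isWildcard` option (default `true`) makes the wildcard optional; suggest `description = "The domain to request a cert for (a wildcard cert when isWildcard is true).";`. It would also help if `isWildcard`'s description said what the non-wildcard case covers, i.e. only `domainName` itself, which is what the second hunk's `mkIf cfg.isWildcard` on `extraDomainNames` implements. Both hunks sit inside the module's option and config sets, which continue outside the hunks.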
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> piv-p256 UIEGzg AnK3fZAMaiuHUwPHAI0061l8KBzmjSgZBMjk3UIPJwHd -1iwaFAOz0zIx6B41JtcG2DK2N069hYQ4Vnqg4fedpjo --> ssh-ed25519 Yk7ehg IyyI4ryCFtm+chFhUKfwa4xolCvEvNhxNjkNZgK18X8 -VaSato0zX/b39z+Gg+7e249RUxNMHeEmRBs+42jIu0Q --> ssh-ed25519 SYNSNQ fmj8P+lL02Yul83iYLBgUsEjGvqhmhY9cX9v/MNTORk -WiwoKI9T6NJG7W5LvD+uyNuQMNRTDoCJ1G1SAEtv8Lo ---- miVPF2w5xzQgwPwqt66QSR/Cu8/yyZK2W+MJgd2VcMM -%WHh|_WI7'|=J@Ph!;jVj$cv] d| \ No newline at end of file +-> piv-p256 UIEGzg AlVgFIs0fcxvCxhQpvJy0zoxyDG/jjdH3tanlh6g03Hb +h0BWlUFf6thkOhL7C7p4a+y6pcSyxNcaQRqJB+t5MPI +-> ssh-ed25519 Yk7ehg FISeG4j0GnisFHqaKG3EQlHVwvyMgNaB/azd+K406mE +Hls/fpeD7Y8ijA4i8PVkLOUKIe7G9TGaUegwVBTLV/c +-> ssh-ed25519 SYNSNQ iNNqmZu6C7L5encU/oLYXQswn2DtuW/hvtSLGJft8gQ +EjwJRLMuqezJ427LC9pfR0VibL+IL/idlAJE9WupD9k +--- v3VGseXZtHJeTOxhRIp2fSGAJ8rr/dWQpJP1p12To/I +T%yFҽf:_98zM{MeyFLɵwxgszw:򌎧n(U>B \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f144354..e2ad489 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,9 +6,10 @@ let
 gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ";
 node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
 pi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9fnNXzEmDdmtR+KWj/M9vQioFR0s/4jMnIkUFcj8As";
+ proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAf6Z7SZEOH3H51T/GPIc/B0OpbaydM5l2PP3nMnwpFl";
 };
 in {
- "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4];
+ "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4 machines.proxy];
 "nextcloud_admin.age".publicKeys = [users.me machines.node machines.gospel];
 "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4 machines.gospel];
 "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];
diff --git a/secrets/teslamate_db.age b/secrets/teslamate_db.age
index 6f7332e..f992338 100644
--- a/secrets/teslamate_db.age
+++ b/secrets/teslamate_db.age
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> piv-p256 UIEGzg A8ilJuoE2n5sF0XF6PhErjsJ1/EttBm4tn5Sv51WATLr -KtXedCvKhAyM7cNaHNqMsiNBgRDb6N1ZO/nj0+NFLQY --> ssh-ed25519 Yk7ehg yA2ilbzpLOSs2D3pDXu3p6kpUwkdr7gK9et5mf5iuhs -ON1C1BCQRwQTavOfqGq0byy5elO7EWTkuOi+h5BLa6Y --> ssh-ed25519 SYNSNQ ywdfhuW5cs1aSDPo+JL2b6APhiTijZ892yQk0GA/hlI -m3UBcMG6riihCV1ZNkn11nU+TOfMUyixbC3vnEpvLao ---- CiF9tD78NMgnvy788sBkFti4LdMPx8kQ9DKWphIW8Fo -^9=]}Ɏ(nG< C:$BeG X \ No newline at end of file +-> piv-p256 UIEGzg A7y0aAtgUDLMypaXczhKrN0YTi82Ebmj3YTQ1WZTHU+U +SsotYlcsVQN/O8DTUXIxFmeISElpTF5nxYzsrhVCABE +-> ssh-ed25519 Yk7ehg epI85HdXuSYs7C/01CT7Y8XaTRrw+HkVo6wOa0fz2Bo +mf5q0kcWeElyNAShdVY7MLGSun0cL0ixK5QzQu1NEOk +-> ssh-ed25519 SYNSNQ YgAvuTGFh6hpkaAHIBda4uqmzFEJQkNj2HPenWRoz3o +QjIZqvcqMo4rI+diLDgffrW65qWGnGqrhTR/5Gx8B+4 +--- 2co6b8q6Yg+J4SyPY56r9HGl/gfvEF5Ad010PaftIR0 +LA!xɇ +]$FLZa|mXiq&׻:=edB \ No newline at end of file
diff --git a/secrets/teslamate_encryption.age b/secrets/teslamate_encryption.age
index 15e0c46..794812f 100644
Binary files a/secrets/teslamate_encryption.age and b/secrets/teslamate_encryption.age differ
diff --git a/secrets/teslamate_mqtt.age b/secrets/teslamate_mqtt.age
index daee6ac..6133be4 100644
Binary files a/secrets/teslamate_mqtt.age and b/secrets/teslamate_mqtt.age differ
diff --git a/secrets/theengs_ble_mqtt.age b/secrets/theengs_ble_mqtt.age
index 82b90a0..a10192b 100644
--- a/secrets/theengs_ble_mqtt.age
+++ b/secrets/theengs_ble_mqtt.age
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> piv-p256 UIEGzg A+4ueAfFezO+SbFTU2WVj37mD4CccdnordVpwye7j+6g -FMiMoUqfyNgw/uhhBxuKyx6yUPiZZ1pPt6iIxe0DZHM --> ssh-ed25519 t5XIGA zRq/bzdlJZy9ll2MqKrFuoqSW4oeJ5UxhSkJ+3qlaG8 -y4EFhlpHL6zivpDZW35Fa3vNkbwTmcAOmtvE3HMtfIo --> ssh-ed25519 SYNSNQ LAgvsPWPPz6cn1n3Ygu8HgT8NUyuhDn4xY9APX6T0D8 -sEX8cCiwf/poOeKEox279MCEGMyIUHnMHbiYZdwR/xU ---- nIO+s3lXRheBzqq9AZgNmg6rs8+HoF1sQOYzWy0wfds -E0&k'/9ig9FFZ 4w1 D<*IXq?=p"z4hK v \ No newline at end of file +-> piv-p256 UIEGzg Asl/n0iFj2Swc/Nf1bcMFxgFu64etnimDaw0oC74BbZT +jHCir4VWyhxVGlLkdFYL/pH141ZczE9CRZ9ubWynaEQ +-> ssh-ed25519 t5XIGA QiipiJkDoXn9Vsfwvs2bwvUDygdCaBbm2hPXCmSkpBA +u6PipiF2jSvdt8ydx69UCEjYnMHGAkqOLqGNn78fo3I +-> ssh-ed25519 SYNSNQ NMTuIYkgsxKEcwk7egjbzwlOmmKbrvvPOuUYtjUtjQM +vpyVsReEuAPrcxqkXBWmyWFhx01o67fRznW3UG8R8qk +--- zCzWtcgc8Cnu0XLFXZ9Rlk2u3h1ubZ2K+WqKl7qCaA8 +U-fLT|Ă/.>Ϫo}yWOGZH` \ No newline at end of file
diff --git a/systems/x86_64-do/proxy/README.md b/systems/x86_64-do/proxy/README.md
new file mode 100644
index 0000000..5e3fa24
--- /dev/null
+++ b/systems/x86_64-do/proxy/README.md
@@ -0,0 +1,5 @@
+- Log in (SSH key should already be configured)
+- Change password with `passwd`
+- Set up tailscale with `sudo tailscale up --accept-routes --ssh`
+- Write cloudflare creds to `/var/acme/creds`
+ - Ensure permissions `sudo chmod -R 700 /var/acme/creds`
diff --git a/systems/x86_64-do/proxy/default.nix b/systems/x86_64-do/proxy/default.nix
new file mode 100644
index 0000000..f25c444
--- /dev/null
+++ b/systems/x86_64-do/proxy/default.nix
@@ -0,0 +1,105 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ aa = {
+ nix.enable = true;
+ nix.useSelfhostedCache = true;
+
+ security.acme = {
+ enable = true;
+ domainName = "proxy.kilonull.com";
+ isWildcard = false;
+ # TODO: Use a different cert with more targetted permissions (this one
+ # can make wildcard certs)
+ # TODO: Add machine public key in secrets/secrets.nix
+ dnsCredentialsFile = "/var/acme/creds";
+ };
+
+ services = {
+ openssh.enable = true;
+ # NOTE: Need to run `tailscale login` on first boot
+ tailscale = {
+ enable = true;
+ configureClientRouting = true;
+ };
+ };
+
+ tools.zsh.enable = true;
+ };
+
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
+ access_log /var/log/nginx/access.log upstreamlog;
+ '';
+ virtualHosts."proxy.kilonull.com" = let
+ commonConfig = pkgs.writeText "common_config.conf" ''
+ proxy_redirect off;
+ proxy_set_header Host "hydra.kilonull.com";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+
+ allow 127.0.0.1;
+ allow 100.0.0.0/8;
+ allow 192.168.113.0/24;
+ '';
+ in {
+ forceSSL = true;
+ useACMEHost = "proxy.kilonull.com";
+ locations = {
+ "/" = {
+ extraConfig = ''
+ deny all;
+ '';
+ };
+ "/hydra" = {
+ proxyPass = "https://hydra.kilonull.com";
+ extraConfig = ''
+ rewrite /hydra(.*) /$1 break;
+ include ${commonConfig};
+ deny all;
+ '';
+ };
+ "/hydra/api/push-github" = {
+ proxyPass = "https://hydra.kilonull.com/api/push-github";
+ extraConfig = ''
+ include ${commonConfig};
+ # GitHub webhook IPs
+ allow 192.30.252.0/22;
+ allow 185.199.108.0/22;
+ allow 140.82.112.0/20;
+ allow 143.55.64.0/20;
+ allow 2a0a:a440::/29;
+ allow 2606:50c0::/3;
+ deny all;
+ '';
+ };
+ };
+ };
+ };
+
+ users.users.${config.aa.user.name} = {
+ initialHashedPassword = "$y$j9T$/AuWXo5argOeEi1hwlu161$bvB.V5tfB.acWAvr6mV9lVucdGzQc16UVffMdPbqWD0";
+ };
+ networking.firewall.allowedTCPPorts = [
+ # SSH
+ 22
+
+ # HTTP(S)
+ 80
+ 443
+ ];
+
+ virtualisation.digitalOcean = {
+ setRootPassword = true;
+ setSshKeys = true;
+ };
+
+ system.stateVersion = "24.05";
+}
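Review bot: `allow 2606:50c0::/3;` at the top of this line admits roughly an eighth of the IPv6 address space to the `/hydra/api/push-github` location rather than GitHub's webhook range; GitHub's published hook prefix for that block is a /32, so this should read `allow 2606:50c0::/32;`. Similarly, `allow 100.0.0.0/8;` in `commonConfig` is far wider than the tailnet it presumably targets: Tailscale assigns from 100.64.0.0/10, so `allow 100.64.0.0/10;` keeps the rest of that /8 (public address space) out of the `/hydra` proxy. Hard-coded GitHub ranges also drift over time, so a comment naming the source (the `hooks` list of GitHub's meta API) and the date they were copied would help the next maintainer re-verify them. The `# TODO: Add machine public key in secrets/secrets.nix` comment looks stale, since this commit's secrets.nix hunk already adds `proxy`.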