diff --git a/hosts/frikandel/default.nix b/hosts/frikandel/default.nix
index 126999f..b17fef9 100644
--- a/hosts/frikandel/default.nix
+++ b/hosts/frikandel/default.nix
@@ -6,6 +6,7 @@
 ./networking.nix
 ./unbound.nix
 ./nginx.nix
+ ./invoiceplane-proxy.nix
 ./wireguard.nix
 ./email.nix
 ./website.nix
diff --git a/hosts/frikandel/invoiceplane-proxy.nix b/hosts/frikandel/invoiceplane-proxy.nix
new file mode 100644
index 0000000..f8f210b
--- /dev/null
+++ b/hosts/frikandel/invoiceplane-proxy.nix
@@ -0,0 +1,20 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ security.acme.certs = {
+ "invoicing.b12f.io" = {};
+ };
+
+ services.nginx.virtualHosts = {
+ "invoicing.b12f.io" = {
+ forceSSL = true;
+ useACMEHost = "invoicing.b12f.io";
+ # This redirects to invoiceplane on pie
+ locations."/".proxyPass = "https://invoicing.b12f.io";
+ };
+ };
+}
diff --git a/hosts/frikandel/unbound.nix b/hosts/frikandel/unbound.nix
index c21ffec..c19f869 100644
--- a/hosts/frikandel/unbound.nix
+++ b/hosts/frikandel/unbound.nix
@@ -58,6 +58,9 @@ "\"b12f.io\" transparent" ]; local-data = [ + "\"droppie.b12f.io. 10800 IN A 10.13.12.3\"" + "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\"" + "\"droppie.b12f.io. 10800 IN A 10.13.12.3\"" "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\"" "\"backup.b12f.io. 10800 IN A 10.13.12.3\""
diff --git a/hosts/pie/invoiceplane.nix b/hosts/pie/invoiceplane.nix
index 74fa216..6093d9d 100644
--- a/hosts/pie/invoiceplane.nix
+++ b/hosts/pie/invoiceplane.nix
@@ -33,7 +33,6 @@ in { services.invoiceplane.webserver = "nginx"; services.invoiceplane.sites."invoicing.b12f.io" = { - # nginx is not supported enable = true; database = {
diff --git a/modules/acme/default.nix b/modules/acme/default.nix
index b95847d..7535361 100644
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
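Review bot: In the new `invoiceplane-proxy.nix`, `locations."/".proxyPass = "https://invoicing.b12f.io"` sends traffic to an HTTPS upstream, but nginx does not verify the upstream certificate or send SNI unless configured to, so the hop to pie is encrypted without being authenticated. I would add `extraConfig = "proxy_ssl_server_name on; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;";` to that location so a wrong backend fails closed. The inline comment says "redirects" while the code proxies; `# Reverse-proxies to InvoicePlane on pie` would match what it does. The module arguments `flake`, `config`, `pkgs` and `lib` are unused in this file.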
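Review bot: The `local-data` lines added in `unbound.nix` repeat the `droppie.b12f.io` A/AAAA records that already appear as context directly below them, so this hunk seems to add duplicates rather than a new name. The new vhost on frikandel proxies to `https://invoicing.b12f.io` and the Terraform change points that name's CNAME at frikandel, so the proxy presumably needs an internal override for `invoicing.b12f.io` here; without one, nginx on frikandel may resolve the upstream to itself. If that was the intent, the added entries would read like `"\"invoicing.b12f.io. 10800 IN A <pie-internal-ipv4>\""` plus the matching AAAA line. The list continues outside the hunk, so an existing record may already cover this.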
@@ -19,6 +19,8 @@
 # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 dnsProvider = "hostingde";
 dnsPropagationCheck = true;
+ # We check via dns0 directly or unbound will be in our way
+ dnsResolver = "193.110.81.0";
 credentialsFile = config.age.secrets."hosting-de-acme-secrets".path;
 group = "nginx";
 webroot = null;
diff --git a/terraform/b12f.io.tf b/terraform/b12f.io.tf
index fa70308..16f9fda 100644
--- a/terraform/b12f.io.tf
+++ b/terraform/b12f.io.tf
@@ -160,7 +160,7 @@ resource "hostingde_record" "b12f-invoicing" {
 zone_id = hostingde_zone.b12f.id
 name = "invoicing.b12f.io"
 type = "CNAME"
- content = "pie.b12f.io"
+ content = "frikandel.b12f.io"
 ttl = 300
 }
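Review bot: `dnsResolver = "193.110.81.0"` in `modules/acme/default.nix` pins the DNS-01 propagation lookups to a single public resolver given as a bare address. The NixOS option documents the `host:port` form, so `dnsResolver = "193.110.81.0:53";` is the safer spelling, and the comment could name the operator and the reason, e.g. `# dns0 public resolver; bypasses local unbound, which overrides b12f.io names`. The lookup is plain, unauthenticated DNS, which is tolerable because this is only a pre-flight check and the CA validates the challenge independently, but renewals now depend on that one address being reachable. The surrounding attribute set starts and ends outside the hunk.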