diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix
index cead313..c0baf16 100644
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@@ -33,6 +33,8 @@ in {
 authorizedKeys = psCfg.user.publicKeys;
 hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
 };
+ # See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
+ boot.initrd.availableKernelModules = [ "genet" ];
 pub-solar.core.disk-encryption-active = false;
diff --git a/hosts/pie/networking.nix b/hosts/pie/networking.nix
index ac6c0c1..8c99301 100644
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@@ -34,7 +34,7 @@
 # Caddy reverse proxy for local services like cups
 services.caddy = {
 globalConfig = ''
- default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2::
+ default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:acab:1312:acab:2::
 auto_https off
 '';
 };
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
index 53f2201..aa4fb73 100644
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@@ -14,8 +14,12 @@
 "::0"
 ];
 access-control = [
+ # Allow from local network
 "192.168.178.0/24 allow"
- "2a02:908:5b1:e3c0::/64 allow"
+
+ # Allow from wireguard
+ "10.0.1.0/24 allow"
+ "fd00:acab:1312:acab::/48 allow"
 ];
 local-zone = [
 "\"b12f.io\" static"
@@ -30,7 +34,8 @@
 "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
 "\"droppie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
- "\"backup.b12f.io. 10800 IN CNAME droppie.b12f.io\""
+ "\"backup.b12f.io. 10800 IN A 10.0.1.3\""
+ "\"backup.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
 "\"pie.local. 10800 IN A 192.168.178.2\""
 "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
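Review bot: The initrd SSH host key named in the context line (`/etc/secrets/initrd/ssh_host_ed25519_key`) should be confirmed to be a key generated only for the initrd, because the `genet` module added here is what makes that early-boot SSH listener reachable over Ethernet, and the NixOS documentation for initrd host keys warns against reusing the system's regular host key there. The added comment is only a forum link, so the reason is lost if the link disappears; a line such as `# genet: Raspberry Pi 4 onboard Ethernet driver, needed for networking (and SSH) in the initrd` would keep it in the file. The context also shows `pub-solar.core.disk-encryption-active = false;`, so it is worth checking whether an initrd SSH listener is needed on this host at all. The enclosing attribute set starts and ends outside the hunk.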
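Review bot: The two WireGuard addresses added to `default_bind` exist only while the tunnel interface is up, so Caddy may fail to bind at boot or after a tunnel restart unless its unit is ordered after the tunnel; nothing in this hunk establishes that ordering. If the tunnel is managed by `networking.wireguard`, something like `systemd.services.caddy.after = [ "wireguard-<IFACE>.service" ];` would cover it, where `<IFACE>` is a placeholder for the interface name, which is not visible here. `auto_https off` stays in force, so the proxied services are now served as plain HTTP on the tunnel addresses and depend on WireGuard alone for confidentiality and peer authentication; a short comment stating that assumption would help.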
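Review bot: The new rule `"fd00:acab:1312:acab::/48 allow"` has bits set beyond its prefix length, so depending on how Unbound handles it the rule either opens the whole of `fd00:acab:1312::/48` or is rejected; every WireGuard address visible in this diff lies in `fd00:acab:1312:acab::/64`, so `"fd00:acab:1312:acab::/64 allow"` looks like the intended, narrower rule. Separately, the hunk removes `"2a02:908:5b1:e3c0::/64 allow"` directly under the new comment `# Allow from local network`, while the listener list in the context still ends in `"::0"`. LAN clients that query over IPv6 would then presumably fall through to Unbound's default policy for non-local clients; if that is intended, a comment such as `# LAN IPv6 prefix deliberately not allowed` would make it explicit. The enclosing settings block starts outside the hunk.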
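Review bot: The address literals `10.0.1.3` and `fd00:acab:1312:acab:3::` are now repeated for `backup.b12f.io`, and the following hunk (`@@ -39,10 +44,14 @@`) repeats `10.0.1.2` / `fd00:acab:1312:acab:2::` for four more names, so a later renumbering has to touch every line and a missed one leaves a stale record pointing at the wrong host. A small helper in a `let` binding, e.g. `mkRecords = name: v4: v6: [ "\"${name}. 10800 IN A ${v4}\"" "\"${name}. 10800 IN AAAA ${v6}\"" ];`, applied per alias and concatenated into the list, would keep each host's addresses in one place. A one-line comment saying why the CNAME records were replaced would also help the next reader. The list these entries belong to starts outside the hunk.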
@@ -39,10 +44,14 @@
 "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
 "\"pie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
- "\"firefly.b12f.io. 10800 IN CNAME pie.b12f.io\""
- "\"firefly-importer.b12f.io. 10800 IN CNAME pie.b12f.io\""
- "\"paperless.b12f.io. 10800 IN CNAME pie.b12f.io\""
- "\"invoicing.b12f.io. 10800 IN CNAME pie.b12f.io\""
+ "\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"firefly.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
+ "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"firefly-importer.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
+ "\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"paperless.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
+ "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"invoicing.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
 "\"fritz.box. 10800 IN A 192.168.178.1\""
 "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""