diff --git a/hosts/frikandel/email.nix b/hosts/frikandel/email.nix
index e8b6fce..a43a99d 100644
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@@ -1,6 +1,7 @@
 {
   pkgs,
   lib,
+  flake,
   ...
 }: {
   age.secrets."mail@b12f.io-password" = {
@@ -9,8 +10,19 @@
     owner = "maddy";
   };
 
+  services.caddy.virtualHosts = {
+    "mail.b12f.io" = {
+      extraConfig = ''
+        respond "404 Not Found"
+      '';
+    };
+  };
+
   services.maddy = {
-    enable = true;
+    enable = false;
+
+    openFirewall = true;
+
     primaryDomain = "b12f.io";
 
     ensureAccounts = [
diff --git a/hosts/frikandel/networking.nix b/hosts/frikandel/networking.nix
index 728c79b..f1d382e 100644
--- a/hosts/frikandel/networking.nix
+++ b/hosts/frikandel/networking.nix
@@ -31,6 +31,8 @@
     interface = "enp1s0";
   };
 
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
   # Caddy reverse proxy for local services like cups
   services.caddy = {
     globalConfig = ''
diff --git a/hosts/frikandel/website.nix b/hosts/frikandel/website.nix
index e69de29..8240cf4 100644
--- a/hosts/frikandel/website.nix
+++ b/hosts/frikandel/website.nix
@@ -0,0 +1,42 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  bbeu = pkgs.stdenv.mkDerivation {
+    name = "benjaminbaedorf.eu";
+    src = builtins.fetchgit {
+      url = "https://git.pub.solar/b12f/benjaminbaedorf.eu.git";
+      sparseCheckout = [
+        "fonts"
+        "cows.jpg"
+        "fonts.css"
+        "index.html"
+        "public-pgp-benjamin-baedorf.asc"
+      ];
+      hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+    };
+  };
+in {
+  services.caddy.virtualHosts = {
+    "benjaminbaedorf.eu" = {
+      extraConfig = ''
+          redir https://b12f.io{uri} temporary
+      '';
+    };
+
+    "b12f.io" = {
+      extraConfig = ''
+        handle {
+          root * ${bbeu}
+          try_files {path}.html {path}
+          file_server
+        }
+
+        handle_errors {
+          respond "{http.error.status_code} {http.error.status_text}"
+        }
+      '';
+    };
+  };
+}
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
index 88fe672..1ac1fcd 100644
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@@ -73,6 +73,8 @@
           forward-tls-upstream = "yes";
         }
       ];
+
+      remote-control.control-enable = true;
     };
   };
 
diff --git a/secrets/mail@b12f.io-password.age b/secrets/mail@b12f.io-password.age
new file mode 100644
index 0000000..0e3ead3
Binary files /dev/null and b/secrets/mail@b12f.io-password.age differ