diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index cc5c6df..cdc1e8b 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -63,8 +63,9 @@
 };
 services = {
- # TODO move to grafana service lib
 friendlyport.vpn.ports = [
+ 80
+ 443
 myData.ports.grafana
 myData.ports.prometheus
 myData.ports.exporters.node
@@ -121,6 +122,18 @@
 services = {
 tailscale.enable = true;
+ caddy = {
+ enable = true;
+ acmeCA = null;
+ virtualHosts."grafana.jakstys.lt" = {
+ extraConfig = ''
+ encode gzip
+ reverse_proxy 127.0.0.1:3000
+ tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
+ '';
+ };
+ };
+
 grafana = {
 enable = true;
 provision = {
@@ -187,6 +200,48 @@
 };
 };
+ systemd.services = {
+ caddy = let
+ grafanaZone = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
+ in {
+ unitConfig.ConditionPathExists = [
+ grafanaZone.certFile
+ grafanaZone.keyFile
+ ];
+ serviceConfig.LoadCredential = [
+ "grafana.jakstys.lt-cert.pem:${grafanaZone.certFile}"
+ "grafana.jakstys.lt-key.pem:${grafanaZone.keyFile}"
+ ];
+ after = ["nsd-acme-grafana.jakstys.lt.service"];
+ wants = ["nsd-acme-grafana.jakstys.lt.service"];
+ };
+
+ cert-watcher = {
+ description = "Restart caddy when tls keys/certs change";
+ wantedBy = ["multi-user.target"];
+ unitConfig = {
+ StartLimitIntervalSec = 10;
+ StartLimitBurst = 5;
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart caddy.service";
+ };
+ };
+ };
+
+ systemd.paths = {
+ cert-watcher = {
+ wantedBy = ["multi-user.target"];
+ pathConfig = {
+ PathChanged = [
+ config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile
+ ];
+ Unit = "cert-watcher.service";
+ };
+ };
+ };
+
 networking = {
 hostId = "f9117e1b";
 hostName = "vno1-oh2";
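Review bot: The `tls` line of the caddy vhost only works together with the LoadCredential names declared in the separate systemd.services.caddy hunk of this same commit, and `acmeCA = null` carries no explanation, so a reader of this block cannot tell that Caddy is deliberately not running its own ACME flow or where the two `{$CREDENTIALS_DIRECTORY}` paths come from. A comment above `caddy = {` along the lines of `# TLS material comes from nsd-acme (DNS-based issuance); acmeCA = null stops Caddy from attempting ACME itself, and the tls paths below must match the LoadCredential names in systemd.services.caddy.` would keep the two halves from drifting apart. Since Caddy will not renew anything itself under this setting, it is also worth stating next to the vhost that the cert-watcher path unit is the only renewal mechanism. The reverse_proxy target is plain HTTP on 127.0.0.1:3000, which is acceptable on loopback; Grafana's own root_url/domain settings are outside this hunk and I cannot confirm they match the public hostname.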
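Review bot: The cert-watcher path unit watches only `certFile`, while the caddy service loads both the cert and the key through LoadCredential; if nsd-acme writes the key after the cert (the write order is not visible in this commit), the restart fired by the cert change can load a key that no longer matches the new cert until some later change fires again. Listing both files, `PathChanged = [ config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile config.mj.services.nsd-acme.zones."grafana.jakstys.lt".keyFile ];`, closes that gap, and StartLimitBurst = 5 already bounds the extra restart a two-file rewrite would cause. Separately, `ConditionPathExists` makes caddy skip silently rather than fail when the cert is absent at boot; a comment such as `# caddy stays down until nsd-acme has issued the first cert; cert-watcher restarts it on later changes` would record that this is intentional, though whether the very first issuance triggers PathChanged depends on unit ordering I cannot see here.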
@@ -200,8 +255,8 @@
 }
 ];
 firewall = {
- allowedUDPPorts = [53];
- allowedTCPPorts = [53];
+ allowedUDPPorts = [53 80 443];
+ allowedTCPPorts = [53 80 443];
 logRefusedConnections = false;
 checkReversePath = "loose"; # for tailscale
 };
diff --git a/modules/services/nsd-acme/default.nix b/modules/services/nsd-acme/default.nix
index b6e3cb3..dbb31b4 100644
--- a/modules/services/nsd-acme/default.nix
+++ b/modules/services/nsd-acme/default.nix
@@ -55,7 +55,7 @@ in {
 zones = lib.mkOption {
 default = {};
 type = attrsOf (submodule (
- {...}: {
+ {name, ...}: {
 options = {
 accountKey = lib.mkOption {type = path;};
 days = lib.mkOption {
@@ -66,6 +66,17 @@ in {
 type = bool;
 default = false;
 };
+
+ # Warning: paths here are here to be read from. Changing them will
+ # not place the files somewhere else.
+ certFile = lib.mkOption {
+ type = str;
+ default = "/var/lib/nsd-acme/${name}/${name}/cert.pem";
+ };
+ keyFile = lib.mkOption {
+ type = str;
+ default = "/var/lib/nsd-acme/${name}/private/${name}/key.pem";
+ };
 };
 }
 ));
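Review bot: `allowedUDPPorts = [53 80 443]` opens UDP 80 for which nothing in this commit listens, and the reason for exposing 80 and 443 on all interfaces (rather than only via friendlyport.vpn.ports, where the same ports were added earlier in this commit) is not recorded. Recent Caddy versions serve HTTP/3 on UDP 443 by default, so UDP 443 is plausible, but UDP 80 should be dropped, `allowedUDPPorts = [53 443];`. Because certificates come from nsd-acme rather than an HTTP-01 challenge, TCP 80 is needed only for the HTTP-to-HTTPS redirect, and a trailing comment on the changed line, `allowedTCPPorts = [53 80 443]; # 80/443: caddy for grafana.jakstys.lt; ACME is DNS-based, 80 is redirect only`, would let the next reader judge whether 80 can be closed. The enclosing networking block starts outside this hunk.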
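Review bot: `certFile` and `keyFile` are documented as read-only locations yet declared as ordinary `str` options, so a user can override them and the module will advertise a path that nothing writes to; the consumers added in this same commit feed these values into ConditionPathExists and LoadCredential, which would then point at missing or stale files without any evaluation-time error. Adding `readOnly = true;` to both mkOption calls makes such an override fail at evaluation, and the warning can then state the contract directly, for example `# Read-only: where nsd-acme writes the issued cert/key for this zone; consumers read these paths, setting them does not relocate the files.` The defaults must agree with wherever the module actually writes the files, which is outside this hunk.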