diff --git a/newinfra/README.md b/newinfra/README.md new file mode 100644 index 0000000..2a8c0bc --- /dev/null +++ b/newinfra/README.md @@ -0,0 +1,29 @@ +# new infra + +New infra based on more servers and more shit. + +All servers have their hostname as their name here and are reachable via `$hostname.infra.noratrieb.dev`. +They will have different firewall configurations depending on their roles. + +``` + +-------- -------- +| dns1 | | dns2 | +-------- -------- + +-------- +| vps1 | +-------- + +``` + +## DNS + +Two [knot-dns](https://www.knot-dns.cz/) nameservers (`dns1`, `dns2`). +All records are fully static, generated in the NixOS config. + +## HTTP(S) + +Right now, there's only a single server (`vps1`) serving Caddy. + +In the future, there might be a second one in a shared-storage HA setup (with a postgres cluster probably)? diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index 81d34ba..1669820 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix @@ -37,7 +37,10 @@ }; dns1 = { name, nodes, modulesPath, ... }: { - imports = [ ./modules/dns (modulesPath + "/profiles/qemu-guest.nix") ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/dns + ]; # The name and nodes parameters are supported in Colmena, # allowing you to reference configurations in other nodes. @@ -54,7 +57,10 @@ fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; }; }; dns2 = { name, nodes, modulesPath, lib, ... }: { - imports = [ ./modules/dns (modulesPath + "/profiles/qemu-guest.nix") ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/dns + ]; # The name and nodes parameters are supported in Colmena, # allowing you to reference configurations in other nodes. 
@@ -102,4 +108,25 @@ ATTR{address}=="96:00:03:91:16:47", NAME="eth0" ''; }; + + vps1 = { name, nodes, modulesPath, ... }: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/ingress + ]; + + # The name and nodes parameters are supported in Colmena, + # allowing you to reference configurations in other nodes. + networking.hostName = name; + + deployment.targetHost = "vps1.nilstrieb.dev"; + deployment.tags = [ "ingress" "eu" ]; + + system.stateVersion = "23.11"; + + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; }; + }; } diff --git a/newinfra/nix/modules/ingress/Caddyfile b/newinfra/nix/modules/ingress/Caddyfile new file mode 100644 index 0000000..c1ff2ce --- /dev/null +++ b/newinfra/nix/modules/ingress/Caddyfile @@ -0,0 +1,29 @@ +{ + email nilstrieb@proton.me +} + +# https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3 +(cors) { + @cors_preflight{args.0} method OPTIONS + @cors{args.0} header Origin {args.0} + + handle @cors_preflight{args.0} { + header { + Access-Control-Allow-Origin "{args.0}" + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" + Access-Control-Allow-Credentials "false" + Access-Control-Allow-Headers "${args.1}" + Access-Control-Max-Age "86400" + defer + } + respond "" 204 + } + + handle @cors{args.0} { + header { + Access-Control-Allow-Origin "{args.0}" + Access-Control-Expose-Headers * + defer + } + } +} diff --git a/debug.html b/newinfra/nix/modules/ingress/debugging-page/index.html similarity index 70% rename from debug.html rename to newinfra/nix/modules/ingress/debugging-page/index.html index 14d2ca3..14c6682 100644 --- a/debug.html +++ b/newinfra/nix/modules/ingress/debugging-page/index.html @@ -2,12 +2,11 @@
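Review bot: The new `vps1` node deploys to `deployment.targetHost = "vps1.nilstrieb.dev";`, which is also the public site name the ingress Caddyfile in this commit serves, while the README added in the same commit states that every server is reachable as `$hostname.infra.noratrieb.dev`; one of the two is stale. If the deploy target is meant to be the per-host management name, this should read `deployment.targetHost = "vps1.infra.noratrieb.dev";`, otherwise the README should say that ingress nodes are addressed by their public name. A short comment above `boot.initrd.availableKernelModules` naming the hypervisor this VPS actually runs on would also help, since the list mixes Xen, VMware and PIIX drivers under a `qemu-guest.nix` profile. The enclosing attribute set of this hunk begins before the hunk.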
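Review bot: In the `(cors)` snippet the preflight handler sets `Access-Control-Allow-Headers "${args.1}"`, but Caddyfile placeholders are written `{args.1}`; the leading `$` is emitted literally, so the preflight advertises `$X-Foo` instead of `X-Foo` and browsers will refuse any cross-origin request that needs those headers. It should be `Access-Control-Allow-Headers "{args.1}"`. Separately, `@cors_preflight{args.0} method OPTIONS` matches every OPTIONS request regardless of its Origin, so once a site imports this snippet all OPTIONS requests answer 204 with the CORS headers; that is harmless because `Access-Control-Allow-Origin` is pinned to the argument rather than reflected, but if it is unwanted the matcher can be written in block form as `@cors_preflight{args.0} { method OPTIONS` / `header Origin {args.0} }`. Nothing in this commit imports the snippet yet, so the bug is latent until a site block uses `import cors`.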
- -sorry, but there isn't anything cool here. this is my infra, you are not allowed here.
if you do want to be allowed here, then uh.. still no.
:3
diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix index c915eb0..b964688 100644 --- a/newinfra/nix/modules/ingress/default.nix +++ b/newinfra/nix/modules/ingress/default.nix @@ -1 +1,20 @@ -{ ... }: { } +{ pkgs, ... }: { + networking.firewall.allowedTCPPorts = [ + 22 + 443 + ]; + + services.caddy = { + enable = true; + configFile = pkgs.writeText "Caddyfile" + ( + builtins.readFile ./Caddyfile + + '' + vps1.nilstrieb.dev { + root * ${./debugging-page} + file_server + } + '' + ); + }; +}
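Review bot: `networking.firewall.allowedTCPPorts = [ 22 443 ];` does not open port 80, yet Caddy's automatic HTTPS expects to listen there for the HTTP-01 ACME challenge and for the plain-HTTP to HTTPS redirect; certificate issuance should still succeed over TLS-ALPN-01 on 443, but a visitor typing `http://vps1.nilstrieb.dev` will presumably get a connection refused rather than a redirect. If that is intentional, a comment such as `# 80 deliberately closed: no HTTP redirect, ACME via TLS-ALPN-01 on 443` would save the next reader from re-opening it; otherwise add `80` to the list. Caddy also serves HTTP/3 by default, which needs `allowedUDPPorts = [ 443 ];` to be reachable, though clients fall back to TCP when it is not. The Caddyfile is assembled by string concatenation in Nix; that is fine for trusted config, but `services.caddy.virtualHosts."vps1.nilstrieb.dev".extraConfig` would express the site block without a hand-built file.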