diff --git a/hosts/blacksteel/Caddyfile b/hosts/blacksteel/Caddyfile
new file mode 100644
index 0000000..bb05e95
--- /dev/null
+++ b/hosts/blacksteel/Caddyfile
@@ -0,0 +1,64 @@
+(default) {
+ encode zstd gzip
+
+ header {
+ # https://observatory.mozilla.org/analyze/ny4.dev
+ # https://infosec.mozilla.org/guidelines/web_security
+ # https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+ ?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+ ?Permissions-Policy interest-Hpcohort=()
+ ?Strict-Transport-Security max-age=31536000;
+ ?X-Content-Type-Options nosniff
+ ?X-Frame-Options DENY
+ }
+
+ handle_path /robots.txt {
+ file_server * {
+ root /var/www/robots/robots.txt
+ }
+ }
+}
+
+http://mastodon.ny4.dev:80 {
+ import default
+ handle_path /system/* {
+ file_server * {
+ root /var/lib/mastodon/public-system
+ }
+ }
+
+ handle /api/v1/streaming/* {
+ reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
+ header_up X-Forwarded-Proto "https"
+ }
+ }
+
+ route * {
+ file_server * {
+ root @mastodon@/public
+ pass_thru
+ }
+ reverse_proxy * unix//run/mastodon-web/web.socket {
+ header_up X-Forwarded-Proto "https"
+ }
+ }
+
+ handle_errors {
+ root * @mastodon@/public
+ rewrite 500.html
+ file_server
+ }
+}
+
+http://matrix.ny4.dev:80 {
+ import default
+ reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
+ reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
+ reverse_proxy /health unix//run/matrix-synapse/synapse.sock
+}
+
+http://syncv3.ny4.dev:80 {
+ import default
+ reverse_proxy unix//run/matrix-sliding-sync/sync.sock
+}
diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix
index 1d08dc9..71bd45e 100644
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
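Review bot: Every upstream in this file is reached through cloudflared on loopback, so unless Caddy is told which proxy to trust, Mastodon and Synapse will see 127.0.0.1 as the client for every request, which defeats per-IP rate limiting and audit logging; I believe Caddy only forwards an inbound X-Forwarded-For when the connection comes from a configured `trusted_proxies` range, e.g. `reverse_proxy ... { trusted_proxies private_ranges }` in each of the three site blocks. The sites are declared as `http://...:80` with `header_up X-Forwarded-Proto "https"` hard-coded, so any client that can reach port 80 on this host directly gets a plaintext connection that the upstream treats as TLS; worth confirming port 80 is not opened in the host firewall, which this diff does not show. `?Permissions-Policy interest-Hpcohort=()` looks like a typo for `interest-cohort=()`, so as written the header names a feature no browser recognises.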
@@ -42,8 +42,9 @@
 "mastodon/environment" = {
 restartUnits = ["mastodon-web.service"];
 };
- "frp/environment" = {
- restartUnits = ["frp.service"];
+ "cloudflared/secret" = {
+ restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
+ owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
 };
 };
 };
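Review bot: The tunnel UUID `6222a3e0-98da-4325-be19-0f86a7318a41` is spelled out twice in this hunk (restartUnits and owner) and once more as the `services.cloudflared.tunnels` attribute later in the file, so a tunnel rotation has three places to keep in sync and a mismatch only surfaces as an evaluation error on the `owner` lookup. Bind it once, e.g. `let tunnelId = "6222a3e0-98da-4325-be19-0f86a7318a41"; in` at the top of the module, and derive the unit name with `"cloudflared-tunnel-${tunnelId}.service"` in both places. The enclosing sops.secrets attribute set starts outside the hunk.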
@@ -56,70 +57,42 @@ openFirewall = true; }; - services.frp = { + services.cloudflared = { enable = true; - role = "client"; - settings = { - serverAddr = "18.177.132.61"; # TODO: can I use a domain name? - serverPort = 7000; - auth.method = "token"; - auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}"; - proxies = [ - { - name = "synapse"; - type = "tcp"; - remotePort = 8600; - plugin = { - type = "unix_domain_socket"; - unixPath = "/run/matrix-synapse/synapse.sock"; - }; - } - { - name = "syncv3"; - type = "tcp"; - remotePort = 8700; - plugin = { - type = "unix_domain_socket"; - unixPath = "/run/matrix-sliding-sync/sync.sock"; - }; - } - { - name = "mastodon-web"; - type = "tcp"; - remotePort = 8900; - plugin = { - type = "unix_domain_socket"; - unixPath = "/run/mastodon-web/web.socket"; - }; - } - { - name = "mastodon-streaming"; - type = "tcp"; - remotePort = 9000; - plugin = { - type = "unix_domain_socket"; - unixPath = "/run/mastodon-streaming/streaming-1.socket"; - }; - } - { - name = "mastodon-system"; - type = "tcp"; - remotePort = 9100; - plugin = { - # FIXME: - type = "static_file"; - localPath = "/var/lib/mastodon/public-system"; - }; - } - ]; + tunnels = { + "6222a3e0-98da-4325-be19-0f86a7318a41" = { + credentialsFile = config.sops.secrets."cloudflared/secret".path; + default = "http_status:404"; + ingress = { + # TODO: is this safe? + # browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon + # ^ no tls in this part? 
+ "mastodon.ny4.dev" = "http://localhost:80"; + "matrix.ny4.dev" = "http://localhost:80"; + "syncv3.ny4.dev" = "http://localhost:80"; + }; + }; }; }; - systemd.services.frp.serviceConfig = { - EnvironmentFile = [config.sops.secrets."frp/environment".path]; + services.caddy = { + enable = true; + configFile = pkgs.substituteAll { + src = ./Caddyfile; + inherit (pkgs) mastodon; + }; + }; + + systemd.services.caddy.serviceConfig = { SupplementaryGroups = ["mastodon" "matrix-synapse"]; }; + systemd.tmpfiles.settings = { + "10-www" = { + "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt; + }; + }; + services.postgresql = { enable = true; settings = { diff --git a/hosts/blacksteel/secrets.yaml b/hosts/blacksteel/secrets.yaml index e84685f..d2516e0 100644 --- a/hosts/blacksteel/secrets.yaml +++ b/hosts/blacksteel/secrets.yaml @@ -5,8 +5,8 @@ syncv3: environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str] mastodon: environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str] -frp: - environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str] +cloudflared: + secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str] sops: kms: [] gcp_kms: [] 
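Review bot: `inherit (pkgs) mastodon` substitutes `@mastodon@` in the Caddyfile with the unmodified pkgs.mastodon, while the running instance is whatever `services.mastodon.package` resolves to; if that is ever overridden, the static files Caddy serves from `@mastodon@/public` will not match the fingerprinted asset names the app emits, so prefer `mastodon = config.services.mastodon.package;`. On the `# TODO: is this safe?` question: the cloudflared → Caddy hop is plain HTTP but stays on this host's loopback interface (the ingress targets are `http://localhost:80`), and the only party that sees plaintext off-host is Cloudflare's edge, which terminates the browser's TLS by design of the tunnel, so the comment could be replaced with `# cloudflared reaches Caddy over loopback only; Cloudflare's edge terminates browser TLS and sees plaintext by design.` The enclosing configuration attribute set starts and ends outside the hunk.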
@@ -31,8 +31,8 @@ sops: bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-20T14:23:30Z" - mac: ENC[AES256_GCM,data:cgDwV6lXR+eTOFcfytKDc2cCs+w/PGDS3fASoKw5VQ95StbmvVNt0go4yAt1D86LXa5p1ReW8dVaciDovuhCFd/jZ+zJpA7sNwKBNrlye7sURW6zDiVM7ITyslPd31bSeIL5/qtiwyT+1tdnthSTjtJPrnPu9NfsRrkUsITT7WA=,iv:ComILTHFTb8lHooVemIg+Nx9ZDWr6SyweZTtmsjWALQ=,tag:7Bj38htDNkoHZdVDMgEiBA==,type:str] + lastmodified: "2024-06-21T07:19:43Z" + mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/hosts/lightsail-tokyo/Caddyfile b/hosts/lightsail-tokyo/Caddyfile index 76edaec..034c17b 100644 --- a/hosts/lightsail-tokyo/Caddyfile +++ b/hosts/lightsail-tokyo/Caddyfile @@ -6,7 +6,9 @@ } } -(header) { +(default) { + encode zstd gzip + header { # https://observatory.mozilla.org/analyze/ny4.dev # https://infosec.mozilla.org/guidelines/web_security @@ -18,13 +20,7 @@ ?X-Content-Type-Options nosniff ?X-Frame-Options DENY } -} -(compression) { - encode zstd gzip -} - -(robots) { handle_path /robots.txt { file_server * { root /var/www/robots/robots.txt @@ -32,12 +28,6 @@ } } -(default) { - import header - import compression - import robots -} - www.ny4.dev { import default redir https://ny4.dev @@ -91,13 +81,6 @@ pixiv.ny4.dev { reverse_proxy unix//run/pixivfe/pixiv.sock } -matrix.ny4.dev { - import default - reverse_proxy /_matrix/* localhost:8600 - reverse_proxy /_synapse/client/* localhost:8600 - reverse_proxy /health localhost:8600 -} - syncv3.ny4.dev { import default reverse_proxy localhost:8700 
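Review bot: The `syncv3.ny4.dev` site left as context at the end of the @@ -91 hunk still proxies to `localhost:8700`, but 8700 was the frp remotePort for the sliding-sync socket and the frp server is removed from this host in the same commit (lightsail-tokyo/default.nix), while syncv3 is now served from blacksteel through the tunnel. As long as this block stays, the lightsail host will keep obtaining a certificate for syncv3.ny4.dev and answer with 502s if DNS still points at it; delete the block alongside the removed `matrix.ny4.dev` one, or add a comment explaining why it is kept. The other hunks on this line are the snippet consolidation into `(default)` and raise nothing.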
@@ -114,31 +97,6 @@ element.ny4.dev { file_server } -mastodon.ny4.dev { - import default - handle_path /system/* { - reverse_proxy localhost:9100 - } - - handle /api/v1/streaming/* { - reverse_proxy localhost:9000 - } - - route * { - file_server * { - root @mastodon@/public - pass_thru - } - reverse_proxy * localhost:8900 - } - - handle_errors { - root * @mastodon@/public - rewrite 500.html - file_server - } -} - git.ny4.dev { import default reverse_proxy unix//run/forgejo/forgejo.sock diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix index 4ac3a87..6397f6e 100644 --- a/hosts/lightsail-tokyo/default.nix +++ b/hosts/lightsail-tokyo/default.nix @@ -39,9 +39,6 @@ "searx/environment" = { restartUnits = ["searx.service"]; }; - "frp/environment" = { - restartUnits = ["frp.service"]; - }; }; templates = { @@ -69,9 +66,6 @@ # caddy 80 443 - - # frp - 7000 ]; systemd.tmpfiles.settings = { @@ -118,20 +112,6 @@ ]; }; - services.frp = { - enable = true; - role = "server"; - settings = { - bindPort = 7000; - auth.method = "token"; - auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}"; - }; - }; - - systemd.services.frp.serviceConfig = { - EnvironmentFile = [config.sops.secrets."frp/environment".path]; - }; - # `journalctl -u murmur.service | grep Password` services.murmur = { enable = true; diff --git a/hosts/lightsail-tokyo/secrets.yaml b/hosts/lightsail-tokyo/secrets.yaml index 700d288..766f03e 100644 --- a/hosts/lightsail-tokyo/secrets.yaml +++ b/hosts/lightsail-tokyo/secrets.yaml 
@@ -4,8 +4,6 @@ searx: environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str] pixivfe: environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str] -frp: - environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str] sops: kms: [] gcp_kms: [] @@ -30,8 +28,8 @@ sops: R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-20T08:14:22Z" - mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str] + lastmodified: "2024-06-21T07:19:35Z" + mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1