diff --git a/nixos/hosts/flandre-m5p/networking.nix b/nixos/hosts/flandre-m5p/networking.nix
index c82a803..406edf0 100644
--- a/nixos/hosts/flandre-m5p/networking.nix
+++ b/nixos/hosts/flandre-m5p/networking.nix
@@ -2,8 +2,6 @@
 profiles,
 lib,
 config,
- hostData,
- mylib,
 ...
 }:
 {
@@ -11,6 +9,12 @@
 services.enthalpy.customer-dualstack
 ];
 
+ systemd.services.nix-daemon = {
+ inherit (config.networking.netns.enthalpy) serviceConfig;
+ after = [ "netns-enthalpy.service" ];
+ requires = [ "netns-enthalpy.service" ];
+ };
+
 services.enthalpy = {
 ipsec.interfaces = [ "enp2s0" ];
 clat.segment = lib.singleton "fde3:3be3:a244:f876::2";
@@ -75,47 +79,4 @@
 }
 '';
 };
-
- sops.secrets."wireguard/reimu-aston/private-key" = {
- sopsFile = config.sops.secretFiles.host;
- };
-
- sops.secrets."wireguard/reimu-aston/preshared-key" = {
- sopsFile = config.sops.secretFiles.host;
- };
-
- networking.wireguard = {
- enable = true;
- interfaces = {
- reimu-aston = {
- privateKeyFile = config.sops.secrets."wireguard/reimu-aston/private-key".path;
- interfaceNamespace = "enthalpy";
- listenPort = config.networking.ports.enthalpy-wireguard-reimu-aston;
- peers = lib.singleton {
- publicKey = "Phf1usg7i2vW5gawA1C44ZIydCFFCUqyP01w9j4/bEY=";
- presharedKeyFile = config.sops.secrets."wireguard/reimu-aston/preshared-key".path;
- allowedIPs = [
- "172.16.0.1/32"
- "${mylib.network.cidr.host 1 (mylib.network.cidr.subnet 4 15 hostData.enthalpy_node_prefix)}/128"
- ];
- };
- };
- };
- };
-
- networking.netns.enthalpy = {
- enableIPv4Forwarding = lib.mkForce true;
- nftables = {
- enable = true;
- tables.wireguard-reimu-aston = {
- family = "ip";
- content = ''
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
- iifname reimu-aston oifname clat counter masquerade
- }
- '';
- };
- };
- };
 }
diff --git a/nixos/profiles/services/caddy/default.nix b/nixos/profiles/services/caddy/default.nix
index fccc2bb..936d323 100644
--- a/nixos/profiles/services/caddy/default.nix
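Review bot: The new `systemd.services.nix-daemon` override carries no comment on why the daemon is moved into the enthalpy namespace, and `after`/`requires` only follow an explicit stop or restart of `netns-enthalpy.service`; if that unit exits or fails on its own, nix-daemon keeps running in the old namespace and whatever reachability the namespace was meant to provide (presumably for substituter fetches) is silently lost. Adding `bindsTo = [ "netns-enthalpy.service" ];` next to `requires` ties the daemon's lifetime to the namespace unit. A one-line comment such as `# run nix-daemon inside the enthalpy netns so its outbound traffic follows that namespace's routing` above the block would record the intent. Whether the inherited `serviceConfig` actually sets a NetworkNamespacePath, and whether it collides with keys the upstream nix-daemon unit already sets, is not visible here and should be confirmed.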
+++ b/nixos/profiles/services/caddy/default.nix
@@ -29,5 +29,9 @@
 
 services.caddy.globalConfig = ''
 admin 127.0.0.1:${toString config.networking.ports.caddy-admin}
+
+ servers {
+ metrics
+ }
 '';
 }
diff --git a/nixos/profiles/services/prometheus/node-exporter.nix b/nixos/profiles/services/prometheus/node-exporter.nix
index a76e13a..9d601e7 100644
--- a/nixos/profiles/services/prometheus/node-exporter.nix
+++ b/nixos/profiles/services/prometheus/node-exporter.nix
@@ -27,6 +27,13 @@
 }
 reverse_proxy ${listenAddress}:${toString port}
 }
+
+ route /caddy {
+ basic_auth {
+ prometheus {$PROM_PASSWD}
+ }
+ metrics
+ }
 '';
 };
 }
diff --git a/nixos/profiles/services/prometheus/server.nix b/nixos/profiles/services/prometheus/server.nix
index 6a88915..1f09b1f 100644
--- a/nixos/profiles/services/prometheus/server.nix
+++ b/nixos/profiles/services/prometheus/server.nix
@@ -64,6 +64,16 @@ in
 };
 static_configs = [ { inherit targets; } ];
 }
+ {
+ job_name = "caddy";
+ scheme = "https";
+ metrics_path = "/caddy";
+ basic_auth = {
+ username = "prometheus";
+ password_file = config.sops.secrets."prometheus/password".path;
+ };
+ static_configs = [ { inherit targets; } ];
+ }
 {
 job_name = "dns";
 scheme = "http";
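Review bot: `servers { metrics }` is added to the global config without a comment saying that it switches on Caddy's per-request HTTP metrics for every server, not just one site; a line such as `# enable HTTP request metrics for all servers; exposed only via the basic_auth-protected /caddy route (node-exporter.nix) and the loopback admin endpoint above` would document both what it enables and why it is acceptable to turn on. The loopback claim follows from the `admin 127.0.0.1:...` line directly above; whether any other site routes a `metrics` handler is not visible here, so confirm before relying on the comment.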
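Review bot: The new `/caddy` route serves Caddy's own metrics behind `basic_auth` with `{$PROM_PASSWD}`, but nothing records that Caddy's basic_auth expects a bcrypt hash there, while server.nix in this same change reads the plaintext from `prometheus/password`; a comment `# PROM_PASSWD is the bcrypt hash of prometheus/password (caddy hash-password), never the plaintext` above the route would keep the two from being confused on the next edit. The `/caddy` matcher is exact-path, which agrees with `metrics_path = "/caddy"` in server.nix, so `/caddy/` or any sub-path falls through to whatever handles the rest of this site. The enclosing virtual-host string starts outside the hunk, so whether the exporter route above uses the same credential block, and could share a named matcher with this one, cannot be seen here.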
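Review bot: The `caddy` job scrapes every entry of `targets` at `/caddy`, so any host in that list that does not carry the Caddy profile will sit permanently at `up == 0` for this job; if `targets` is shared with the node-exporter job above, a separate list of Caddy hosts, or at least a comment stating that every target runs Caddy, would avoid standing false alarms. The inline `basic_auth` attrset repeats the `prometheus` credential; the file already has a `let` (the hunk header shows `in`), so `promAuth = { username = "prometheus"; password_file = config.sops.secrets."prometheus/password".path; };` bound there and `basic_auth = promAuth;` here would keep the jobs consistent. Whether the sibling jobs use the same block is not visible in this hunk.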