diff --git a/modules/servers/tyr/default.nix b/modules/servers/tyr/default.nix
index 01bd0ee..5ef542a 100644
--- a/modules/servers/tyr/default.nix
+++ b/modules/servers/tyr/default.nix
@@ -7,5 +7,6 @@
 ./secrets.nix
 ./nfs-server.nix
 ./dns.nix
+ ./traefik.nix
 ];
 }
diff --git a/modules/servers/tyr/dns.nix b/modules/servers/tyr/dns.nix
index e2af2ee..aee9633 100644
--- a/modules/servers/tyr/dns.nix
+++ b/modules/servers/tyr/dns.nix
@@ -64,6 +64,14 @@
 cache-max-ttl = 60;
 cache-max-negative-ttl = 60;
 serve-original-ttl = true;
+
+ local-zone = [''"home.cronyakatsuki.xyz." transparent''];
+
+ local-data = [
+ ''"glance.home.cronyakatsuki.xyz IN A 192.168.0.5"''
+ ''"syncthing.home.cronyakatsuki.xyz IN A 192.168.0.5"''
+ ''"wallos.home.cronyakatsuki.xyz IN A 192.168.0.5"''
+ ];
 };
 };
 };
diff --git a/modules/servers/tyr/glance.nix b/modules/servers/tyr/glance.nix
index 9b647e4..635b704 100644
--- a/modules/servers/tyr/glance.nix
+++ b/modules/servers/tyr/glance.nix
@@ -1,7 +1,7 @@
 {config, ...}: {
 services.glance = {
 enable = true;
- openFirewall = true;
+ openFirewall = false;
 settings = {
 server = {
 host = "0.0.0.0";
@@ -594,4 +594,21 @@
 systemd.services.glance.serviceConfig = {
 EnvironmentFile = ["${config.age.secrets.glance.path}"];
 };
+
+ services.traefik.dynamicConfigOptions.http = {
+ services.glance.loadBalancer.servers = [
+ {
+ url = "http://localhost:8080";
+ }
+ ];
+
+ routers.glance = {
+ rule = "Host(`glance.home.cronyakatsuki.xyz`)";
+ tls = {
+ certResolver = "porkbun";
+ };
+ service = "glance";
+ entrypoints = "websecure";
+ };
+ };
 }
diff --git a/modules/servers/tyr/secrets.nix b/modules/servers/tyr/secrets.nix
index 14d10a8..8dbe79d 100644
--- a/modules/servers/tyr/secrets.nix
+++ b/modules/servers/tyr/secrets.nix
@@ -22,6 +22,10 @@
 glance = {
 file = ../../../secrets/glance.age;
 };
+ traefik = {
+ file = ../../../secrets/traefik.age;
+ owner = "traefik";
+ };
 };
 };
 }
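Review bot: The new `local-zone` is `transparent`, so any `home.cronyakatsuki.xyz` name that is not in `local-data` is still forwarded upstream, and the ACME lookups that traefik.nix points at this resolver (`resolvers = ["127.0.0.1"]`) go the same way; that is presumably why `static` was not chosen, but nothing in the hunk says so. A one-line comment would stop the next reader from "hardening" it to `static` and quietly breaking certificate issuance, e.g. `# transparent, not static: unlisted home.* names (and traefik's ACME lookups) must still resolve upstream`. If I read unbound's zone types right, the three names get a NODATA answer for AAAA because only A records are listed, which is fine as long as nothing expects IPv6 here.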
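Review bot: `openFirewall = false` only closes the port at the firewall; the service still binds `host = "0.0.0.0"` (last context line of this hunk), so glance stays reachable on every interface the moment the firewall is disabled or a rule is added for another reason. The only intended client is now Traefik on the same host (the loadBalancer added further down points at `http://localhost:8080`), so bind to loopback instead: `host = "127.0.0.1";`. If glance ever needs to be reached from another host or container that would have to change, but nothing in this change suggests it does.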
diff --git a/modules/servers/tyr/syncthing.nix b/modules/servers/tyr/syncthing.nix
index 44b37c1..821e63d 100644
--- a/modules/servers/tyr/syncthing.nix
+++ b/modules/servers/tyr/syncthing.nix
@@ -5,12 +5,25 @@
 guiAddress = "0.0.0.0:8384";
 };
 
- networking.firewall = {
- allowedTCPPorts = [8384];
- };
-
 services.restic.backups = {
 local.paths = ["/var/lib/syncthing"];
 server.paths = ["/var/lib/syncthing"];
 };
+
+ services.traefik.dynamicConfigOptions.http = {
+ services.syncthing.loadBalancer.servers = [
+ {
+ url = "http://localhost:8384";
+ }
+ ];
+
+ routers.syncthing = {
+ rule = "Host(`syncthing.home.cronyakatsuki.xyz`)";
+ tls = {
+ certResolver = "porkbun";
+ };
+ service = "syncthing";
+ entrypoints = "websecure";
+ };
+ };
 }
diff --git a/modules/servers/tyr/traefik.nix b/modules/servers/tyr/traefik.nix
new file mode 100644
index 0000000..9152e41
--- /dev/null
+++ b/modules/servers/tyr/traefik.nix
@@ -0,0 +1,45 @@
+{config, ...}: {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ serversTransport.insecureSkipVerify = true;
+ log = {level = "DEBUG";};
+ certificatesResolvers = {
+ porkbun = {
+ acme = {
+ email = "crony@cronyakatsuki.xyz";
+ storage = "/var/lib/traefik/acme.json";
+ caserver = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "porkbun";
+ resolvers = ["127.0.0.1"];
+ propagation = {
+ delayBeforeChecks = 60;
+ disableChecks = true;
+ };
+ };
+ };
+ };
+ };
+ api = {};
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ websecure = {
+ address = ":443";
+ };
+ };
+ };
+ };
+
+ systemd.services.traefik.serviceConfig = {
+ EnvironmentFile = ["${config.age.secrets.traefik.path}"];
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/modules/servers/tyr/wallos.nix b/modules/servers/tyr/wallos.nix
index de311ea..b0eacf4 100644
--- a/modules/servers/tyr/wallos.nix
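Review bot: The firewall rule is removed but `guiAddress = "0.0.0.0:8384"` (first context line) still puts the GUI on every interface, so the host firewall is the only thing keeping it off the LAN; Traefik reaches it via `http://localhost:8384`, so `guiAddress = "127.0.0.1:8384";` is enough. One caveat when doing that: as far as I recall, Syncthing applies a Host-header check to a loopback-bound GUI and will reject requests arriving with `Host: syncthing.home.cronyakatsuki.xyz`, so pair the change with `loadBalancer.passHostHeader = false;` on the new `services.syncthing` entry (or set `insecureSkipHostcheck`) and verify through the proxy. The hunk also gives no sign of a GUI user/password being configured; with the GUI now reachable by hostname over TLS and no auth middleware on the router, confirm that it has one.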
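Review bot: `serversTransport.insecureSkipVerify = true` disables backend certificate verification for every service Traefik proxies, yet all three backends added in this change are plain `http://localhost` URLs, so it buys nothing today and silently weakens any HTTPS backend added later; drop the line, or move it to a named entry under `serversTransports` that only the backend needing it references. `log = {level = "DEBUG";}` is also a production footgun, since Traefik's debug output is very verbose and can echo request and configuration details into the journal; use `log = {level = "INFO";};` unless actively debugging. Two smaller points: each per-host certificate issued by the `porkbun` resolver lands in public Certificate Transparency logs, so the internal names `glance.`, `syncthing.` and `wallos.home.cronyakatsuki.xyz` become enumerable, which requesting `*.home.cronyakatsuki.xyz` through `tls.domains` on the routers would avoid; and the Porkbun credentials in the `traefik` EnvironmentFile are, as far as I know, account-wide rather than zone-scoped, so this host now effectively holds full DNS control of the domain and should be treated accordingly.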
+++ b/modules/servers/tyr/wallos.nix
@@ -11,12 +11,25 @@
 ];
 };
 
- networking.firewall = {
- allowedTCPPorts = [8282];
- };
-
 services.restic.backups = {
 local.paths = ["/var/lib/wallos"];
 server.paths = ["/var/lib/wallos"];
 };
+
+ services.traefik.dynamicConfigOptions.http = {
+ services.wallos.loadBalancer.servers = [
+ {
+ url = "http://localhost:8282";
+ }
+ ];
+
+ routers.wallos = {
+ rule = "Host(`wallos.home.cronyakatsuki.xyz`)";
+ tls = {
+ certResolver = "porkbun";
+ };
+ service = "wallos";
+ entrypoints = "websecure";
+ };
+ };
 }
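Review bot: Removing the 8282 firewall rule only narrows exposure if wallos itself listens on loopback, and the lines that configure its listener sit above this hunk (the `];` and `};` context at the top close a block that starts outside it). If wallos runs as an OCI container with a published port, note that Docker-style port publishing bypasses `networking.firewall` entirely, so it should be published as `"127.0.0.1:8282:8282"` rather than `"8282:8282"`; if it is a native service, bind its listen address to `127.0.0.1` instead. Either way the only consumer is Traefik at `http://localhost:8282`, so nothing else needs the port, and a short comment on the listener line saying it is loopback-only by design would keep it that way.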