diff --git a/Makefile b/Makefile
index bfcca3a..56e710e 100644
--- a/Makefile
+++ b/Makefile
@@ -6,4 +6,4 @@ rebuild-pi:
 	NIX_SSHOPTS="-o IdentitiesOnly=yes -i ~/.ssh/id_rsa" nixos-rebuild switch --flake .#pi --target-host pi --build-host server --use-remote-sudo
 
 deploy-server:
-	nixos-rebuild switch --flake .#server --target-host server --build-host server --use-remote-sudo
+	nixos-rebuild switch --flake .#server --target-host server --build-host server --use-remote-sudo --ask-sudo-password
diff --git a/devices/pi/configuration.nix b/devices/pi/configuration.nix
index 98ff71f..b3be1d7 100644
--- a/devices/pi/configuration.nix
+++ b/devices/pi/configuration.nix
@@ -44,11 +44,9 @@ in {
     firewall.allowedTCPPorts = [80 443];
   };
 
-  services.caddy = {
+  services.pihole-ftl = {
     enable = true;
-    virtualHosts."mealie.polensky.me".extraConfig = ''
-      reverse_proxy http://192.168.1.242:9000
-    '';
+    openFirewallDHCP = true;
   };
 
   services.prometheus.exporters = {
@@ -73,7 +71,7 @@ in {
     users."${user}" = {
       isNormalUser = true;
       #hashedPasswordFile = config.sops.secrets.pi_user_pass.path;
-      extraGroups = ["wheel" "docker"];
+      extraGroups = ["wheel" "pihole"];
     };
   };
 
diff --git a/devices/server/configuration.nix b/devices/server/configuration.nix
index 860e8f7..ad5269b 100644
--- a/devices/server/configuration.nix
+++ b/devices/server/configuration.nix
@@ -21,6 +21,13 @@ in {
 
   services.openssh.enable = true;
 
+  services.caddy = {
+    enable = true;
+    virtualHosts."mealie.polensky.me".extraConfig = ''
+      reverse_proxy http://127.0.0.1:9000
+    '';
+  };
+
   # observability
   services = {
     grafana = {
@@ -41,12 +48,12 @@ in {
         {
           job_name = "node-exporters-lan";
           static_configs = [
-            {
-              targets = ["192.168.1.241:9100"];
-              labels = {
-                instance = "pi";
-              };
-            }
+            #{
+            #  targets = ["192.168.1.241:9100"];
+            #  labels = {
+            #    instance = "pi";
+            #  };
+            #}
             {
               targets = ["127.0.0.1:9100"];
               labels = {
@@ -94,6 +101,8 @@ in {
   networking = {
     hostName = "server";
     firewall.allowedTCPPorts = [
+      80
+      443
       9090 # prometheus
       3000 # grafana
       8096 # jellyfin
diff --git a/flake.lock b/flake.lock
index d443ea0..fe97afa 100644
--- a/flake.lock
+++ b/flake.lock
@@ -193,11 +193,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1747744144,
-        "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
+        "lastModified": 1752480373,
+        "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
+        "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
         "type": "github"
       },
       "original": {