diff --git a/container-config/nginx/snippets/local-only.conf b/container-config/nginx/snippets/local-only.conf
index effc582..fc06752 100644
--- a/container-config/nginx/snippets/local-only.conf
+++ b/container-config/nginx/snippets/local-only.conf
@@ -1,4 +1,5 @@
 allow 192.168.0.0/16;
+allow 10.0.0.0/8;
 allow fe80::/10;
 allow fc00::/7;
 deny all;
diff --git a/ignition/home-gw.bu b/ignition/home-gw.bu
index d5b2872..62ec30d 100644
--- a/ignition/home-gw.bu
+++ b/ignition/home-gw.bu
@@ -15,14 +15,14 @@ storage:
 table inet nat {
 chain prerouting {
 type nat hook prerouting priority 0
- tcp dport 80 dnat ip to 10.0.0.2
- tcp dport 80 dnat ip6 to [fd00::2]
- tcp dport 443 dnat ip to 10.0.0.2
- tcp dport 443 dnat ip6 to [fd00::2]
+ iifname ens* tcp dport 80 dnat ip to 10.0.0.2
+ iifname ens* tcp dport 80 dnat ip6 to [fd00::2]
+ iifname ens* tcp dport 443 dnat ip to 10.0.0.2
+ iifname ens* tcp dport 443 dnat ip6 to [fd00::2]
 }
 chain postrouting {
 type nat hook postrouting priority 0
- oifname gateway masquerade
+ iifname infra oifname ens* masquerade
 }
 }
 passwd:
diff --git a/server/etc/containers/systemd/certbot.container b/infra/etc/containers/systemd/certbot.container
similarity index 87%
rename from server/etc/containers/systemd/certbot.container
rename to infra/etc/containers/systemd/certbot.container
index f97d2a8..a42cd85 100644
--- a/server/etc/containers/systemd/certbot.container
+++ b/infra/etc/containers/systemd/certbot.container
@@ -7,4 +7,6 @@ Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bi
 Tmpfs=/etc/letsencrypt
 Tmpfs=/var/lib/letsencrypt
 Tmpfs=/var/log/letsencrypt
+Environment=CERTBOT_TYPE=home
+Secret=cloudflare
 AutoUpdate=registry
diff --git a/infra/etc/containers/systemd/certbot.container.d/override.conf b/infra/etc/containers/systemd/certbot.container.d/override.conf
deleted file mode 100644
index f968e0e..0000000
--- a/infra/etc/containers/systemd/certbot.container.d/override.conf
+++ /dev/null
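Review bot: `allow 10.0.0.0/8;` on the added line admits the entire RFC 1918 10/8, while the only 10.x address this commit shows is the DNAT target 10.0.0.2 in ignition/home-gw.bu; any other source that reaches nginx from a 10.x address, for example a container bridge (podman's default network is 10.88.0.0/16) or a VPN hop, would then be treated as local as well. Narrowing the rule to the subnet the gateway actually serves, e.g. `allow 10.0.0.0/<prefix of the infra subnet>;  # home-gw internal network`, keeps the snippet's meaning tied to one network. Connections DNAT'd in from the upstream interface keep their public source address (the new masquerade rule in home-gw.bu only covers infra-to-ens* traffic), so they still fall through to `deny all;`, provided nginx is evaluating the real peer address rather than a forwarded header.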
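Review bot: The new rules encode the WAN/LAN split purely through interface names (`iifname ens*` for upstream, `iifname infra` for internal), but nothing in the file states that, and the `ens*` glob will equally match any interface added later with that prefix. A one-line nft comment above `table inet nat {`, `# ens* = upstream side (DNAT 80/443 inbound only); infra = internal bridge (masquerade outbound only)`, would make the assumption reviewable. The DNAT rules expose 10.0.0.2 and [fd00::2] on 80 and 443 to everything arriving on ens*; whether a forward chain restricts that to these two ports is outside this hunk, as is the rest of the inline nft file under `storage:`, which begins before the hunk.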
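Review bot: `Secret=cloudflare` is added without a `type=`, so Quadlet mounts the secret as a file at /run/secrets/cloudflare rather than exporting it as an environment variable, and neither this hunk nor the override.conf it replaces records which form run-certbot expects. A comment on the line, `# Cloudflare API token for the dns-cloudflare plugin; Secret= defaults to type=mount, i.e. /run/secrets/cloudflare`, would document that contract for whoever edits the script. The unit's `[Container]` header and `Image=` line lie above the hunk.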
@@ -1,3 +0,0 @@
-[Container]
-Environment=CERTBOT_TYPE=home
-Secret=cloudflare
diff --git a/server/etc/systemd/system/certbot.timer b/infra/etc/systemd/system/certbot.timer
similarity index 100%
rename from server/etc/systemd/system/certbot.timer
rename to infra/etc/systemd/system/certbot.timer
diff --git a/setup-vyos.sh b/setup-vyos.sh
index 46711af..211a726 100644
--- a/setup-vyos.sh
+++ b/setup-vyos.sh
@@ -27,7 +27,7 @@ set interfaces ethernet eth2 address 192.168.254.1/24
 set interfaces ethernet eth2 address fc01::1/64
 set interfaces ethernet eth3 address 192.168.253.1/24
 set interfaces ethernet eth3 address fc02::1/64
-set interfaces wireguard wg0 address 10.255.0.1/24
+set interfaces wireguard wg0 address 192.168.252.1/24
 set interfaces wireguard wg0 port 51820
 
 set service ssh disable-password-authentication
@@ -61,7 +61,6 @@ set service dns forwarding name-server 9.9.9.9
 set service dns forwarding dnssec validate
 set service dns forwarding allow-from 127.0.0.1/32
 set service dns forwarding allow-from 192.168.0.0/16
-set service dns forwarding allow-from 10.255.0.0/16
 set service tftp-server directory /config/tftp
 set service tftp-server listen-address 192.168.253.1
 set service monitoring telegraf influxdb url http://home.strypsteen.com
diff --git a/vps/etc/containers/systemd/certbot.container b/vps/etc/containers/systemd/certbot.container
new file mode 100644
index 0000000..8b42e53
--- /dev/null
+++ b/vps/etc/containers/systemd/certbot.container
@@ -0,0 +1,13 @@
+[Container]
+Image=docker.io/certbot/dns-cloudflare
+UserNS=host
+Network=certbot.network
+Entrypoint=run-certbot
+Volume=/etc/certificates:/etc/certificates:z
+Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bin/run-certbot:Z,ro
+Tmpfs=/etc/letsencrypt
+Tmpfs=/var/lib/letsencrypt
+Tmpfs=/var/log/letsencrypt
+Environment=CERTBOT_TYPE=vps
+PublishPort=80:80
+AutoUpdate=registry
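Review bot: Renumbering wg0 from 10.255.0.1/24 to 192.168.252.1/24 moves the WireGuard peers inside 192.168.0.0/16, which the existing `allow-from 192.168.0.0/16` line in the second setup-vyos.sh hunk already admits for DNS forwarding and which container-config/nginx/snippets/local-only.conf treats as local; VPN clients therefore inherit whatever LAN-only access those allow lists grant, which may or may not be intended. The removal of `allow-from 10.255.0.0/16` in the second hunk is consistent with that, but the decision is nowhere written down. A comment next to the address line, `# wg0 peers deliberately sit in 192.168.0.0/16: DNS allow-from and nginx local-only.conf treat them as LAN`, would record it, and the peer-side configurations (addresses and AllowedIPs) that live outside this file need the matching change.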
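Review bot: `Image=docker.io/certbot/dns-cloudflare` carries neither tag nor digest, so with `AutoUpdate=registry` the unit follows whatever `latest` resolves to each time podman auto-update runs; the renamed infra unit appears to use the same pattern (its Image= line is above that hunk). Pinning, e.g. `Image=docker.io/certbot/dns-cloudflare:<pinned tag>` or `@sha256:<digest>`, keeps the supply chain reviewable while AutoUpdate= still tracks the chosen tag. `UserNS=host` means the container runs in the host's user namespace, so a compromised image has host-root access to the `/etc/certificates` bind mount; if the vps flow only needs `PublishPort=80:80` for HTTP-01, it is worth checking whether that setting is required at all. The `:z` (shared) relabel on `/etc/certificates` also makes that directory readable by any other container using the shared label, so `:Z` as on the script volume would be narrower unless another unit reads the certificates.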
diff --git a/vps/etc/containers/systemd/certbot.container.d/override.conf b/vps/etc/containers/systemd/certbot.container.d/override.conf
deleted file mode 100644
index af26e08..0000000
--- a/vps/etc/containers/systemd/certbot.container.d/override.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[Container]
-Network=certbot.network
-Environment=CERTBOT_TYPE=vps
-PublishPort=80:80
diff --git a/vps/etc/systemd/system/certbot.timer b/vps/etc/systemd/system/certbot.timer
new file mode 100644
index 0000000..7d8ad21
--- /dev/null
+++ b/vps/etc/systemd/system/certbot.timer
@@ -0,0 +1,5 @@
+[Timer]
+OnCalendar=monthly
+Unit=certbot.service
+[Install]
+WantedBy=timers.target
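Review bot: `OnCalendar=monthly` fires only on the first of each month, which is too coarse if run-certbot ends in `certbot renew`: renew acts only inside the last 30 days of a 90-day certificate, so a certificate issued shortly after one firing can have its renewal window open and close between the next two and expire unnoticed. There is also no `Persistent=true`, so a firing missed while the VPS is down is skipped rather than caught up. Running daily with jitter, `OnCalendar=daily`, `Persistent=true`, `RandomizedDelaySec=1h`, matches certbot's own guidance and costs nothing when nothing is due.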