diff --git a/machines/moritz-server/configuration.nix b/machines/moritz-server/configuration.nix
index 40b4535..a2e4b52 100644
--- a/machines/moritz-server/configuration.nix
+++ b/machines/moritz-server/configuration.nix
@@ -3,6 +3,8 @@
 ../../modules/zfs_unencrypted.nix
 ../../modules/shared.nix
 ../../modules/moritz/shared.nix
+ ./reverse-proxy.nix
+ ./ddns.nix
 ];
 
 time.timeZone = "Europe/Berlin";
@@ -39,44 +41,4 @@
 ssh-rsa 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 cardno:15_584_308
 ''
 ];
-
- networking.firewall.allowedTCPPorts = [80 443];
- services.nginx.enable = true;
- services.nginx.recommendedProxySettings = true;
- services.nginx.virtualHosts = {
- "moritzboeh.me" = {
- serverAliases = ["*.moritzboeh.me"];
- locations."/" = {
- proxyPass = "http://192.168.0.6";
- };
- };
- "moritz.foo" = {
- locations."/" = {
- return = "200 'Hello World!'";
- };
- };
- };
- services.nginx.streamConfig = ''
- upstream diskstation {
- server 192.168.0.6:443;
- }
-
- upstream self {
- server 127.0.0.1:443;
- }
-
- map $ssl_preread_server_name $name {
- *.moritz.foo self;
- moritz.foo self;
- *.moritzboeh.me diskstation;
- moritzboeh.me diskstation;
- default diskstation;
- }
-
- server {
- listen 443;
- ssl_preread on;
- proxy_pass $name;
- }
- '';
 }
diff --git a/machines/moritz-server/ddns.nix b/machines/moritz-server/ddns.nix
new file mode 100644
index 0000000..c1ef44a
--- /dev/null
+++ b/machines/moritz-server/ddns.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}: {
+ services.ddns-updater = {
+ enable = true;
+ package = inputs.stable.legacyPackages.${pkgs.system}.ddns-updater;
+ environment = {
+ # LOG_LEVEL = "debug";
+ CONFIG_FILEPATH = config.clan.core.vars.generators.ddns-updater-conf.files."config.json".path;
+ };
+ };
+ systemd.services.ddns-updater = {
+ serviceConfig = {
+ User = "ddns-updater";
+ Group = "ddns-updater";
+ };
+ };
+ users.users.ddns-updater = {
+ name = "ddns-updater";
+ group = "ddns-updater";
+ isSystemUser = true;
+ };
+ users.groups.ddns-updater = {};
+ clan.core.vars.generators.ddns-updater-conf.prompts."config.json" = {
+ persist = true;
+ type = "multiline";
+ };
+ clan.core.vars.generators.ddns-updater-conf.files."config.json".owner = "ddns-updater";
+}
diff --git a/machines/moritz-server/reverse-proxy.nix b/machines/moritz-server/reverse-proxy.nix
new file mode 100644
index 0000000..8635ebe
--- /dev/null
+++ b/machines/moritz-server/reverse-proxy.nix
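Review bot: The static `User`/`Group` override in `systemd.services.ddns-updater.serviceConfig` is unexplained, and it only makes sense together with the `clan.core.vars...files."config.json".owner = "ddns-updater"` line further down; a reader will otherwise wonder why the upstream module's own service account is not used (if that module relies on `DynamicUser`, I would confirm that the static user takes precedence — I cannot tell from here). Suggest a comment above the `serviceConfig` block: `# Run as a static user so the clan vars secret (CONFIG_FILEPATH) can be owned by the service account.` Since `config.json` presumably holds the DDNS provider credentials, the commented-out `# LOG_LEVEL = "debug";` also deserves a note that debug logging may echo request details into the journal before someone re-enables it casually.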
@@ -0,0 +1,93 @@
+{
+ services.fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ jails = let
+ nginx_error_log = "/var/log/nginx/access.log";
+ in {
+ nginx-botsearch.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-botsearch";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ nginx-forbidden.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-forbidden";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ nginx-http-auth.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-http-auth";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ nginx-4xx.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-4xx";
+ backend = "auto";
+ logpath = nginx_error_log;
+ };
+ };
+ ignoreIP = [
+ "192.168.0.0/24"
+ ];
+ };
+ environment.etc = {
+ "fail2ban/filter.d/nginx-4xx.conf".text = ''
+ [Definition]
+ failregex = ^.*"(GET|POST).*" (404|444|403|400) .*$
+
+ ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
+
+ journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "moritzboeh.me" = {
+ serverAliases = ["*.moritzboeh.me"];
+ locations."/" = {
+ proxyPass = "http://192.168.0.6";
+ };
+ };
+ "moritz.foo" = {
+ locations."/" = {
+ return = "200 'Hello World!'";
+ };
+ };
+ };
+ streamConfig = ''
+ upstream diskstation {
+ server 192.168.0.6:443;
+ }
+
+ upstream self {
+ server 127.0.0.1:443;
+ }
+
+ map $ssl_preread_server_name $name {
+ *.moritz.foo self;
+ moritz.foo self;
+ *.moritzboeh.me diskstation;
+ moritzboeh.me diskstation;
+ default diskstation;
+ }
+
+ server {
+ listen 443;
+ ssl_preread on;
+ proxy_pass $name;
+ }
+ '';
+ };
+}
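Review bot: The custom `nginx-4xx` filter's `failregex` contains no `<HOST>` tag, so fail2ban has no address to ban and rejects a failregex without a host/failure-id group at load time — the jail is effectively dead despite `enabled = true`. For nginx's default combined access-log format the line should read `failregex = ^<HOST> - .*"(GET|POST).*" (404|444|403|400) .*$`. Separately, the `nginx_error_log` binding actually points at `access.log`, and as far as I recall the stock `nginx-http-auth` and `nginx-forbidden` filters are written against error-log messages, so those two jails will likely never match on this path; either rename the binding and give those jails an error-log path, or drop them. Note also that matching any 404/400 with `bantime-increment.enable = true` escalates bans for ordinary visitors who hit a missing asset not covered by `ignoreregex`, so a narrower status list or an explicit `maxretry` would be worth considering.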