diff --git a/modules/nixos/server/options.nix b/modules/nixos/server/options.nix
index 06e8808..eea6d9d 100644
--- a/modules/nixos/server/options.nix
+++ b/modules/nixos/server/options.nix
@@ -24,7 +24,10 @@ in {
 };
 webserver = {
- caddy.enable = mkEnableOption "";
+ caddy = {
+ enable = mkEnableOption "";
+ cloudflare.enable = mkEnableOption "";
+ };
 };
 database = {
 postgresql.enable = mkEnableOption "";
diff --git a/modules/nixos/server/services/website/default.nix b/modules/nixos/server/services/website/default.nix
index 64a0fa2..f9f64a1 100644
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@@ -15,7 +15,10 @@
 };
 in {
 config = mkIf (elem "website" services) {
- ooknet.server.webserver.caddy.enable = true;
+ ooknet.server.webserver.caddy = {
+ enable = true;
+ cloudflare.enable = true;
+ };
 systemd.tmpfiles.settings.websiteDirs = {
 "/var/www"."d" = websitePermissions;
 "/var/www/ooknet.org"."d" = websitePermissions;
@@ -45,29 +48,31 @@ in {
 };
 # using caddy because it makes my life easy
- services.caddy.virtualHosts = {
- "ooknet.org".extraConfig =
- # sh
- ''
- encode zstd gzip
+ services.caddy = {
+ virtualHosts = {
+ "ooknet.org".extraConfig =
+ # sh
+ ''
+ encode zstd gzip
- header {
- Strict-Transport-Security "max-age=31536000;"
- X-XSS-Protection "1; mode=block"
- X-Frame-Options "DENY"
- X-Content-Type-Options "nosniff"
- -Server
+ header {
+ Strict-Transport-Security "max-age=31536000;"
+ X-XSS-Protection "1; mode=block"
+ X-Frame-Options "DENY"
+ X-Content-Type-Options "nosniff"
+ -Server
- Referrer-Policy: no-referrer
- }
+ Referrer-Policy "no-referrer"
+ }
- root * /var/www/ooknet.org/
- file_server
+ root * /var/www/ooknet.org/
+ file_server
+ '';
+ "www.ooknet.org".extraConfig = ''
+ redir https://ooknet.org{uri} permanent
 '';
- "www.ooknet.org".extraConfig = ''
- redir https://ooknet.org{uri}
- '';
+ };
 };
 };
 }
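Review bot: `cloudflare.enable = true;` in the website service is a hard assignment, so any host that enables "website" is forced onto the Cloudflare trusted-proxy path, and a host that sets `cloudflare.enable = false` because it is not actually behind Cloudflare would get a module definition conflict instead of an override. Trusting Cloudflare's published ranges as proxies is a security decision (it decides whose forwarded client-IP headers are believed), so it should stay overridable per host: `cloudflare.enable = lib.mkDefault true;`, assuming `lib` is in scope the way the `mkIf` use suggests (the file's argument list is outside the hunk). A one-line comment above it saying why the default is on, e.g. `# ooknet.org is fronted by Cloudflare; hosts serving it directly should set this to false`, would make the coupling explicit.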
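Review bot: The `header { … }` block, including Strict-Transport-Security, is attached only to the `"ooknet.org"` vhost, so the `"www.ooknet.org"` redirect response carries no HSTS header and a browser whose first visit is to www over plain HTTP gets no pin for that hostname. Add `header Strict-Transport-Security "max-age=31536000; includeSubDomains"` to the www block (and consider `includeSubDomains` on the apex as well, which covers www once the apex has been visited over HTTPS). Separately, `X-XSS-Protection "1; mode=block"` is the legacy auditor switch that current guidance says to disable (`X-XSS-Protection "0"`) or drop, with a Content-Security-Policy as the actual protection; there is no CSP here at all, and for a static file_server site a restrictive one is cheap to add. The trailing `;` in `"max-age=31536000;"` is tolerated by the HSTS grammar but looks unintended and could be cleaned up at the same time.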
diff --git a/modules/nixos/server/webserver/caddy.nix b/modules/nixos/server/webserver/caddy.nix
index 99dd2b2..2d04d65 100644
--- a/modules/nixos/server/webserver/caddy.nix
+++ b/modules/nixos/server/webserver/caddy.nix
@@ -1,16 +1,31 @@
 {
 config,
 lib,
+ self',
 ...
 }: let
- inherit (lib) mkIf;
+ inherit (lib) mkIf mkMerge;
 inherit (config.ooknet.server.webserver) caddy;
 in {
 config = mkIf caddy.enable {
 users.groups.www = {};
- services.caddy = {
- enable = true;
- group = "www";
- };
+ services.caddy = mkMerge [
+ {
+ enable = true;
+ group = "www";
+ }
+
+ (mkIf caddy.cloudflare.enable {
+ package = self'.packages.caddy-with-cloudflare;
+ globalConfig = ''
+ servers {
+ trusted_proxies cloudflare {
+ interval 12h
+ timeout 15s
+ }
+ }
+ '';
+ })
+ ];
 };
 }
diff --git a/outputs/pkgs/caddy-with-cloudflare/default.nix b/outputs/pkgs/caddy-with-cloudflare/default.nix
new file mode 100644
index 0000000..1807b3b
--- /dev/null
+++ b/outputs/pkgs/caddy-with-cloudflare/default.nix
@@ -0,0 +1,46 @@
+{
+ buildGoModule,
+ cacert,
+ go,
+ lib,
+ stdenv,
+ xcaddy,
+ caddy,
+}:
+caddy.override {
+ buildGoModule = args:
+ buildGoModule (args
+ // {
+ src = stdenv.mkDerivation rec {
+ pname = "caddy-using-xcaddy-${xcaddy.version}";
+ inherit (caddy) version;
+ dontUnpack = true;
+ dontFixup = true;
+ nativeBuildInputs = [cacert go];
+ plugins = [
+ "github.com/WeidiDeng/caddy-cloudflare-ip"
+ ];
+ configurePhase = ''
+ export GOCACHE=$TMPDIR/go-cache
+ export GOPATH="$TMPDIR/go"
+ export XCADDY_SKIP_BUILD=1
+ '';
+ buildPhase = ''
+ ${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${
+ lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins
+ }
+ cd buildenv*
+ go mod vendor
+ '';
+ installPhase = ''
+ cp -r --reflink=auto . $out
+ '';
+ outputHash = "sha256-O3QWqgQtLOifsibyB0/UKricEGAx/3NhSjGbgu8+qgY=";
+ outputHashMode = "recursive";
+ };
+ subPackages = ["."];
+ ldflags = ["-s" "-w"];
+ vendorHash = null;
+ });
+}
+
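Review bot: `trusted_proxies cloudflare` tells Caddy whose proxy headers to believe, but the header it then reads is still the default `client_ip_headers` value, X-Forwarded-For, and Caddy takes the left-most address from it; Cloudflare appends the connecting IP to a client-supplied X-Forwarded-For rather than replacing it, so a visitor can still choose the address that lands in `{client_ip}`, logs and any IP-based matchers. Add `client_ip_headers CF-Connecting-IP` inside the `servers { … }` block, since that header is set by Cloudflare itself and is the one Cloudflare recommends for the real client address. Trusting the published ranges also does nothing to stop requests that reach the origin directly; whether 80/443 are firewalled to Cloudflare or Authenticated Origin Pulls is in use is not visible in this diff, so a comment above `globalConfig` such as `# trusted_proxies only decides whose forwarded headers are believed; origin ingress must be restricted to Cloudflare separately` would record the assumption. The `mkMerge`/`mkIf` split is fine and keeps the stock caddy package when `cloudflare.enable` is off.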
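Review bot: The plugin is requested as `"github.com/WeidiDeng/caddy-cloudflare-ip"` with no version suffix, so `xcaddy build` resolves whatever the module's latest tag is at build time; the only thing pinning it is `outputHash`, and the next time that hash is bumped (for a Caddy update, say) the plugin silently moves to a new upstream commit with nothing in the repo showing what changed. Pin it in the `plugins` list as `"github.com/WeidiDeng/caddy-cloudflare-ip@<tag-or-commit>"` so a hash change always corresponds to a deliberate upgrade of a named revision. A comment above `outputHash` would also help the next maintainer: `# fixed-output hash of the vendored source tree; set to lib.fakeHash and rebuild after bumping caddy or a plugin`. `dontUnpack`/`dontFixup` and `vendorHash = null` follow the documented xcaddy pattern but are opaque without a note saying the derivation is a fixed-output fetch rather than a build, which is why `XCADDY_SKIP_BUILD=1` is exported.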
diff --git a/outputs/pkgs/default.nix b/outputs/pkgs/default.nix
index 037b1b3..a89ffa1 100644
--- a/outputs/pkgs/default.nix
+++ b/outputs/pkgs/default.nix
@@ -8,6 +8,7 @@
 repopack = callPackage ./repopack {};
 live-buds-cli = callPackage ./live-buds-cli {};
 website = callPackage ./website {};
+ caddy-with-cloudflare = callPackage ./caddy-with-cloudflare {};
 ook-vim = mkNeovim pkgs [ook-vim-config];
 };