diff --git a/modules/extern/nixos/krb5.nix b/modules/extern/nixos/krb5.nix
index e21ee898..073f6bc2 100644
--- a/modules/extern/nixos/krb5.nix
+++ b/modules/extern/nixos/krb5.nix
@@ -152,7 +152,7 @@
 enable = mkEnableOption "IPA";
 httpHost = mkOption {
 type = str;
- default = "freeipa.${config.domain}";
+ default = "ipa.${config.domain}";
 };
 host = mkOption {
 type = str;
@@ -246,8 +246,8 @@
 servers = optional access.local.enable "idp.local.${config.domain}" ++ [ "_srv" ];
 backups = mkMerge [
- (mkIf access.tail.enabled (mkAlmostOptionDefault [ "freeipa.tail.${config.domain}" ]))
- (mkIf access.local.enable (mkAlmostOptionDefault [ "freeipa.local.${config.domain}" ]))
+ (mkIf access.tail.enabled (mkAlmostOptionDefault [ "ipa.tail.${config.domain}" ]))
+ (mkIf access.local.enable (mkAlmostOptionDefault [ "ipa.local.${config.domain}" ]))
 ];
 in mkIf config.sssd.enable {
 enable = mkAlmostOptionDefault true;
diff --git a/modules/system/exports/freeipa.nix b/modules/system/exports/freeipa.nix
index 718ba3f2..58efda01 100644
--- a/modules/system/exports/freeipa.nix
+++ b/modules/system/exports/freeipa.nix
@@ -3,7 +3,7 @@
 inherit (lib.attrsets) mapAttrs;
 in {
 config.exports.services.freeipa = {
- id = mkAlmostOptionDefault "freeipa";
+ id = mkAlmostOptionDefault "ipa";
 ports = mapAttrs (_: mapAlmostOptionDefaults) {
 default = {
 port = 443;
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index b923e4d3..73b686bd 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@@ -243,7 +243,7 @@ in {
 '';
 in mkIf access.preread.enable preread;
 virtualHosts = let
- name.shortServer = mkDefault "freeipa";
+ name.shortServer = mkDefault "ipa";
 in {
 freeipa = {
 name.shortServer = mkDefault "idp";
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 303e9801..dfc9d055 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
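Review bot: The new `httpHost` default `ipa.${config.domain}` is the name clients will use for the IPA HTTP endpoint, and it is defined independently of the `host` option that follows it in this hunk; Kerberos-negotiated HTTP authentication only succeeds if the server's keytab holds a `HTTP/ipa.<domain>` service principal (or an alias for it) and its certificate carries that name as a SAN, neither of which this diff shows, so it is worth confirming on the server side before the old name disappears from DNS. The option also carries no `description`, which is where that requirement belongs: `description = "Host name of the IPA web/API endpoint (defaults to ipa.<domain>); must correspond to a HTTP service principal and certificate SAN on the IPA server.";` next to `type = str;`. The enclosing option set starts and ends outside the hunk.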
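Review bot: The two rewritten `backups` entries read differently named flags for the same purpose, `access.tail.enabled` versus `access.local.enable`, while the `servers` line just above also uses `access.local.enable`. If `access.tail` exposes `enable` like `access.local`, the tail entry would either fail evaluation or never apply, so the rename would silently leave the tail-side KDC without a backup; this is pre-existing, but both lines were touched here and `(mkIf access.tail.enable (mkAlmostOptionDefault [ "ipa.tail.${config.domain}" ]))` is the form to check against the `access` module. The enclosing `let` starts before the hunk.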
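Review bot: After this line the service stays keyed `config.exports.services.freeipa` while its `id` becomes `ipa`, so whatever is derived from `id` (presumably the DNS label, matching the `ipa.${config.domain}` defaults elsewhere in this commit) no longer agrees with the attribute path a reader will search for. A one-line comment beside the new value would prevent that confusion: `# "ipa" is the published short name; the attribute keeps the "freeipa" key so existing references still resolve`. The attribute set continues past the hunk.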
@@ -63,6 +63,7 @@ in {
 ingress = {
 ${virtualHosts.prox.serverName}.service = localNginx;
 ${virtualHosts.gensokyoZone.serverName}.service = localNginx;
+ ${virtualHosts.freeipa'web.serverName}.service = localNginx;
 };
 };
 };
@@ -224,6 +225,7 @@ in {
 freeipa = {
 ssl.cert.enable = true;
 };
+ freeipa'web.proxied.enable = "cloudflared";
 keycloak = {
 # we're not the real sso record-holder, so don't respond globally..
 local.denyGlobal = true;
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index ab8d7b65..dea3ce34 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -12,11 +12,11 @@ module "hakurei_system_records" {
 net_data = local.systems.hakurei.network
 local_subdomains = [
 "prox",
- "id",
 "login",
 "sso",
 "ldap",
- "freeipa",
+ "krb5",
+ "ipa",
 "unifi",
 "pbx",
 "smb",
@@ -31,8 +31,8 @@ module "hakurei_system_records" {
 global_subdomains = [
 "plex",
 "idp",
- "freeipa",
 "ldap",
+ "krb5",
 "pbx",
 "smb",
 "mqtt",
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
index 06a252d2..466760ea 100644
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@@ -12,6 +12,7 @@ module "hakurei" {
 subdomains = [
 "@",
 "prox",
+ "ipa",
 ]
 }
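Review bot: The added ingress entry for `virtualHosts.freeipa'web`, together with `freeipa'web.proxied.enable = "cloudflared";` in the second hunk of this file and the new `ipa` subdomain in tf/cloudflare_tunnels.tf, makes the IPA web front end reachable from the Internet through the Cloudflare tunnel, and no Access policy, IP restriction or path allow-list appears anywhere in the diff. A FreeIPA web vhost typically serves the password login form and the JSON-RPC API under the same name, so unless the `freeipa'web` vhost is deliberately narrowed in nginx this is a new public authentication surface on the identity provider, and a Cloudflare Access application (or equivalent allow-list) in front of the tunnel would be the expected companion change. Cloudflare also terminates TLS for proxied hosts, so session cookies and credentials are in the clear at the edge; a comment on the `proxied.enable` line such as `# web UI intentionally published via cloudflared; gated by <ACCESS-POLICY-PLACEHOLDER>` would record that this was a conscious decision. The `ingress` set and the surrounding `let … in {` begin before the hunk.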
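Review bot: The `"freeipa"` record is removed from both the local list here and the global list in the second hunk with no transitional record or CNAME, so any enrolled client, certificate SAN or service principal still bound to `freeipa.<domain>` stops resolving as soon as this is applied; keeping `"freeipa",` for a migration window, or a CNAME to `ipa`, would make the rename non-breaking. `"id",` is also dropped from the local list with no replacement visible, so confirming nothing still references `id.local.<domain>` is worthwhile. Adding `"krb5"` to the global list publishes a public name for the KDC, which is fine only if the Kerberos ports on that host are meant to be reachable from outside. Since `"ipa"` goes into the local list only and its public name is created by the tunnel module, a trailing comment would save the next reader a search: `"ipa", # public ipa.<domain> is a cloudflared tunnel record, see cloudflare_tunnels.tf`. The module block continues outside the hunk.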