diff --git a/modules/nixos/cloudflared.nix b/modules/nixos/cloudflared.nix
index 378ce453..ca5cefab 100644
--- a/modules/nixos/cloudflared.nix
+++ b/modules/nixos/cloudflared.nix
@@ -4,6 +4,7 @@
   inherit (lib.modules) mkIf mkMerge mkForce;
   inherit (lib.options) mkOption mkEnableOption;
   cfg = config.services.cloudflared;
+  settingsFormat = pkgs.formats.json { };
 in {
   options.services.cloudflared = with lib.types; {
     tunnels = let
@@ -14,7 +15,7 @@ in {
           default = config.extraTunnel.ingress != { };
         };
         ingress = mkOption {
-          type = attrs;
+          inherit (settingsFormat) type;
           default = { };
         };
       };
diff --git a/nixos/reisen-ct/network.nix b/nixos/reisen-ct/network.nix
index 8787aeb2..4d170faa 100644
--- a/nixos/reisen-ct/network.nix
+++ b/nixos/reisen-ct/network.nix
@@ -1,9 +1,10 @@
 {
   lib,
   config,
+  options,
   ...
 }: let
-  inherit (lib) mkDefault;
+  inherit (lib.modules) mkIf mkDefault;
 in {
   services.resolved.enable = true;
   services.avahi = {
@@ -17,4 +18,14 @@ in {
     };
     wideArea = mkDefault false;
   };
+  systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) {
+    serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [
+      "+-${config.systemd.package}/bin/resolvectl mdns eth0 yes"
+    ];
+  };
+  systemd.network.networks.eth0 = mkIf (! options ? proxmoxLXC) {
+    matchConfig.Name = "eth0";
+    linkConfig.Multicast = true;
+    networkConfig.MulticastDNS = true;
+  };
 }
diff --git a/systems/tewi/cloudflared.nix b/systems/tewi/cloudflared.nix
index 00b3a32f..3dca5b83 100644
--- a/systems/tewi/cloudflared.nix
+++ b/systems/tewi/cloudflared.nix
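Review bot: Replacing `type = attrs;` with `inherit (settingsFormat) type;` changes how multiple definitions of `ingress` are merged — `attrs` merges definitions shallowly, while the JSON format type merges nested attrsets key by key and rejects non-JSON values such as functions — and nothing in the hunk records that this is the intent; the `mkMerge` of partial `deluge` rules in systems/tewi/cloudflared.nix appears to rely on it. The option also has no `description`, so a reader of the module cannot tell that partial rules from several places are meant to combine. Suggest adding `description = "Ingress rules for this tunnel, as cloudflared JSON; nested definitions are merged key by key, so partial rules may be given from several modules.";` next to `default = { };`. The first hunk's `pkgs.formats.json { }` also needs `pkgs` in the module's argument set, which is outside the hunk and worth confirming.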
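Review bot: The new `avahi-daemon` override runs `resolvectl mdns eth0 yes` as an `ExecStartPre` with the `-` prefix, so if avahi-daemon happens to start before systemd-resolved is reachable the call fails silently and the link is left with mDNS off; the override declares no ordering against resolved. Adding `after = [ "systemd-resolved.service" ];` and `wants = [ "systemd-resolved.service" ];` inside the same `mkIf` would make the pre-start deterministic. Separately, `yes` turns resolved into a full mDNS responder on eth0 while avahi-daemon is also a responder there, and running two responders on one link is something avahi complains about at start-up; if only name resolution through resolved is wanted, `resolve` is the narrower setting — worth checking which behaviour the container actually needs. The interface name `eth0` is repeated in both new blocks and could be a single `let` binding.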
@@ -1,34 +1,62 @@
 {
+  meta,
   config,
   lib,
   ...
 }: let
-  inherit (config) services;
+  inherit (lib.modules) mkMerge;
+  inherit (lib.attrsets) listToAttrs nameValuePair;
+  inherit (config.networking) hostName;
+  cfg = config.services.cloudflared;
   apartment = "131222b0-9db0-4168-96f5-7d45ec51c3be";
+  systemFor = hostName: if hostName == config.networking.hostName
+    then config
+    else meta.network.nodes.${hostName};
+  accessHostFor = { hostName, access ? "local", ... }: let
+    host = {
+      local = "${hostName}.local";
+      tail = "${hostName}.tail.cutie.moe";
+    }.${access} or (throw "unsupported access ${access}");
+  in if hostName == config.networking.hostName then "localhost" else host;
+  ingressForNginx = { host ? system.networking.fqdn, port ? 80, hostName, system ? systemFor hostName }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
+  ingressForHass = { host ? system.services.home-assistant.domain, port ? system.services.home-assistant.config.http.server_port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
+  ingressForVouch = { host ? system.services.vouch-proxy.domain, port ? system.services.vouch-proxy.settings.vouch.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
+  ingressForKanidm = { host ? system.services.kanidm.server.frontend.domain, port ? system.services.kanidm.server.frontend.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "https://${accessHostFor args}:${toString port}";
+    originRequest.noTLSVerify = true;
+  };
+  ingressForDeluge = { host, port ? system.services.deluge.web.port, hostName, system ? systemFor hostName, ... }@args: nameValuePair host {
+    service = "http://${accessHostFor args}:${toString port}";
+  };
 in {
-  sops.secrets.cloudflared-tunnel-apartment.owner = services.cloudflared.user;
-  sops.secrets.cloudflared-tunnel-apartment-deluge.owner = services.cloudflared.user;
+  sops.secrets.cloudflared-tunnel-apartment.owner = cfg.user;
+  sops.secrets.cloudflared-tunnel-apartment-deluge.owner = cfg.user;
   services.cloudflared = {
     tunnels = {
       ${apartment} = {
         credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
         default = "http_status:404";
-        ingress = {
-          ${config.networking.domain}.service = "http://localhost:80";
-          ${services.home-assistant.domain}.service = "http://localhost:${toString services.home-assistant.config.http.server_port}";
-          ${services.zigbee2mqtt.domain}.service = "http://localhost:80";
-          ${services.vouch-proxy.domain}.service = "http://localhost:${toString services.vouch-proxy.settings.vouch.port}";
-          ${services.kanidm.server.frontend.domain} = {
-            service = "https://127.0.0.1:${toString services.kanidm.server.frontend.port}";
-            originRequest.noTLSVerify = true;
-          };
-        };
-        extraTunnel.ingress = {
-          deluge = {
-            hostname._secret = config.sops.secrets.cloudflared-tunnel-apartment-deluge.path;
-            service = "http://localhost:${toString services.deluge.web.port}";
-          };
-        };
+        ingress = listToAttrs [
+          (ingressForNginx { host = config.networking.domain; inherit hostName; })
+          (ingressForNginx { host = config.services.zigbee2mqtt.domain; inherit hostName; })
+          (ingressForHass { inherit hostName; })
+          (ingressForVouch { inherit hostName; })
+          (ingressForKanidm { inherit hostName; })
+        ];
+        extraTunnel.ingress = mkMerge [
+          (listToAttrs [
+            (ingressForDeluge { host = "deluge"; inherit hostName; })
+          ])
+          {
+            deluge.hostname._secret = config.sops.secrets.cloudflared-tunnel-apartment-deluge.path;
+          }
+        ];
       };
     };
   };
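Review bot: `ingressForKanidm` keeps `originRequest.noTLSVerify = true;` unconditionally while `accessHostFor` can now yield `<host>.local` or `<host>.tail.cutie.moe` instead of the loopback address the removed rule used, so the moment a non-local `hostName` is passed, the identity provider is reached across the network with certificate verification switched off, and the `.local` path in particular is resolved over mDNS, which is spoofable on the link. Every call site in this hunk passes the local `hostName`, so the origin is still `localhost` today, but the helper does not enforce that. Suggest tying the flag to the local case, `originRequest.noTLSVerify = hostName == config.networking.hostName;`, and for any future remote node pointing `originRequest.caPool` at that node's CA instead. As a point of style, the five `ingressFor*` helpers differ only in their default `host`/`port` and the scheme, so one helper taking those as arguments would halve the `let` block; `accessHostFor`'s `access` parameter is also never passed by any caller here. The `in { … }` attrset this hunk edits closes outside the hunk.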