diff --git a/modules/system/exports/cockpit.nix b/modules/system/exports/cockpit.nix
new file mode 100644
index 00000000..575326aa
--- /dev/null
+++ b/modules/system/exports/cockpit.nix
@@ -0,0 +1,15 @@
+{lib, gensokyo-zone, ...}: let
+  inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
+  inherit (lib.attrsets) mapAttrs;
+in {
+  # fedora server web ui
+  config.exports.services.cockpit = {
+    defaults.port.listen = mkAlmostOptionDefault "lan";
+    ports = mapAttrs (_: mapAlmostOptionDefaults) {
+      default = {
+        port = 9090;
+        protocol = "https";
+      };
+    };
+  };
+}
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index 3c027a65..25b8437c 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@@ -35,7 +35,6 @@ let
           fromScheme = xvars.get.proxy_scheme;
         };
       };
-      recommendedProxySettings = false;
     };
   };
   ldapsPort = 636;
@@ -80,12 +79,22 @@ in {
   config = {
     services.nginx = {
       # TODO: ssl.preread.enable = mkDefault true;
-      upstreams'.freeipa = {config, ...}: {
-        ssl.host = mkDefault (access.systemFor config.servers.access.accessService.system).access.fqdn;
-        host = mkDefault config.ssl.host;
-        servers.access = {
-          accessService = {
-            name = "freeipa";
+      upstreams' = {
+        freeipa = {config, ...}: {
+          ssl.host = mkDefault (access.systemFor config.servers.access.accessService.system).access.fqdn;
+          host = mkDefault config.ssl.host;
+          servers.access = {
+            accessService = {
+              name = "freeipa";
+            };
+          };
+        };
+        freeipa'cockpit = {upstream, ...}: {
+          servers.access = {
+            accessService = {
+              inherit (nginx.upstreams'.freeipa.servers.access.accessService) system;
+              name = "cockpit";
+            };
           };
         };
       };
@@ -192,6 +201,7 @@ in {
       ];
       virtualHosts = let
         name.shortServer = mkDefault "ipa";
+        name'cockpit.shortServer = mkDefault "ipa-cock";
       in {
         freeipa = {
           name.shortServer = mkDefault "idp";
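Review bot: The new export's only comment is `# fedora server web ui`, which leaves the reader to guess what the exported `defaults.port.listen`, `port` and `protocol` values are for, even though this file is what other modules read to build a proxy to Cockpit. A short header would do, e.g. `# Cockpit (server-admin web UI). 9090/https is Cockpit's stock listener; the listen scope defaults to "lan" (override per system if it must be exported elsewhere).` What the `"lan"` scope actually restricts is inferred from its name here and should be confirmed against the export option before being stated as fact.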
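Review bot: Removing `recommendedProxySettings = false;` silently switches this proxy block to the module's default, and neither the hunk nor the commit says what that default is or why it is now wanted; if it is the NixOS-style recommended settings, nginx starts emitting its own `Host`/`X-Forwarded-*` headers, which may interact with the `fromScheme = xvars.get.proxy_scheme;` override kept just above. Note the intent inline, e.g. `# recommendedProxySettings now left at the module default — confirm it does not clash with the proxy_scheme override above`. The enclosing let binding begins and ends outside the hunk, so the attribute it belongs to is not visible here.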
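Review bot: `freeipa'cockpit = {upstream, ...}: {` binds `upstream` but the body never reads it, whereas `freeipa` takes `{config, ...}` because it uses `config.ssl.host`; write it as `freeipa'cockpit = {...}: {` so the unused binding does not suggest a dependency that is not there. Separately, the cockpit upstream sets neither `ssl.host` nor `host`, although `modules/system/exports/cockpit.nix` in this same commit exports the port with `protocol = "https"`; if `ssl.host` is what the upstream module uses for SNI or certificate verification, as the `freeipa` entry suggests, the cockpit leg is presumably proxied without it — confirm and either set it or document why Cockpit's certificate is not checked. A one-line comment on `inherit (nginx.upstreams'.freeipa.servers.access.accessService) system;` saying that cockpit deliberately follows whichever host the freeipa upstream resolves to would also help the next reader.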
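Review bot: The literal `"ipa-cock"` introduced by `name'cockpit.shortServer = mkDefault "ipa-cock";` is repeated verbatim in `tf/cloudflare_records.tf` and `tf/cloudflare_tunnels.tf` in this commit with nothing tying the three together, so a rename in one place leaves a stale DNS record or tunnel route in the others. This mirrors how `"ipa"` is already handled, so the fix is documentation only: `# keep in sync with tf/cloudflare_records.tf and tf/cloudflare_tunnels.tf` next to this binding. The `virtualHosts = let` block continues past the hunk.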
@@ -223,7 +233,24 @@ in {
         freeipa'web'local = {
           ssl.cert.copyFromVhost = "freeipa'web";
           local.enable = true;
-          inherit name locations;
+          inherit name locations extraConfig;
+        };
+        freeipa'cockpit = {
+          name = name'cockpit;
+          vouch.enable = mkDefault true;
+          ssl = {
+            force = mkDefault virtualHosts.freeipa'web.ssl.force;
+            cert.copyFromVhost = "freeipa'web";
+          };
+          proxy.upstream = "freeipa'cockpit";
+          locations."/".proxy.enable = true;
+        };
+        freeipa'cockpit'local = {
+          name = name'cockpit;
+          ssl.cert.copyFromVhost = "freeipa'cockpit";
+          proxy.copyFromVhost = "freeipa'cockpit";
+          local.enable = true;
+          locations."/".proxy.enable = true;
         };
         freeipa'ldap = {
           serverName = mkDefault ldap.domain;
diff --git a/systems/freeipa/default.nix b/systems/freeipa/default.nix
index 743b539e..ae880a52 100644
--- a/systems/freeipa/default.nix
+++ b/systems/freeipa/default.nix
@@ -36,6 +36,7 @@ _: {
     enable = true;
     ports.public.enable = false;
   };
+  cockpit.enable = true;
   freeipa.enable = true;
   ldap.enable = true;
   kerberos.enable = true;
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 2cc22d03..c5929aa4 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -62,6 +62,7 @@ in {
       credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
       ingress = mkMerge [
         (virtualHosts.freeipa'web.proxied.cloudflared.getIngress {})
+        (virtualHosts.freeipa'cockpit.proxied.cloudflared.getIngress {})
         (virtualHosts.prox.proxied.cloudflared.getIngress {})
         (virtualHosts.gensokyoZone.proxied.cloudflared.getIngress {})
       ];
@@ -166,6 +167,8 @@ in {
         virtualHosts.freeipa.otherServerNames
         virtualHosts.freeipa'web.allServerNames
         virtualHosts.freeipa'web'local.allServerNames
+        virtualHosts.freeipa'cockpit.allServerNames
+        virtualHosts.freeipa'cockpit'local.allServerNames
         virtualHosts.freeipa'ldap.allServerNames
         virtualHosts.freeipa'ldap'local.allServerNames
         (mkIf virtualHosts.freeipa'ldap'tail.enable virtualHosts.freeipa'ldap'tail.allServerNames)
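Review bot: `freeipa'cockpit'local` carries no `vouch.enable`, and whether `proxy.copyFromVhost = "freeipa'cockpit";` copies that setting from the public vhost is not visible here; Cockpit is a privileged admin console, so state the intent explicitly rather than rely on copy semantics, either `vouch.enable = mkDefault virtualHosts.freeipa'cockpit.vouch.enable;` or a comment saying the local name is reachable only from trusted networks. On `freeipa'cockpit`, `vouch.enable = mkDefault true;` is the only gate in front of the cloudflared route added in `systems/hakurei/nixos.nix`, and as a `mkDefault` any later plain assignment silently turns it off; a plain `true` with `# internet-facing via cloudflared, SSO gate must stay on` is safer. Cockpit also validates the WebSocket `Origin` header against its configured origins, so serving it under the `ipa-cock` names presumably needs a matching entry on the Cockpit host, which this commit does not touch — confirm. The enclosing `virtualHosts` attrset continues beyond the hunk.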
@@ -237,6 +240,7 @@ in {
         ssl.cert.enable = true;
       };
       freeipa'web.proxied.enable = "cloudflared";
+      freeipa'cockpit.proxied.enable = "cloudflared";
       keycloak = {
         # we're not the real sso record-holder, so don't respond globally..
         local.denyGlobal = true;
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index a7484bd7..9bf1444f 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -17,6 +17,7 @@ module "hakurei_system_records" {
     "ldap",
     "krb5",
     "ipa",
+    "ipa-cock",
     "unifi",
     "pbx",
     "smb",
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
index 466760ea..a2aa0bff 100644
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@@ -13,6 +13,7 @@ module "hakurei" {
     "@",
     "prox",
     "ipa",
+    "ipa-cock",
   ]
 }