diff --git a/hosts/microserver.home.ts.hillion.co.uk/default.nix b/hosts/microserver.home.ts.hillion.co.uk/default.nix
index f4f6b61..3d3e51a 100644
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@@ -24,6 +24,8 @@
       preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
       advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
       advertiseExitNode = true;
+      ipv4Addr = "100.105.131.47";
+      ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
     };
 
     ## Enable IoT VLAN
@@ -47,14 +49,17 @@
     services.iperf3.enable = true;
     services.iperf3.openFirewall = true;
 
-    networking.firewall.interfaces = {
-      "eth0" = {
-        allowedUDPPorts = [
-          5353 # HomeKit
-        ];
-        allowedTCPPorts = [
-          21063 # HomeKit
-        ];
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      interfaces = {
+        "eth0" = {
+          allowedUDPPorts = [
+            5353 # HomeKit
+          ];
+          allowedTCPPorts = [
+            21063 # HomeKit
+          ];
+        };
       };
     };
   };
diff --git a/modules/backups/homeassistant.nix b/modules/backups/homeassistant.nix
index 8538b1f..d3ed8fc 100644
--- a/modules/backups/homeassistant.nix
+++ b/modules/backups/homeassistant.nix
@@ -26,6 +26,7 @@ in
       passwordFile = config.age.secrets."backups/homeassistant/restic/128G".path;
       paths = [
         config.services.home-assistant.configDir
+        config.services.node-red.userDir
       ];
     };
   };
diff --git a/modules/services/homeassistant.nix b/modules/services/homeassistant.nix
index 7d1f966..660400a 100644
--- a/modules/services/homeassistant.nix
+++ b/modules/services/homeassistant.nix
@@ -34,6 +34,17 @@ in
       '';
     };
 
+    node-red = {
+      enable = true;
+    };
+    caddy = {
+      enable = true;
+      virtualHosts."http://nodered.home.ts.hillion.co.uk" = {
+        listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
+        extraConfig = "reverse_proxy http://localhost:1880";
+      };
+    };
+
     home-assistant = {
       enable = true;
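Review bot: The `ipv4Addr`/`ipv6Addr` values added to the tailscale block are literals for addresses that the Tailscale control plane assigns, not this configuration, so nothing here keeps them in sync if the node is re-registered under a different key; a consumer such as the Caddy `listenAddresses` in modules/services/homeassistant.nix would then bind to an address the host no longer has and Caddy would fail to start. I would put a comment beside the two values, e.g. `# Assigned by Tailscale, not chosen here; re-check with \`tailscale ip\` after re-registering the node`, and have the `custom.tailscale` option declarations (not in this diff) state the same requirement in their descriptions. Presumably the option declarations are elsewhere in the repository; confirm they carry a type and description.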
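Review bot: `trustedInterfaces = [ "tailscale0" ]` in the rewritten `networking.firewall` block accepts every inbound port on the Tailscale interface, which is much broader than the change needs: the only new listener on that interface is the Caddy virtual host on port 80 in modules/services/homeassistant.nix, while this host also advertises subnet routes and an exit node, so every listening service on it (iperf3, Home Assistant, and Node-RED's 1880 if it listens on all interfaces) becomes reachable from any tailnet peer with Tailscale ACLs as the only remaining control. Prefer the per-port form the hunk already uses for eth0, `interfaces."tailscale0".allowedTCPPorts = [ 80 ];`, and add ports explicitly as services are exposed. If trusting the whole tailnet is the intent, a one-line comment saying so and naming the ACL policy that is relied on would save the next reader from reading it as an oversight.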
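Review bot: `config.services.node-red.userDir` is now read unconditionally in the restic `paths` list, so a host that imports this backup module without enabling Node-RED backs up a directory that does not exist; restic at least warns about an unreadable source and may mark the snapshot incomplete. Guard it on the service being enabled, e.g. `paths = [ config.services.home-assistant.configDir ] ++ lib.optional config.services.node-red.enable config.services.node-red.userDir;` (assuming `lib` is in scope in this module, which the hunk does not show). A short comment that `userDir` holds the flow files and Node-RED's credential store, and is therefore part of the backup set, would document why the path is included.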
@@ -152,5 +163,18 @@ in
         };
       };
     };
+
+    ### HACK: Allow Caddy to restart if it fails. This happens because Tailscale
+    ### is too late at starting. Upstream nixos caddy does restart on failure
+    ### but it's prevented on exit code 1. Set the exit code to 0 (non-failure)
+    ### to override this.
+    systemd.services.caddy = {
+      requires = [ "tailscaled.service" ];
+      after = [ "tailscaled.service" ];
+      serviceConfig = {
+        RestartPreventExitStatus = lib.mkForce 0;
+      };
+    };
+
   };
 }
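Review bot: `RestartPreventExitStatus = lib.mkForce 0` removes the guard upstream put in on purpose, so every exit-1 failure — a bad Caddyfile, a port already in use, not only the missing Tailscale address — now restarts in a loop until the unit's start limit trips, with the real error buried in repeated journal entries. The `requires`/`after` on `tailscaled.service` also does not make Caddy wait for the Tailscale addresses to be assigned, which is the race the HACK comment describes, so the restart loop is doing the waiting. A narrower fix should be to let Caddy bind to the not-yet-present addresses with `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` and its `net.ipv6.ip_nonlocal_bind` counterpart, keeping the upstream restart policy intact; if the override stays, bound the loop with `serviceConfig.RestartSec` plus `unitConfig.StartLimitIntervalSec`/`StartLimitBurst`, and extend the HACK comment to say that config errors will now also be retried. The module body that encloses this `systemd.services.caddy` block starts outside the hunk.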