diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix
index 94aee36..d6b2fb7 100644
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@@ -23,12 +23,15 @@ in {
 enable = true;
 globalConfig = "metrics";
 virtualHosts = let
+ blockNonCloudflare = ''
+ @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
+ respond @blocked "Access only allowed through cloudflare" 403
+ '';
 mkPublicEntry = name: destination: {
 useACMEHost = domain;
 hostName = "${name}.${domain}:${toString caddyPort}";
 extraConfig = ''
- @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
- respond @blocked "Access only allowed through cloudflare" 403
+ ${blockNonCloudflare}
 reverse_proxy {
 header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
 to ${destination}
@@ -56,6 +59,7 @@ in {
 useACMEHost = domain;
 hostName = "${domain}:${toString caddyPort}";
 extraConfig = ''
+ ${blockNonCloudflare}
 root * ${inputs.own-website.packages.${pkgs.system}.default}
 file_server
 '';
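Review bot: The `remote_ip` allowlist in `blockNonCloudflare` is fixed at Nix evaluation time from the `cloudflare-ipv4`/`cloudflare-ipv6` flake inputs, so any range Cloudflare publishes after the inputs were last locked is answered with the 403 until the inputs are relocked; this deserves a comment on the binding, e.g. `# Cloudflare ranges are baked in from the flake inputs at eval time; relock them when Cloudflare's published ranges change, or requests from new edge IPs get a 403.` The same gate is what makes `header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}` in mkPublicEntry safe to trust, since `remote_ip` without the `forwarded` option compares the TCP peer address rather than any client-supplied header; a one-line comment on the `header_up` line stating that coupling, such as `# trusted only because @blocked restricts the peer address to Cloudflare ranges`, would keep a later edit from loosening one side without the other. If either input resolved to an empty file the matcher would be emitted with no arguments, which I would expect to fail Caddyfile adaptation rather than silently allow all traffic, but that is inferred, not visible here. The second hunk applies the same block to the root site, so the same comment covers it; the enclosing `virtualHosts = let` and the mkPublicEntry body both continue outside the hunk.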