diff --git a/flake/nixosModules/deployer.nix b/flake/nixosModules/deployer.nix
index fae2906..b8742b0 100644
--- a/flake/nixosModules/deployer.nix
+++ b/flake/nixosModules/deployer.nix
@@ -1,5 +1,7 @@
-{
+{config, ...}: {
 flake.nixosModules.deployer = {pkgs, ...}: {
+ imports = [config.flake.nixosModules.serve-runs];
+
 aws.instance.tags.Role = "deployer";
 fileSystems."/home" = {
diff --git a/flake/nixosModules/serve-runs.nix b/flake/nixosModules/serve-runs.nix
new file mode 100644
index 0000000..f534ce0
--- /dev/null
+++ b/flake/nixosModules/serve-runs.nix
@@ -0,0 +1,28 @@
+{config, ...}: {
+ flake.nixosModules.serve-runs = system: {
+ sops.secrets.caddy-environment = {
+ sopsFile = ../../secrets/caddy-environment.enc;
+ restartUnits = ["caddy.service"];
+ };
+
+ systemd.services.caddy.serviceConfig = {
+ EnvironmentFile =
+ system.config.sops.secrets.caddy-environment.path;
+ # ProtectHome = system.lib.mkForce false;
+ BindReadOnlyPaths = "/home/dev/nomad-ssd/run:/var/lib/caddy/run";
+ };
+
+ services.caddy = {
+ enable = true;
+ email = "m.fellinger+cardano-perf-deployer@iohk.io";
+ virtualHosts."deployer.${config.flake.cluster.domain}" = {
+ extraConfig = ''
+ encode zstd gzip
+ basicauth { dev {$PASSWORD} }
+ root * /var/lib/caddy/run
+ file_server browse
+ '';
+ };
+ };
+ };
+}
diff --git a/flake/terraform/cluster.nix b/flake/terraform/cluster.nix
index 847fc8f..90c9fe3 100644
--- a/flake/terraform/cluster.nix
+++ b/flake/terraform/cluster.nix
@@ -235,6 +235,16 @@ in {
 from_port = 22;
 to_port = 22;
 })
+ (mkRule {
+ description = "Allow HTTP";
+ from_port = 80;
+ to_port = 80;
+ })
+ (mkRule {
+ description = "Allow HTTPS";
+ from_port = 443;
+ to_port = 443;
+ })
 (mkRule {
 description = "Allow Rsync";
 from_port = 32000;
diff --git a/secrets/caddy-environment.enc b/secrets/caddy-environment.enc
new file mode 100644
index 0000000..af295c4
--- /dev/null
+++ b/secrets/caddy-environment.enc
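Review bot: The `basicauth { dev {$PASSWORD} }` line in extraConfig of serve-runs.nix only works if the caddy-environment secret holds a bcrypt hash as produced by `caddy hash-password`; Caddy's basicauth directive does not accept cleartext, and the variable name reads like a cleartext value, so please confirm what the secret contains and record it with `# PASSWORD must be the bcrypt hash from \`caddy hash-password\`, not the cleartext password` above extraConfig (on Caddy 2.8 and later the directive is spelled `basic_auth`; the old name still loads but is deprecated). The `# ProtectHome = system.lib.mkForce false;` line is a dead comment and should be removed or explained, since the BindReadOnlyPaths mount out of /home/dev evidently works without it. Also note that `file_server browse` publishes every file under /home/dev/nomad-ssd/run to the internet behind one shared credential; if run outputs can contain anything sensitive, a per-person account or a source-address restriction on the new 443 rule in cluster.nix would limit exposure.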
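Review bot: The new HTTP and HTTPS rules in cluster.nix call `mkRule` without a source CIDR, so they inherit whatever ingress source the helper defaults to (not visible in this hunk, but the neighbouring SSH and Rsync rules suggest it is broad); since this file appears to define the cluster-wide security group, every node, not only the deployer that runs Caddy, would accept 80/443. Port 80 presumably has to stay open if Caddy relies on the HTTP-01 challenge or the HTTP-to-HTTPS redirect, but the 443 rule could be restricted to known source ranges or both rules attached only to the deployer instance. A comment such as `# 80/443: Caddy on the deployer (ACME challenge + TLS file browser)` next to the new rules would record why they exist. The enclosing rule list starts and ends outside the hunk.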
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:Q+Gw7sBMcBzEAxPjwcbKvk20Rts/DM3DAyZHLWig9BYcexXBCJ7UKBeYEttXYdRLGG8+b/vvk22FAwBELtr/apDbL9sMNQ==,iv:cZaHop3FBi04cuvC1Ckww1PV0vId58yLDSSu3Ss4ts8=,tag:rZljnrgmXKU/rMw+vR9cRA==,type:str]", + "sops": { + "kms": [ + { + "arn": "arn:aws:kms:eu-central-1:634968354090:alias/kmsKey", + "created_at": "2024-04-16T12:59:51Z", + "enc": "AQICAHjERJSkkd02ChDwvtPUUy9LjCMyl4XTwUygBtpfDd/1pAEW9+LokUn4a/435Atw9mW9AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM7pE1QpBEvZKEpGDGAgEQgDvDvGyCT5rLrY0r+VOuv5t+DwEdFqRkhsfYjb18hBT73F6tWWZTPX1CoBOoQJ5bJcqDZqKv19oU1qhkIA==", + "aws_profile": "" + } + ], + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2024-04-16T13:00:08Z", + "mac": "ENC[AES256_GCM,data:ljv7F9ieNlW3KLI2A/O4wQYGhUmAxk4FvyqQQLjeaRaPY9+7dsOCVbZARtnLHRRMhzI5LVtW5Vso8fxmqLH9GN3wOdrTTZTn0Ye72rdtXVeZxx8epRnePoPoGVRytWNJrVSCdV1DB9ju+De3yBdpusaeMEIyHfllyYrjITK0c10=,iv:V/zIcr0tT3GOtgS2eABg6g7gfwrs7n7KK//Mk11ORZI=,tag:LCiutUgBfZWEP04H1F5PEg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file