diff --git a/terranix/containers/ingress-blowhole/default.nix b/terranix/containers/ingress-blowhole/default.nix
new file mode 100644
index 0000000..1d8557e
--- /dev/null
+++ b/terranix/containers/ingress-blowhole/default.nix
@@ -0,0 +1,21 @@
+{ elib, ... }:
+let
+  inherit (elib)
+    nomadJob;
+
+  flake_host = "";
+  flake_rev = "";
+  flake_ref = "";
+  flake_sha = "";
+in
+{
+  resource."nomad_job"."ingress" = nomadJob {
+    jobspec = ./job.hcl;
+
+    vars = {
+      flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
+      flake_sha = flake_sha;
+      upstreams = "\${file(\"${./upstreams.conf}\")}";
+    };
+  };
+}
diff --git a/terranix/containers/ingress-blowhole/job.hcl b/terranix/containers/ingress-blowhole/job.hcl
new file mode 100644
index 0000000..0ed7010
--- /dev/null
+++ b/terranix/containers/ingress-blowhole/job.hcl
@@ -0,0 +1,284 @@
+variable "flake_ref" {
+  type = string
+}
+
+variable "flake_sha" {
+  type = string
+}
+
+variable "upstreams" {
+  type = string
+}
+
+job "ingress" {
+  datacenters = [ "homelab-1" ]
+  type = "service"
+
+  group "ingress" {
+    count = 1
+
+    constraint {
+      attribute = "${attr.unique.hostname}"
+      value = "blowhole"
+    }
+
+    network {
+      mode = "bridge"
+      port "http" {
+        host_network = "mesh"
+        static = 80
+        to = 80
+      }
+
+      port "https" {
+        host_network = "mesh"
+        static = 443
+        to = 443
+      }
+
+      port "imap" {
+        host_network = "mesh"
+        static = 143
+        to = 143
+      }
+    }
+
+    service {
+      name = "ingress-blowhole"
+      port = "80"
+
+      check {
+        type = "http"
+        path = "/health"
+        name = "jellyfin"
+        port = "http"
+        interval = "5s"
+        timeout = "5s"
+        header {
+          Host = [ "jellyfin.in.redalder.org" ]
+        }
+      }
+
+      check {
+        type = "http"
+        path = "/"
+        name = "zigbee2mqtt"
+        port = "http"
+        interval = "5s"
+        timeout = "5s"
+        header {
+          Host = [ "zigbee2mqtt.in.redalder.org" ]
+        }
+      }
+
+      check {
+        type = "http"
+        path = "/"
+        name = "home-assistant"
+        port = "http"
+        interval = "5s"
+        timeout = "5s"
+        header {
+          Host = [ "hass.in.redalder.org" ]
+        }
+      }
+
+      # check {
+      #   type = "http"
+      #   path = "/"
+      #   name = "syncthing"
+      #   port = "http"
+      #   interval = "5s"
+      #   timeout = "5s"
+      #   header {
+      #     Host = [ "syncthing.in.redalder.org" ]
+      #   }
+      # }
+
+      check {
+        type = "http"
+        path = "/api/health"
+        name = "grafana"
+        port = "http"
+        interval = "5s"
+        timeout = "5s"
+        header {
+          Host = [ "grafana.in.redalder.org" ]
+        }
+      }
+
+      check {
+        type = "http"
+        path = "/health"
+        name = "influx"
+        port = "http"
+        interval = "5s"
+        timeout = "5s"
+        header {
+          Host = [ "influx.in.redalder.org" ]
+        }
+      }
+
+      check {
+        type = "http"
+        path = "/"
+        name = "mainsail"
+        port = "http"
+        interval = "5s"
+        timeout = "5s"
+        header {
+          Host = [ "mainsail.in.redalder.org" ]
+        }
+      }
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "jellyfin"
+              local_bind_port  = 8001
+            }
+
+            upstreams {
+              destination_name = "zigbee2mqtt"
+              local_bind_port  = 8002
+            }
+
+            upstreams {
+              destination_name = "home-assistant"
+              local_bind_port  = 8003
+            }
+
+            upstreams {
+              destination_name = "syncthing"
+              local_bind_port  = 8004
+            }
+
+            upstreams {
+              destination_name = "dovecot-imap"
+              local_bind_port  = 8005
+            }
+
+            upstreams {
+              destination_name = "grafana"
+              local_bind_port  = 8006
+            }
+
+            upstreams {
+              destination_name = "influx"
+              local_bind_port  = 8007
+            }
+
+            upstreams {
+              destination_name = "mainsail"
+              local_bind_port  = 8008
+            }
+
+            upstreams {
+              destination_name = "matrix-synapse"
+              local_bind_port  = 8009
+            }
+
+            upstreams {
+              destination_name = "matrix-mautrix-facebook"
+              local_bind_port  = 8010
+            }
+          }
+        }
+
+        sidecar_task {
+          resources {
+            cpu = 75
+            memory = 48
+          }
+
+          config {
+            memory_hard_limit = 96
+          }
+        }
+      }
+    }
+
+    task "nginx" {
+      driver = "docker"
+
+      config {
+        nix_flake_ref = "${var.flake_ref}#nixngSystems.ingressBlowhole.config.system.build.toplevel"
+        nix_flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
+      }
+
+      resources {
+        cpu = 200
+        memory = 32
+        memory_max = 128
+      }
+
+      template {
+        data = <<EOF
+ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+EOF
+        destination   = "local/ssl.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = <<EOF
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+EOF
+        destination   = "local/headers.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = <<EOF
+add_header X-Frame-Options "SAMEORIGIN";
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+EOF
+        destination   = "local/security.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = var.upstreams
+
+        destination   = "local/upstreams.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = <<EOF
+upstream dovecot-imap {
+  server {{ env "NOMAD_UPSTREAM_ADDR_dovecot-imap" }};
+}
+
+server {
+  listen 143;
+
+  proxy_pass dovecot-imap;
+}
+EOF
+        destination   = "local/streams.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+    }
+  }
+}
diff --git a/terranix/containers/ingress-blowhole/upstreams.conf b/terranix/containers/ingress-blowhole/upstreams.conf
new file mode 100644
index 0000000..29cffc6
--- /dev/null
+++ b/terranix/containers/ingress-blowhole/upstreams.conf
@@ -0,0 +1,276 @@
+upstream jellyfin {
+  server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
+}
+
+upstream zigbee2mqtt {
+  server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
+}
+
+upstream home-assistant {
+  server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
+}
+
+upstream syncthing {
+  server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
+}
+
+upstream influx {
+  server {{ env "NOMAD_UPSTREAM_ADDR_influx" }};
+}
+
+upstream grafana {
+  server {{ env "NOMAD_UPSTREAM_ADDR_grafana" }};
+}
+
+upstream mainsail {
+  server {{ env "NOMAD_UPSTREAM_ADDR_mainsail" }};
+}
+
+upstream matrix-synapse {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
+}
+
+upstream matrix-mautrix-facebook {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
+}
+
+server {
+  listen 80;
+
+  server_name jellyfin.in.redalder.org;
+
+  include /local/security.conf;
+
+  client_max_body_size 100M;
+
+  location / {
+     # Proxy main Jellyfin traffic
+
+     # The / at the end is significant.
+     # https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
+
+     proxy_pass http://jellyfin/;
+
+     proxy_pass_request_headers on;
+
+     proxy_set_header Host $host;
+
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_set_header X-Forwarded-Proto $scheme;
+     proxy_set_header X-Forwarded-Host $http_host;
+
+     proxy_set_header Upgrade $http_upgrade;
+     proxy_set_header Connection $http_connection;
+
+     # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+     proxy_buffering off;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name syncthing.in.redalder.org;
+
+  include /local/security.conf;
+
+  location / {
+    include /local/headers.conf;
+
+    proxy_pass http://syncthing/;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name hass.in.redalder.org;
+
+  include /local/security.conf;
+
+  location / {
+    include /local/headers.conf;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://home-assistant/;
+
+    # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+    proxy_buffering off;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name zigbee2mqtt.in.redalder.org;
+
+  include /local/security.conf;
+
+  location / {
+    include /local/headers.conf;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://zigbee2mqtt/;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name grafana.in.redalder.org;
+
+  # Grafana really doesn't like that CSP policy
+  # include /local/security.conf;
+
+  location / {
+    include /local/headers.conf;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://grafana/;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name influx.in.redalder.org;
+
+  # Influx doesn't like it either
+  # include /local/security.conf;
+
+  location / {
+    include /local/headers.conf;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://influx/;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name mainsail.in.redalder.org;
+
+  # Influx doesn't like it either
+  include /local/security.conf;
+
+  location / {
+    include /local/headers.conf;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://mainsail/;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name matrix.in.redalder.org;
+
+  location ~ ^/_synapse/admin  {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  location /mufb/ {
+      proxy_pass http://matrix-mautrix-facebook$request_uri;
+      proxy_set_header Host $http_host;
+      proxy_buffering off;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name nomad.in.redalder.org;
+
+  location / {
+    proxy_pass http://blowhole.hosts.in.redalder.org:4646;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $host;
+
+    proxy_http_version 1.1;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name consul.in.redalder.org;
+
+  location / {
+    proxy_pass http://blowhole.hosts.in.redalder.org:8500;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $host;
+
+    proxy_http_version 1.1;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name vault.in.redalder.org;
+
+  location / {
+    proxy_pass http://blowhole.hosts.in.redalder.org:8200;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $host;
+
+    proxy_http_version 1.1;
+  }
+}
+
+server {
+  listen 80;
+
+  server_name _;
+  include /local/security.conf;
+
+  location / {
+    return 404;
+  }
+}
+
+# server {
+#   listen 443;
+
+#   server_name _;
+
+#   include /local/security.conf;
+
+#   location / {
+#     return 404;
+#   }
+# }