diff --git a/scripts/caddy/Caddyfile.templ b/scripts/caddy/Caddyfile.templ
index b80a752..229359c 100644
--- a/scripts/caddy/Caddyfile.templ
+++ b/scripts/caddy/Caddyfile.templ
@@ -2,8 +2,14 @@
acme_dns hetzner $hetzner_secret
}
-https://$domain {
- respond "Hello world"
+(blocked_matcher) {
+ @blocked not remote_ip 10.0.0.0/24 10.0.89.0/24 127.0.0.1
+}
+(internal_only) {
+ import blocked_matcher
+ handle @blocked {
+ abort
+ }
}
import /etc/caddy/conf.d/*
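Review bot: The allow-list on the `@blocked` matcher includes `127.0.0.1`, which makes every process on the host count as "inside" — including any upstream that a conf.d site later reverse-proxies to and that can reach its own loopback — so a request-forgery bug in a local app would walk straight past the gate; drop `127.0.0.1` unless a local client genuinely needs it, and if it stays, put the reason in a comment next to it. `remote_ip` compares the TCP peer address and ignores X-Forwarded-For, which is the right choice while Caddy is the edge (the script opens 80/443 directly), but it silently stops working the day a load balancer is put in front, so add `# remote_ip = TCP peer, ignores X-Forwarded-For; edge-only, use client_ip + trusted_proxies behind a proxy` above the matcher. The `(internal_only)` snippet is not imported by any file in this diff; if it is meant for conf.d sites that should hard-abort instead of serving the landing page, say so in a comment on the snippet.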
diff --git a/scripts/caddy/caddy.service b/scripts/caddy/caddy.service.templ
similarity index 97%
rename from scripts/caddy/caddy.service
rename to scripts/caddy/caddy.service.templ
index 618eaf7..cfb25c6 100644
--- a/scripts/caddy/caddy.service
+++ b/scripts/caddy/caddy.service.templ
@@ -32,6 +32,7 @@ PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment="DOMAIN=$domain"
[Install]
WantedBy=multi-user.target
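Review bot: `Environment="DOMAIN=$domain"` is the only placeholder visible in this hunk, but renaming the unit to `.templ` now routes the whole file through `_fill`, which on the evidence of script.sh substitutes `$name` placeholders; any systemd-native `$VAR`/`${VAR}` reference in the `[Service]` section (which starts outside the hunk) would now be rewritten or emptied by the same pass. Confirm there are none, and document the convention at the top of the unit, e.g. `# templated: $domain is replaced by _fill at install time; do not use systemd $VAR syntax in this file`. DOMAIN is consumed by `{$DOMAIN}` in landing.Caddyfile at parse time, so an empty substitution would yield a site address of `https://` rather than a visible error — worth a line in the same comment.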
diff --git a/scripts/caddy/index.html b/scripts/caddy/index.html
new file mode 100644
index 0000000..f0751f4
--- /dev/null
+++ b/scripts/caddy/index.html
@@ -0,0 +1,34 @@
+
+
+
+ hangar.in
+
+
+
+
+
+
+
+ Welcome to the hangar! Your connection does not come from inside our network.
+ Please turn on the VPN, or hop on the next train to Prague :)
+
+
~ Admins, with ❤️
+
+
+
diff --git a/scripts/caddy/landing.Caddyfile b/scripts/caddy/landing.Caddyfile
new file mode 100644
index 0000000..616a832
--- /dev/null
+++ b/scripts/caddy/landing.Caddyfile
@@ -0,0 +1,10 @@
+https://{$DOMAIN} {
+ import blocked_matcher
+ handle @blocked {
+ file_server {
+ root /var/www
+ status 403
+ }
+ }
+ respond "Hello from the inside!"
+}
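Review bot: `file_server` with `root /var/www` inside `handle @blocked` serves any path beneath /var/www to clients outside the allow-listed networks, not just the landing page, so anything later dropped into that directory (or a sibling site's assets, if they share the root) becomes fetchable from the outside with a 403 status but a full body. Pin the outside-facing response to the one file by adding `rewrite * /index.html` as the first line of the `handle @blocked` block; `status 403` still applies to the served body. If the site is only meant to show the hint page and nothing else, a comment such as `# outside the allow-list: always the static landing page, never the file tree` above the handle block records the intent for whoever adds the next conf.d site.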
diff --git a/scripts/caddy/script.sh b/scripts/caddy/script.sh
index af9d562..aaa647b 100644
--- a/scripts/caddy/script.sh
+++ b/scripts/caddy/script.sh
@@ -10,19 +10,8 @@ _ch_001-download_binary() {
sudo chmod +x /usr/bin/caddy;
}
-# fill and copy config
-_ch_002-add_config() {
- sudo mkdir -p /etc/caddy/conf.d;
- sudo cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile;
- sudo chmod a+rx /etc/caddy;
- sudo chgrp $USER /etc/caddy/Caddyfile;
- sudo chmod a+r,g+w /etc/caddy/Caddyfile;
- sudo chgrp $USER /etc/caddy/conf.d;
- sudo chmod a+rx,g+w /etc/caddy/conf.d;
-}
-
# create data folder with correct perms
-_ch_003-create_user() {
+_ch_002-create_user() {
sudo groupadd --system caddy;
sudo useradd --system \
--gid caddy \
@@ -33,13 +22,30 @@ _ch_003-create_user() {
caddy;
}
-_ch_004-create_service() {
- sudo cp caddy.service /etc/systemd/system/caddy.service;
+# fill and copy default config
+_ch_003-add_config() {
+ # create configuration directories and make sure
+ # only caddy and we have access to them
+ sudo mkdir -p /etc/caddy/conf.d;
+ sudo chown -R $USER:caddy /etc/caddy;
+ chmod g+s a-rwx /etc/caddy /etc/caddy/conf.d;
+
+ cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile;
+}
+
+_ch_004-add_default_landing_page() {
+ sudo mkdir -p /var/www;
+ sudo cp index.html /var/www;
+ cp landing.Caddyfile /etc/caddy/conf.d;
+}
+
+_ch_005-create_service() {
+ sudo cp $(_fill caddy.service.templ) /etc/systemd/system/caddy.service;
sudo systemctl daemon-reload;
sudo systemctl enable --now caddy;
}
-_ch_005-allow_firewall() {
+_ch_006-allow_firewall() {
if command -v ufw &> /dev/null; then
sudo ufw allow 80;
sudo ufw allow 443;
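Review bot: `chmod g+s a-rwx /etc/caddy /etc/caddy/conf.d` in `_ch_003-add_config` strips read/write/execute from owner and group as well, so the unprivileged `cp` on the next line cannot create /etc/caddy/Caddyfile, and the caddy user (group caddy via the preceding chown) cannot traverse the directory or read its config when `_ch_005` starts the service; the comment says "only caddy and we have access", which is mode `2750` (owner rwx, group rx, setgid), not `a-rwx`. The Caddyfile and landing.Caddyfile then receive whatever mode the caller's umask yields, typically 644, and the filled Caddyfile carries `$hetzner_secret`, so set `640` explicitly rather than relying on umask (the removed `chmod a+r` had the same problem). Quoting `"$USER"` and `"$(_fill ...)"` avoids word-splitting on whatever path `_fill` prints — I cannot see `_fill`, so verify it returns a single path.

```shell
_ch_003-add_config() {
    # config directories: owner (us) rwx, group caddy rx, nobody else;
    # setgid so files created below inherit group caddy
    sudo mkdir -p /etc/caddy/conf.d;
    sudo chown -R "$USER":caddy /etc/caddy;
    sudo chmod 2750 /etc/caddy /etc/caddy/conf.d;

    # the filled Caddyfile holds the Hetzner DNS token: never world-readable
    cp "$(_fill Caddyfile.templ)" /etc/caddy/Caddyfile;
    chmod 640 /etc/caddy/Caddyfile;
}

_ch_004-add_default_landing_page() {
    sudo mkdir -p /var/www;
    sudo cp index.html /var/www;
    cp landing.Caddyfile /etc/caddy/conf.d;
    chmod 640 /etc/caddy/conf.d/landing.Caddyfile;
}
# … unchanged: _ch_005-create_service, _ch_006-allow_firewall …
```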