diff --git a/shared/services.nix b/shared/services.nix
index ebd51de..d267792 100644
--- a/shared/services.nix
+++ b/shared/services.nix
@@ -8,7 +8,6 @@
       name = "kanidm";
       domain = "auth.baduhai.dev";
       host = "alexandria";
-      public = false;
       lanIP = "192.168.15.142";
       tailscaleIP = "100.76.19.50";
       port = 8443;
@@ -43,7 +42,6 @@
       name = "jellyfin";
       domain = "jellyfin.baduhai.dev";
       host = "alexandria";
-      public = false;
       lanIP = "192.168.15.142";
       tailscaleIP = "100.76.19.50";
       port = 8096;
diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix
index b74484c..3a5e6ee 100644
--- a/terranix/cloudflare/baduhai.dev.nix
+++ b/terranix/cloudflare/baduhai.dev.nix
@@ -3,7 +3,38 @@
 #   AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
 #   AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
 
-{ config, ... }:
+{ config, lib, ... }:
+
+let
+  inherit (import ../../shared/services.nix) services;
+
+  # Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git")
+  getSubdomain = domain: lib.head (lib.splitString "." domain);
+
+  # Generate DNS records for services
+  # Public services point to trantor's public IP
+  # Private services point to their tailscale IP
+  mkServiceRecords = lib.listToAttrs (
+    lib.imap0 (i: svc:
+      let
+        subdomain = getSubdomain svc.domain;
+        targetIP = if svc.public or false
+          then config.data.terraform_remote_state.trantor "outputs.instance_public_ip"
+          else svc.tailscaleIP;
+      in {
+        name = "service_${toString i}";
+        value = {
+          zone_id = config.variable.zone_id.default;
+          name = subdomain;
+          type = "A";
+          content = targetIP;
+          proxied = false;
+          ttl = 3600;
+        };
+      }
+    ) services
+  );
+in
 
 {
   terraform.required_providers.cloudflare = {
@@ -48,31 +79,24 @@
   };
 
   resource = {
-    cloudflare_dns_record.root = {
-      zone_id = config.variable.zone_id.default;
-      name = "@";
-      type = "A";
-      content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
-      proxied = false;
-      ttl = 3600;
-    };
+    cloudflare_dns_record = mkServiceRecords // {
+      root = {
+        zone_id = config.variable.zone_id.default;
+        name = "@";
+        type = "A";
+        content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
+        proxied = false;
+        ttl = 3600;
+      };
 
-    cloudflare_dns_record.www = {
-      zone_id = config.variable.zone_id.default;
-      name = "www";
-      type = "A";
-      content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
-      proxied = false;
-      ttl = 3600;
-    };
-
-    cloudflare_dns_record.wildcard = {
-      zone_id = config.variable.zone_id.default;
-      name = "*";
-      type = "A";
-      content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
-      proxied = false;
-      ttl = 3600;
+      www = {
+        zone_id = config.variable.zone_id.default;
+        name = "www";
+        type = "A";
+        content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
+        proxied = false;
+        ttl = 3600;
+      };
     };
   };
 }