diff --git a/config/services/akkoma/default.nix b/config/services/akkoma/default.nix index 0b2316e9..f7c8dabc 100644 --- a/config/services/akkoma/default.nix +++ b/config/services/akkoma/default.nix @@ -7,6 +7,13 @@ system, ... }: let + purge_url_script = pkgs.writeScript "purge-url" '' + access_key=$(cat ${config.sops.secrets."services/bunny-key".path}) + for url in $@; do + url=$(echo $url | ${pkgs.python3}/bin/python3 -c "import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))") + ${pkgs.curl}/bin/curl -H "Authorization: Bearer $access_key" -X POST "https://api.bunny.net/purge?url=$url&async=false" + done + ''; emoji_set_names = ["volpeon-blobfox-flip" "volpeon-blobfox" "volpeon-bunhd-flip" "volpeon-bunhd" "volpeon-drgn" "volpeon-fox" "volpeon-raccoon" "volpeon-vlpn" "lotte" "caro"]; emoji_sets = builtins.listToAttrs (map (name: { inherit name; @@ -141,9 +148,17 @@ }; ":media_proxy" = { enabled = true; + base_url = "https://mediaproxy.chir.rs"; proxy_opts = { redirect_on_failure = true; }; + invalidation = { + enabled = true; + provider = mkRaw "Pleroma.Web.MediaProxy.Invalidation.Script"; + }; + }; + "Pleroma.Web.MediaProxy.Invalidation.Script" = { + script_path = "${purge_url_script}"; }; "Pleroma.Repo" = { adapter = mkRaw "Ecto.Adapters.Postgres"; @@ -214,6 +229,7 @@ in { } ]; sops.secrets."services/akkoma.exs" = {owner = "akkoma";}; + sops.secrets."services/bunny-key".owner = "akkoma"; services.caddy.virtualHosts."akko.chir.rs" = { useACMEHost = "chir.rs"; extraConfig = '' diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml index fb4b0566..079255f9 100644 --- a/secrets/nixos-8gb-fsn1-1.yaml +++ b/secrets/nixos-8gb-fsn1-1.yaml 
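Review bot: In the added `purge-url` script the bunny.net key is put on curl's command line (`-H "Authorization: Bearer $access_key"`), where any local account able to read process arguments can see it, and `$@` and `$url` are expanded unquoted even though the arguments are presumably media URLs taken from remote posts. The script is built with `pkgs.writeScript` and its text has no interpreter line, so whether it starts at all depends on how the invalidation provider executes it; `pkgs.writeShellScript` removes that doubt. curl also runs without `--fail`, so a rejected purge exits 0 and the cached copy stays on the CDN unnoticed. The rewrite below quotes the expansions, passes the header through curl's config on stdin, and surfaces HTTP errors.

```nix
purge_url_script = pkgs.writeShellScript "purge-url" ''
  # … unchanged: access_key read from the sops secret path …
  for url in "$@"; do
    url=$(printf '%s' "$url" | ${pkgs.python3}/bin/python3 -c "import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
    # The header is fed through curl's config on stdin so the key never appears in argv.
    printf 'header = "Authorization: Bearer %s"\n' "$access_key" \
      | ${pkgs.curl}/bin/curl --fail --silent --show-error --config - \
          -X POST "https://api.bunny.net/purge?url=$url&async=false"
  done
'';
```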
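Review bot: `sops.secrets."services/bunny-key".owner = "akkoma";` makes the CDN key readable by what is presumably the account the Akkoma service runs as, the same process that handles remote media, and nothing in the change records what the key is allowed to do. If bunny.net can issue a key limited to purging, that is the one to store here; otherwise a comment above the line such as `# account-level bunny.net key, read only by purge-url` would tell the next reader what is exposed if the service is compromised. The neighbouring secret is written as `= {owner = "akkoma";};`, so the same attribute-set form would keep the two lines consistent.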
@@ -10,6 +10,7 @@ security: services: nix: cache-key: ENC[AES256_GCM,data:aLUW21G4ubmxS97LOwvUY+9ovrk02tZwq3D6tSO5tK9DwhySEuquQIHKsmuhsQtuCZRDLPgRh+T1XIKykWxv0S42NhdMGiE6GuRs8SbnEwcYMHwEPwHHMppG38G+EEKmTA==,iv:nm0yWYS8xk2C5mn3lpSEocqmCFOx2rL57euMfcXOXHA=,tag:WXEAMiMS9S/0hKrd63mBLQ==,type:str] + bunny-key: ENC[AES256_GCM,data:Jby03Y/0MjzED+fGNn8dLQkVhR9D5mhz8gzkG27hxQ1UezdzhxaPV56fIeCmn8yDespwMLMjEXPiIsM/GFS0y58ctl7OHuEW,iv:3R8+z/KuRaqybs4KbfZtrXiIAMZ5oCIH8tZhFN8MjWs=,tag:VIb442EBs0TlLfwWNvMmng==,type:str] peertube: ENC[AES256_GCM,data:7ZFddxNg4bgXnn56OhcY23aU7Yz6qIyQgOxXg0wDgG7jOyefU2VAQwupmr0OUmD6I1C12gGLv0JymktVSLcZ4pEIhx/cbSmn2dHrWqHDyzp/xRfUYFjTxtc+rKQUpH4vX9hnqC0dx7Hp9/7kIPGQOTkUneg/f9amw2zZlMj/XsuUpzSF5g==,iv:KdaWy211C2H5QTVweLWmE8/r3GV2StTJUE0fXrudo4U=,tag:5WMWhJMgH11byV7EHIHn2w==,type:str] akkoma.exs: ENC[AES256_GCM,data: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,iv:HRszf3GE1/4xFwdWpTF7sz9TIKXO/2Y8j5Qd+Dk3zj0=,tag:iLSSIiOG4m+YuEcfCXyf/g==,type:str] matrix-media-repo: @@ -76,8 +77,8 @@ sops: N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-27T09:42:45Z" - mac: ENC[AES256_GCM,data:qnicU8esh7GytPm4v2PdZ2f8MEL+u/VkSnU/Zutnj+qKBfT91/MVxHV24mX9ozZhvTv/qFv0cl2hhBj4FOY/nnm2xGTJZ9TpkyFy69rg1c860uaqhTu3MnNNtmDAb13ywXNfri9rUG4xqXtJZMnvSUeQHjhns8KXjvC7Aj1Dvrs=,iv:zSpE/1kKLc9fL2mAD2ByZWGqJ1wE6JuxChMifjs1q0c=,tag:o8g+taLxtnZb3mF72sxrbA==,type:str] + lastmodified: "2022-12-04T12:33:55Z" + mac: ENC[AES256_GCM,data:32UzO0QJVp1YtEaL67k9BCckx3G2E7eX7Sa+MORwidjGCEg2UrEzn15DlBuLKHr/iaZzOO3eQSODnJXBGCv6h5m8WOCFyieCHClC3HpiOGPAaUPSZjx5xD5Lnvaziy6q5sZe7a+3DnQf3G8ajb2YSwB+CsjuRjAulnZJzxvKCQA=,iv:K795ZLX86GekNWlkJUmVZSaclEL3URABH33nD+/TG5E=,tag:R33H43tw1zUta7Pqu1nEWQ==,type:str] pgp: - created_at: "2022-02-02T17:50:42Z" enc: | diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix index e0df1759..e4beb27b 100644 --- a/zones/chir.rs.nix 
+++ b/zones/chir.rs.nix @@ -102,7 +102,7 @@ with dns.lib.combinators; let SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 19; + serial = 20; }; NS = [ "ns1.chir.rs." @@ -171,7 +171,7 @@ with dns.lib.combinators; let _keybase.TXT = [ (ttl zoneTTL (txt "keybase-site-verification=r044cwg0wOTW-ws35BA5MMRLNwjdTNJ4uOu6kgdTopI")) ]; - + www = createZone {}; api = createZone {}; git = createZone {}; @@ -193,6 +193,7 @@ with dns.lib.combinators; let "cache-chir-rs.b-cdn.net." ]; peertube = createZone {}; + mediaproxy.CNAME = [ "mediaproxy-chir-rs.b-cdn.net." ]; int = delegateTo [