diff --git a/hosts/containers/bind/default.nix b/hosts/containers/bind/default.nix
index 71a3ab62..3dddad18 100644
--- a/hosts/containers/bind/default.nix
+++ b/hosts/containers/bind/default.nix
@@ -3,6 +3,7 @@ let
 systemctl = "${pkgs.systemd}/bin/systemctl";
 deployCommand = "${systemctl} start deploy-c3d2-dns";
 reloadCommand = "${systemctl} reload bind";
+ restartCommand = "${systemctl} restart bind";
 in
 {
 c3d2 = {
@@ -19,13 +20,17 @@ in
 
 networking.defaultGateway = "172.20.73.1";
 networking.firewall.allowedTCPPorts = [
+ # DNS
 53
+ # HTTP(s)
 80
 443
 ];
 networking.firewall.allowedUDPPorts = [
+ # DNS
 53
 ];
+ # DNS server
 services.bind = {
 enable = true;
 extraConfig = ''
@@ -37,6 +42,14 @@ in
 };
 '';
 };
+ systemd.services.bind = {
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "1s";
+ };
+ };
+
+ # BIND statistics in Grafana
 services.collectd.plugins.bind = ''
 URL "http://127.0.0.1:8053/";
 ParseTime false
@@ -48,20 +61,6 @@ in
 MemoryStats true
 '';
 
- # Web server
- services.nginx = {
- enable = true;
- virtualHosts = {
- # hooks, logs
- "bind.serv.zentralwerk.org" = {
- default = true;
- enableACME = true;
- forceSSL = true;
- locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
- };
- };
- };
-
 # Build user
 users.groups.c3d2-dns = {};
 users.users.c3d2-dns = {
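Review bot: The new `systemd.services.bind` override sets `Restart = "always"` and `RestartSec = "1s"` without a comment on why BIND now restarts unconditionally, and the interaction with the deploy script changed in this same commit deserves one, since that script picks reload vs. restart via `systemctl is-active -q bind`. With a one-second interval, a BIND that exits on a broken zone file will reach the unit's default start-rate limit (five starts per ten seconds unless `StartLimitBurst`/`StartLimitIntervalSec` are set) within a few seconds and sit in `failed`; a `systemctl restart` issued inside that window may itself be refused until the interval passes or `systemctl reset-failed` runs. Suggested comment above the block: `# Keep BIND up after crashes; a persistently broken config still trips the default start-rate limit and leaves the unit failed, so deploy errors must be caught before reload/restart`. If the intent is only crash recovery, `Restart = "on-failure"` expresses that more narrowly than `always`.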
@@ -108,15 +107,25 @@ in
 -H "Content-Type: application/json" \
 -d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
 
+ # Fix legacy paths (TODO)
 for f in *.conf ; do
 sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
 done
- /run/wrappers/bin/sudo systemctl reload bind
+ # Allow creation of .jnl files by BIND for DynDNS
+ chmod a+w zones
+ # Take action
+ if systemctl is-active -q bind; then
+ /run/wrappers/bin/sudo ${reloadCommand}
+ MSG=reload
+ else
+ /run/wrappers/bin/sudo ${restartCommand}
+ MSG=restart
+ fi
 if [ $? = 0 ]; then
- STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
+ STATUS="{ \"context\": \"c3d2-dns\", \"description\": \""$MSG"ed\", \"state\": \"success\"}"
 else
- STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
+ STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"$MSG failure\", \"state\": \"failure\"}"
 fi
 curl -X POST \
 "https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
@@ -137,12 +146,7 @@ in
 };
 };
 
- systemd.timers.deploy-c3d2-dns = {
- partOf = [ "deploy-c3d2-dns.service" ];
- wantedBy = [ "timers.target" ];
- timerConfig.OnCalendar = "hourly";
- };
-
+ # Privileged commands triggered by webhook/deploy-c3d2-dns
 security.sudo.extraRules = [ {
 users = [ "c3d2-dns" ];
 commands = [ {
@@ -151,9 +155,27 @@ in
 } {
 command = reloadCommand;
 options = [ "NOPASSWD" ];
+ } {
+ command = restartCommand;
+ options = [ "NOPASSWD" ];
 } ];
 } ];
 
+ # Web server just for the webhook
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ # hooks, logs
+ "bind.serv.zentralwerk.org" = {
+ default = true;
+ enableACME = true;
+ forceSSL = true;
+ locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
+ };
+ };
+ };
+
+ # Webhook service
 systemd.services.webhook = let
 hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
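Review bot: `if [ $? = 0 ]; then` after the new `if systemctl is-active -q bind … fi` block no longer tests the reload/restart: the exit status of an `if` compound is that of the last command run in the taken branch, which is now the assignment `MSG=reload` or `MSG=restart` and therefore always 0, so a failed sudo call is still posted to Gitea as a `reloaded`/`restarted` success (unless the script runs under `set -e`, which lies outside this hunk). Moving each `MSG=` assignment above its sudo call makes the sudo command the last one in the branch and restores the check, as in the excerpt below. Separately, `chmod a+w zones` makes the zone directory writable by every local account rather than only by BIND; granting write access to the service's group instead (`chgrp <bind-group> zones` and `chmod g+w zones`, with the group name taken from the NixOS bind module) still lets named create its `.jnl` files without exposing the zone data. The enclosing deploy script starts and ends outside this hunk.
```nix
        if systemctl is-active -q bind; then
          MSG=reload
          /run/wrappers/bin/sudo ${reloadCommand}
        else
          MSG=restart
          /run/wrappers/bin/sudo ${restartCommand}
        fi
        # … unchanged: status reporting to Gitea …
```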