diff --git a/.sops.yaml b/.sops.yaml
index 800c542..6b2596f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
 - &gitea age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae
 - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
 - &minio age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49
+ - &proxy age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m
 creation_rules:
 - path_regex: machines/loki/[^/]+\.yaml$
 key_groups:
@@ -44,3 +45,9 @@ creation_rules:
 - *erwin
 - *erwin_horus
 - *minio
+ - path_regex: machines/proxy/[^/]+\.ya?ml$
+ key_groups:
+ - age:
+ - *erwin
+ - *erwin_horus
+ - *proxy
diff --git a/flake.nix b/flake.nix
index e4dccf9..b6209a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -78,6 +78,12 @@
 inputs.rust-overlay.follows = "rust-overlay";
 };
+ caddy-with-plugins = {
+ url = "github:eboskma/caddy-with-plugins";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.flake-parts.follows = "flake-parts";
+ };
 ha-now-playing = {
 url = "git+https://git.datarift.nl/erwin/ha-now-playing.git?ref=main";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/machines/proxy/configuration.nix b/machines/proxy/configuration.nix
index 0c64604..aef83c6 100644
--- a/machines/proxy/configuration.nix
+++ b/machines/proxy/configuration.nix
@@ -1,5 +1,5 @@
-{ self, ... }:
-{ modulesPath, ... }: {
+{ self, caddy-with-plugins, ... }:
+{ modulesPath, pkgs, ... }: {
 imports = [
 (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ../../users/root
@@ -15,7 +15,15 @@
 enable = true;
 remote-builders = true;
 };
- nginx-proxy-manager.enable = true;
+ nginx-proxy-manager.enable = false;
+ caddy-proxy = {
+ enable = true;
+ package = caddy-with-plugins.lib.caddyWithPackages {
+ inherit (pkgs) caddy buildGoModule;
+ plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
+ vendorSha256 = "juhzEaAv3s8KAcyloSNotAddOqgMBqjOcTkbA15Gj/U=";
+ };
+ };
 };
 boot.isContainer = true;
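Review bot: The new rule's `path_regex` ends in `\.ya?ml$` while the loki rule earlier in the file matches `\.yaml$` only; a creation rule decides which age recipients a secrets file is encrypted to, so the rules should share one pattern form rather than let a stray `.yml` match a different rule than its siblings. Either narrow it to `- path_regex: machines/proxy/[^/]+\.yaml$` or widen the existing rules in the same commit. Adding `*proxy` to a rule for a brand-new file needs no `sops updatekeys`, but the three recipients in the new secrets.yaml should be checked against `*erwin`, `*erwin_horus` and `*proxy`; only the `&proxy` key is visible in this diff.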
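Review bot: `url = "github:eboskma/caddy-with-plugins";` carries no `ref` or `rev`, so the revision actually built is whatever flake.lock pins, and that lock update is not part of this diff as shown. Since this input produces the binary that terminates TLS for every public site and reads the Cloudflare token, it is worth pinning in-tree, `url = "github:eboskma/caddy-with-plugins/<commit>";`, or at least confirming the lock entry landed with this change. The surrounding `inputs` set starts and ends outside the hunk.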
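Review bot: `nginx-proxy-manager.enable = false;` keeps the old proxy's switch in place rather than removing it, with no comment on why; if that module defaults to off (not visible here) the line is dead, and if it does not, the reason belongs next to it, e.g. `nginx-proxy-manager.enable = false; # replaced by caddy-proxy, which takes over 80/443`. The plugin pin `github.com/caddy-dns/cloudflare@74f004e…` to a full commit together with `vendorSha256` is the right shape for a build that will end up holding a DNS API token: a dependency drift fails the build instead of silently changing what runs. The `eboskma = { … }` set this sits in starts outside the hunk.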
@@ -52,7 +60,9 @@
 security.sudo.execWheelOnly = true;
 sops.defaultSopsFile = ./secrets.yaml;
- sops.secrets = { };
+ sops.secrets = {
+ caddy-env = { };
+ };
 system.stateVersion = "21.11";
 }
diff --git a/machines/proxy/hardware-configuration.nix b/machines/proxy/hardware-configuration.nix
deleted file mode 100644
index c2c38a9..0000000
--- a/machines/proxy/hardware-configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ modulesPath
-, ...
-}: {
- imports = [
- (modulesPath + "/virtualisation/lxc-container.nix")
- ];
-}
diff --git a/machines/proxy/secrets.yaml b/machines/proxy/secrets.yaml
new file mode 100644
index 0000000..56b82e6
--- /dev/null
+++ b/machines/proxy/secrets.yaml
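Review bot: `caddy-env = { };` takes sops-nix's defaults for owner and mode, which (unless overridden elsewhere) leave the decrypted file root-owned and 0400; that is the right setting here, because `EnvironmentFile` is opened by systemd before the unit drops to the caddy user, so nothing has to be relaxed for the service to read it. A comment would stop the next reader from handing the file to the caddy user: `caddy-env = { }; # CF_API_TOKEN for caddy; read by systemd via EnvironmentFile, so root:0400 is enough`. Whether the encrypted value actually contains a `CF_API_TOKEN=` line cannot be checked from this diff. The module's attribute set starts outside the hunk.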
@@ -0,0 +1,39 @@ +caddy-env: ENC[AES256_GCM,data:wtnl9YIyeLa9mYywihEWGrTiFXjzyAB6eUNDTVHKVNU213zYqcoe+n1r57wtC5qNRdNeEHMi,iv:Q5qtSyIyV55omNmXFxguyslWB1lRAxQpGQlN9NKRmAE=,tag:mDJF/3jEjsS1V3Zk8cnMbQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMDh2aUZrNjFrb0FoOUN2 + Q0ZYUGJUaVh0QnU4NWV1bzU3OEJNUU1iZzNRCkgxYnN4NzJnaldrSXZsY2VPM1ZF + YlR4eVlmRG9yVU1ieWJEbU13bnljV2sKLS0tIFFIODJtRFZ4SjFMbWZDZVFCMUUv + VjBpQUY2OWRpNWNpcDVXVUhTQnFvMXcKF6T0r4jS+mtmsm0oG48n8GTrIh6K6QFB + rLa2LMjqXJFv1PohM3/oRdznHKLV8sW1mr/GQ+DgNmh/8i0J1RH/vA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUDVGaTFzdTNpdkJaQ1Qw + ZGRWNHBEcHo5VHh1SXIxUHJjVHhlVWV6Y3g4CjJGTlQ2M1JXMi8wamREQ29ud0ho + anVaV2FtUkp4SGt2ZlFwSmpyMUxQclUKLS0tIDIrVGhZUkRzMG42RXFIdFVybFZO + K1FiL21YTTh5RVZ4eEZaN0FjNmZmeXcK2cC+7TXmiXlcfbYelTjqpTMBMYh255Du + g82xFVcvd404xnnrDuYp5hHFnz3D3Gg6IQoVjJv6H+t5I2x/gJiQZg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dg4euuwvqyyuwpjm08psvehgxr5p6q76ht8k4je6z2xc2pv55vksw9ap7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGM0K1FJbmdvMUJWd2wz + djBRMWxML2dBQ2ZBTjN1S0gwWDlSUytWeERnCmZteWFZRnpKcEt5aXo3R00zWUkx + RGVCdFhVYVR2RjZaZGJ0YnAvVnpBcGcKLS0tIHpUV25RcmFjMENTQWI5OVdVZ2Zz + RW5kVVdlTmxsalB1TFVRd2dUOU5kL00KP4f1FGMxnWJajfdQqeTXr1ADu6HCTcto + yUbbhHkhwS8IBUM0ETbEaY76o3y9WufAye37Lp3Vg44GN5IozURpOg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-09T22:09:02Z" + mac: 
ENC[AES256_GCM,data:PxSVqIFldfaMf/XGV+eHwEGZoSLDBCc+Vmgt9EMMMA9CrJLniMXdBWCfDyoIal3JOPy7RekwMHsw56D56vaX7Fe0g80/IK+xoUv8a6nrXW1T58bOuQbSliuKI3MbGHYrqDkZXr+7+A8rugg3ENwmGdunQx02CzS5v3RraCzr/L4=,iv:avU85FslUGNdLRRyCgrlfS+WvAES1MGqyJ5Yy3fUPHU=,tag:b6reWUEKxIUQNystlRRYNA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/modules/caddy-proxy/default.nix b/modules/caddy-proxy/default.nix
new file mode 100644
index 0000000..4c76614
--- /dev/null
+++ b/modules/caddy-proxy/default.nix
@@ -0,0 +1,63 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+ cfg = config.eboskma.caddy-proxy;
+
+ mkProxyHost = target: {
+ extraConfig = ''
+ reverse_proxy ${target}
+
+ tls {
+ dns cloudflare {env.CF_API_TOKEN}
+ }
+ '';
+ };
+
+ mkLocalProxyHost = target: {
+ extraConfig = ''
+ @local_or_ts {
+ remote_ip 10.0.0.0/24 100.64.0.0/10
+ }
+ handle @local_or_ts {
+ reverse_proxy ${target}
+ }
+ handle {
+ error "Nope." 401
+ }
+
+ tls {
+ dns cloudflare {env.CF_API_TOKEN}
+ }
+ '';
+ };
+in
+{
+ options.eboskma.caddy-proxy = {
+ enable = mkEnableOption "Caddy proxy";
+ package = mkPackageOption pkgs "caddy" { };
+ };
+
+ config = mkIf cfg.enable {
+ services.caddy = {
+ enable = true;
+ package = cfg.package;
+
+ email = "erwin@datarift.nl";
+
+ # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+ virtualHosts = {
+ "home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
+ "drone.datarift.nl" = mkProxyHost "drone.barn-beaver.ts.net:8100";
+ "frigate.datarift.nl" = mkLocalProxyHost "frigate.barn-beaver.ts.net:5000";
+ "git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
+ "minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
+ "minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
+ };
+ };
+
+ systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
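Review bot: In `mkLocalProxyHost` the allow-list `remote_ip 10.0.0.0/24 100.64.0.0/10` and the `error "Nope." 401` fallback are baked into the helper, so the only way to change who may reach frigate and the MinIO console is to edit the module, and 401 is the wrong status for a plain deny (it means "authenticate" and no challenge is offered; 403 says what is meant). Note too that 100.64.0.0/10 is the entire CGNAT range, not only the tailnet, and `remote_ip` checks the connection's peer address unless `trusted_proxies` is configured, so the gate stays meaningful only while nothing in front of Caddy rewrites that address; that deserves a comment on the matcher. Suggest lifting the CIDRs into a `localNetworks` option with the current values as default and returning 403, leaving the `config = mkIf …` block as it is. Separately, none of the six internet-facing sites enables access logging (a `log` directive per site, or `services.caddy.logFormat`), which is the first thing wanted when an incident on a public proxy has to be reconstructed.
```nix
let
  cfg = config.eboskma.caddy-proxy;

  # … unchanged: mkProxyHost …

  # Sites that must only be reachable from the LAN or the tailnet. remote_ip
  # matches the connection's peer address, not X-Forwarded-For, so this is
  # only meaningful while no trusted upstream proxy sits in front of Caddy.
  mkLocalProxyHost = target: {
    extraConfig = ''
      @local_or_ts {
        remote_ip ${concatStringsSep " " cfg.localNetworks}
      }
      handle @local_or_ts {
        reverse_proxy ${target}
      }
      handle {
        error "Forbidden" 403
      }

      # … unchanged: tls { dns cloudflare … } …
    '';
  };
in
{
  options.eboskma.caddy-proxy = {
    enable = mkEnableOption "Caddy proxy";
    package = mkPackageOption pkgs "caddy" { };
    localNetworks = mkOption {
      type = types.listOf types.str;
      default = [ "10.0.0.0/24" "100.64.0.0/10" ];
      description = "CIDRs allowed to reach the local-only virtual hosts (LAN and the tailnet's CGNAT range).";
    };
  };

  # … unchanged: config = mkIf cfg.enable { … } …
}
```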