diff --git a/dnsconfig.js b/dnsconfig.js
index e7df78c..e28c2a5 100644
--- a/dnsconfig.js
+++ b/dnsconfig.js
@@ -68,8 +68,9 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
 
 	TLSA("_25._tcp.mail", 3, 1, 1, "e66a608a3ec459bda7fb1f2d500b8abeb78f2910f26641204b6bc454b8aa2a49"),
 
-	acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
 	acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"),
+	acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
+	acme_challenge("paas", "92924f7c-0859-4941-9e3d-2ecedfb21c1b"),
 
 	verify_amazon_ses(dkim_ses["serguzim.me"]),
 
diff --git a/playbooks/for-ansible-lint.yml b/playbooks/for-ansible-lint.yml
index ec44b2b..1a84708 100644
--- a/playbooks/for-ansible-lint.yml
+++ b/playbooks/for-ansible-lint.yml
@@ -9,8 +9,8 @@
     - authentik
     - backup
     - caddy
+    - dokku
     - extra_services
-    - faas
     - forgejo
     - forgejo_runner
     - gatus
diff --git a/playbooks/roles/dokku/tasks/main.yml b/playbooks/roles/dokku/tasks/main.yml
new file mode 100644
index 0000000..dfc5337
--- /dev/null
+++ b/playbooks/roles/dokku/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ role_name }}
+  vars:
+    svc: "{{ dokku_svc }}"
+    env: "{{ dokku_env }}"
+    compose: "{{ dokku_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
diff --git a/playbooks/roles/dokku/vars/main.yml b/playbooks/roles/dokku/vars/main.yml
new file mode 100644
index 0000000..1c3d999
--- /dev/null
+++ b/playbooks/roles/dokku/vars/main.yml
@@ -0,0 +1,35 @@
+---
+dokku_svc:
+  domain: "{{ all_services | service_get_domain(role_name) }}"
+  additional_domains:
+    - "*.paas.serguzim.me"
+  caddy_extra: import acmedns
+  docker_host: host.docker.internal
+  port: 3080
+  extra_svcs:
+    - domain: serguzim.me
+      www_domain: true
+      hsts: true
+      docker_host: host.docker.internal
+      port: 3080
+
+
+dokku_env:
+  DOKKU_HOSTNAME: "{{ dokku_svc.domain }}"
+  DOKKU_HOST_ROOT: /var/lib/dokku/home/dokku
+  DOKKU_LIB_HOST_ROOT: /var/lib/dokku/var/lib/dokku
+
+dokku_compose:
+  watchtower: false
+  network: false
+  image: dokku/dokku:0.35.8
+  volumes:
+    - "/var/lib/dokku:/mnt/dokku"
+    - "/var/run/docker.sock:/var/run/docker.sock"
+  file:
+    services:
+      app:
+        network_mode: bridge
+        ports:
+          - "3022:22"
+          - "3080:80"
diff --git a/playbooks/roles/faas/tasks/main.yml b/playbooks/roles/faas/tasks/main.yml
deleted file mode 100644
index 85e7c33..0000000
--- a/playbooks/roles/faas/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Set common facts
-  ansible.builtin.import_tasks: tasks/set-default-facts.yml
-
-- name: Deploy {{ role_name }}
-  vars:
-    svc: "{{ faas_svc }}"
-  block:
-    - name: Import tasks to template the site and functions for the reverse proxy
-      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml
diff --git a/playbooks/roles/faas/vars/main.yml b/playbooks/roles/faas/vars/main.yml
deleted file mode 100644
index fce3f0f..0000000
--- a/playbooks/roles/faas/vars/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-faas_svc:
-  domain: "{{ all_services | service_get_domain(role_name) }}"
-  docker_host: host.docker.internal
-  port: 8080
-  extra_svcs:
-    - domain: serguzim.me
-      faas_function: webpage-serguzim-me
-      www_domain: true
-      hsts: true
-      caddy_extra: |
-        header /.well-known/* Access-Control-Allow-Origin *
-
-        handle /.well-known/webfinger {
-            map {query.resource} {user} {
-                acct:tobias@msrg.cc serguzim
-                acct:serguzim@msrg.cc serguzim
-            }
-            rewrite * /.well-known/webfinger/{user}.json
-            import faas webpage-msrg-cc
-        }
diff --git a/playbooks/roles/synapse/vars/main.yml b/playbooks/roles/synapse/vars/main.yml
index d17e736..f1e62ed 100644
--- a/playbooks/roles/synapse/vars/main.yml
+++ b/playbooks/roles/synapse/vars/main.yml
@@ -12,8 +12,6 @@ synapse_svc:
     }
   extra_svcs:
     - domain: matrix.serguzim.me:8448
-      additional_domains:
-        - serguzim.me:8448
       docker_host: synapse
       port: 8008
   db:
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 6fb5ad0..ac3252d 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -60,32 +60,34 @@ services = {
     s3 = false
   },
 
-  "extra_services" = {
+  "dokku" = {
     host = "node001"
-    auth = false
-    database = false
-    s3 = false
-  },
-
-  "faas" = {
-    host = "node002"
     dns = [
       {
-        domain = "faas.serguzim.me"
+        domain = "paas.serguzim.me"
+      },
+      {
+        domain = "*.paas.serguzim.me"
+        name = "dokku-wildcard"
+        alias = "dokku"
       },
       {
         domain = "serguzim.me"
         name = "webpage-serguzim"
-        alias = "faas"
+        alias = "dokku"
       },
       {
         domain = "www.serguzim.me"
         name = "webpage-serguzim-www"
         alias = "webpage-serguzim"
-      }
+      },
     ]
+    backup = [{
+      name = "dokku"
+      type = "directory"
+      path = "/var/lib/dokku"
+    }]
     monitoring = {
-      url = "/healthz"
       group = "7-support"
     }
     auth = false
@@ -93,6 +95,13 @@ services = {
     s3 = false
   },
 
+  "extra_services" = {
+    host = "node001"
+    auth = false
+    database = false
+    s3 = false
+  },
+
   "forgejo" = {
     host = "node001"
     dns = [{
@@ -278,7 +287,7 @@ services = {
   },
 
   "minio" = {
-    host = "node002"
+    host = "node001"
     dns = [
       {
         domain = "s3.serguzim.me"
diff --git a/variables.tf b/variables.tf
index 89db8ea..fb508e5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -151,6 +151,7 @@ variable "services" {
     backup = optional(list(object({
       name = string
       type = string
+      path = optional(string)
     })))
     monitoring = optional(object({
       url   = optional(string)
diff --git a/visualize.py b/visualize.py
index b187341..13b2d5c 100755
--- a/visualize.py
+++ b/visualize.py
@@ -9,8 +9,8 @@ import hcl2
 icon_overrides = {
     "acme_dns": "lets-encrypt",
     "backup": "restic",
+    "dokku": None,
     "extra_services": None,
-    "faas": None,
     "forgejo_runner": "forgejo",
     "healthcheck": "healthchecks",
     "lego": "lets-encrypt",