diff --git a/playbooks/roles/authentik/vars/main.yml b/playbooks/roles/authentik/vars/main.yml
index 6318eda..03d4755 100644
--- a/playbooks/roles/authentik/vars/main.yml
+++ b/playbooks/roles/authentik/vars/main.yml
@@ -2,6 +2,7 @@
 authentik_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 9000
+  caddy_proxy_extra: "header_up X-Forwarded-Host {http.request.header.X-Forward-Auth-Host}"
   image_tag: 2025.2
   db:
     host: "{{ postgres.host }}"
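Review bot: The added `header_up X-Forwarded-Host {http.request.header.X-Forward-Auth-Host}` copies a request header straight into `X-Forwarded-Host`, and because `auth.serguzim.me` is a public vhost any client can send `X-Forward-Auth-Host` itself — that sidesteps the trusted-proxy filtering Caddy normally applies to `X-Forwarded-*`, so if authentik uses the forwarded host for its forward-auth redirect or host matching, that value becomes attacker-chosen. For browsers hitting the login UI directly the header is absent and the placeholder expands to an empty string; verify whether that leaves `X-Forwarded-Host` empty rather than the request host. Since this snippet is spliced inside the `reverse_proxy { }` block it cannot be gated with a `remote_ip` matcher; the cleaner path is to drop the override and list the address the forward-auth hairpin arrives from under the global `servers { trusted_proxies static ... }`, so Caddy preserves the `X-Forwarded-Host` it already sets on the first hop.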
diff --git a/playbooks/roles/caddy/files/snippets b/playbooks/roles/caddy/files/snippets
index 1de7f22..84b3a8a 100644
--- a/playbooks/roles/caddy/files/snippets
+++ b/playbooks/roles/caddy/files/snippets
@@ -1,16 +1,19 @@
 (auth_serguzim_me) {
     # always forward outpost path to actual outpost
-    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+    reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
+				header_up Host {http.reverse_proxy.upstream.hostport}
+				header_up X-Forward-Auth-Host {http.request.host}
+		}
 
     # forward authentication to outpost
-    forward_auth authentik:9000 {
+    forward_auth https://auth.serguzim.me {
         uri /outpost.goauthentik.io/auth/caddy
 
+				header_up Host {http.reverse_proxy.upstream.hostport}
+				header_up X-Forward-Auth-Host {http.request.host}
+
         # capitalization of the headers is important, otherwise they will be empty
         copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
-
-        # optional, in this config trust all private ranges, should probably be set to the outposts IP
-        trusted_proxies private_ranges
     }
 }
 
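Review bot: Pointing `forward_auth` and the outpost proxy at the public `https://auth.serguzim.me` instead of `authentik:9000` makes the auth round-trip re-enter Caddy through its TLS edge, and the new `header_up X-Forward-Auth-Host {http.request.host}` exists because on that second hop Caddy does not trust the `X-Forwarded-Host` it set itself; a custom header, unlike `X-Forwarded-*`, gets no trusted-proxy filtering, so anything that can reach the auth vhost can supply it. Prefer Caddy's own mechanism: add the address the hairpin arrives from (loopback or the host's public IP — confirm in the access log) to the global `servers { trusted_proxies static <addr> }`, keep the default `X-Forwarded-Host`, and remove both `header_up X-Forward-Auth-Host` lines. If going through the public vhost is intentional, a one-line comment in the snippet stating the reason would save the next reader from reverting it. Also, the added lines are indented with tabs while the rest of the snippet uses four spaces.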
diff --git a/playbooks/roles/caddy/templates/Caddyfile.j2 b/playbooks/roles/caddy/templates/Caddyfile.j2
index 882ef0f..dddf9a0 100644
--- a/playbooks/roles/caddy/templates/Caddyfile.j2
+++ b/playbooks/roles/caddy/templates/Caddyfile.j2
@@ -1,7 +1,7 @@
 {
 	email {{ admin_email }}
 
-    metrics
+	metrics
 
 	servers {
 		strict_sni_host on
@@ -11,9 +11,9 @@
 import /etc/caddy/snippets
 
 http://{{ host_vpn.domain }} {
-    import vpn_only
+	import vpn_only
 
-    metrics
+	metrics
 }
 
 *.serguzim.me {
diff --git a/playbooks/templates/caddy_site.conf.j2 b/playbooks/templates/caddy_site.conf.j2
index 0ed1ac0..4612ea7 100644
--- a/playbooks/templates/caddy_site.conf.j2
+++ b/playbooks/templates/caddy_site.conf.j2
@@ -21,7 +21,9 @@
 {% elif svc.redirect|default(false) %}
 		redir "{{ svc.redirect }}"
 {% else %}
-		reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }}
+		reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }} {
+			{{ svc.caddy_proxy_extra | indent(width='\t', first=False) if svc.caddy_proxy_extra|default(false) }}
+		}
 {% endif %}
 	}
 {% endif %}
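Review bot: The inline `{{ ... if svc.caddy_proxy_extra|default(false) }}` has no `else`, and Ansible renders templates with a strict undefined class, so for every service without `caddy_proxy_extra` this may fail with "the inline if-expression ... evaluated to false and no else section was defined" instead of rendering empty — confirm against a full run, or use the block form `{% if svc.caddy_proxy_extra|default(false) %}` / `{{ svc.caddy_proxy_extra | indent(width='\t', first=False) }}` / `{% endif %}`, which also avoids emitting a tab-only line inside the otherwise empty `reverse_proxy { }` block. The value is spliced in verbatim as Caddyfile syntax, so a comment above it such as `{# caddy_proxy_extra is raw Caddyfile text placed inside the reverse_proxy block #}` would make that contract explicit for whoever next adds a service.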
diff --git a/scripts/visualize.py b/scripts/visualize.py
index dacec8f..a0ee108 100755
--- a/scripts/visualize.py
+++ b/scripts/visualize.py
@@ -9,7 +9,7 @@ import hcl2
 icon_overrides = {
     "acme_dns": "lets-encrypt",
     "backup": "restic",
-    "deploy": "webhook",
+    "deploy": "adnanh-webhook",
     "extra_services": None,
     "forgejo_runner": "forgejo",
     "healthcheck": "healthchecks",