diff --git a/caddy/.gitignore b/caddy/.gitignore
new file mode 100644
index 0000000..ee96d5c
--- /dev/null
+++ b/caddy/.gitignore
@@ -0,0 +1 @@
+/config/conf-hidden.d/
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
new file mode 100644
index 0000000..7ee03fe
--- /dev/null
+++ b/caddy/config/Caddyfile
@@ -0,0 +1,12 @@
+{
+ email tobias@msrg.cc
+}
+
+db.serguzim.me:80,
+dns.serguzim.me:80 {
+ reverse_proxy host.docker.internal:4444
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
+import /etc/caddy/conf-hidden.d/*.conf
diff --git a/caddy/config/conf.d/analytics.serguzim.me.conf b/caddy/config/conf.d/analytics.serguzim.me.conf
new file mode 100644
index 0000000..c64b462
--- /dev/null
+++ b/caddy/config/conf.d/analytics.serguzim.me.conf
@@ -0,0 +1,3 @@
+analytics.serguzim.me {
+ reverse_proxy umami:3000
+}
diff --git a/caddy/config/conf.d/auth.serguzim.me.conf b/caddy/config/conf.d/auth.serguzim.me.conf
new file mode 100644
index 0000000..16ba524
--- /dev/null
+++ b/caddy/config/conf.d/auth.serguzim.me.conf
@@ -0,0 +1,3 @@
+auth.serguzim.me {
+ reverse_proxy authentik:9000
+}
diff --git a/caddy/config/conf.d/ci.serguzim.me.conf b/caddy/config/conf.d/ci.serguzim.me.conf
new file mode 100644
index 0000000..0c39976
--- /dev/null
+++ b/caddy/config/conf.d/ci.serguzim.me.conf
@@ -0,0 +1,3 @@
+ci.serguzim.me {
+ reverse_proxy woodpecker:8000
+}
diff --git a/caddy/config/conf.d/cloud.serguzim.me.conf b/caddy/config/conf.d/cloud.serguzim.me.conf
new file mode 100644
index 0000000..36a5e63
--- /dev/null
+++ b/caddy/config/conf.d/cloud.serguzim.me.conf
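Review bot: The `db.serguzim.me:80, dns.serguzim.me:80` site block in the Caddyfile is plain HTTP with no authentication, and Caddy picks it purely by Host header, so anyone who can reach port 80 on this host (the compose file in this commit publishes `80:80` on all interfaces) reaches `host.docker.internal:4444` by sending `Host: db.serguzim.me`, regardless of whether those names resolve publicly. If these two names are meant to be LAN-only, add a client-address guard ahead of the proxy, e.g. `@external not remote_ip private_ranges` followed by `respond @external 403`, or pin the listener to an internal interface with `bind`; verify from outside that `remote_ip` sees the real client address and not Docker's bridge gateway. The explicit `:80` also opts these names out of automatic HTTPS, so whatever credentials the service on 4444 uses cross the wire in clear text — a one-line comment stating that this is deliberate would help the next reader.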
@@ -0,0 +1,11 @@
+cloud.serguzim.me {
+ reverse_proxy host.docker.internal:3015
+
+ redir /.well-known/host-meta /public.php?service=host-meta 301
+ redir /.well-known/host-meta.json /public.php?service=host-meta-json 301
+ redir /.well-known/webfinger /public.php?service=webfinger 301
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ header Strict-Transport-Security "max-age=15552000; includeSubdomains;"
+}
diff --git a/caddy/config/conf.d/faas.serguzim.me.conf b/caddy/config/conf.d/faas.serguzim.me.conf
new file mode 100644
index 0000000..2aef81a
--- /dev/null
+++ b/caddy/config/conf.d/faas.serguzim.me.conf
@@ -0,0 +1,3 @@
+faas.serguzim.me {
+ reverse_proxy host.docker.internal:8080
+}
diff --git a/caddy/config/conf.d/git.serguzim.me.conf b/caddy/config/conf.d/git.serguzim.me.conf
new file mode 100644
index 0000000..70bab21
--- /dev/null
+++ b/caddy/config/conf.d/git.serguzim.me.conf
@@ -0,0 +1,5 @@
+git.serguzim.me {
+ header /attachments/* Access-Control-Allow-Origin *
+
+ reverse_proxy gitea:3000
+}
diff --git a/caddy/config/conf.d/graph.serguzim.me.conf b/caddy/config/conf.d/graph.serguzim.me.conf
new file mode 100644
index 0000000..a945974
--- /dev/null
+++ b/caddy/config/conf.d/graph.serguzim.me.conf
@@ -0,0 +1,3 @@
+graph.serguzim.me {
+ reverse_proxy grafana:3000
+}
diff --git a/caddy/config/conf.d/hook.serguzim.me.conf b/caddy/config/conf.d/hook.serguzim.me.conf
new file mode 100644
index 0000000..41147c8
--- /dev/null
+++ b/caddy/config/conf.d/hook.serguzim.me.conf
@@ -0,0 +1,3 @@
+hook.serguzim.me {
+ reverse_proxy host.docker.internal:3002
+}
diff --git a/caddy/config/conf.d/matrix.msrg.cc.conf b/caddy/config/conf.d/matrix.msrg.cc.conf
new file mode 100644
index 0000000..1167380
--- /dev/null
+++ b/caddy/config/conf.d/matrix.msrg.cc.conf
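Review bot: `faas.serguzim.me` proxies the entire function gateway on `host.docker.internal:8080` with no access control at the proxy, although the only paths the rest of this commit needs from it are `/function/webpage-*` (the `msrg.cc`, `www.serguzim.me` and `xn--sder-5qa.stream` blocks rewrite to those). If the gateway's own basic auth is not enabled — not visible here — its management API and UI (`/system/*`, `/ui/*` on OpenFaaS-style gateways) are reachable by anyone and allow deploying arbitrary code on the host. One way to keep the internal callers working while closing the rest is to leave `/function/*` open and route everything else through the existing `auth_serguzim_me` snippet, as below; confirm the gateway's auth setting either way and note it in a comment on the `reverse_proxy` line.
```caddyfile
faas.serguzim.me {
	# Only function invocations need to be reachable without a session
	# (msrg.cc / www.serguzim.me rewrite into /function/...); the gateway's
	# management API and UI go through authentik.
	@mgmt not path /function/*
	handle @mgmt {
		import auth_serguzim_me
	}

	reverse_proxy host.docker.internal:8080
```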
@@ -0,0 +1,16 @@
+matrix.msrg.cc {
+ reverse_proxy /_matrix/* synapse:8008
+ reverse_proxy /_synapse/* synapse:8008
+
+ handle_path /admin/* {
+ rewrite * {path}
+ reverse_proxy synapse-admin:80
+}
+}
+
+msrg.cc:8008,
+msrg.cc:8448,
+matrix.msrg.cc:8008,
+matrix.msrg.cc:8448 {
+ reverse_proxy synapse:8008
+}
diff --git a/caddy/config/conf.d/media.serguzim.me.conf b/caddy/config/conf.d/media.serguzim.me.conf
new file mode 100644
index 0000000..656f526
--- /dev/null
+++ b/caddy/config/conf.d/media.serguzim.me.conf
@@ -0,0 +1,3 @@
+media.serguzim.me {
+ reverse_proxy host.docker.internal:3014
+}
diff --git a/caddy/config/conf.d/msrg.cc.conf b/caddy/config/conf.d/msrg.cc.conf
new file mode 100644
index 0000000..c9643d7
--- /dev/null
+++ b/caddy/config/conf.d/msrg.cc.conf
@@ -0,0 +1,8 @@
+msrg.cc {
+ header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
+
+ rewrite * /function/webpage-msrg-cc{uri}
+ reverse_proxy https://faas.serguzim.me {
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ }
+}
diff --git a/caddy/config/conf.d/prometheus.serguzim.me.conf b/caddy/config/conf.d/prometheus.serguzim.me.conf
new file mode 100644
index 0000000..65f99c6
--- /dev/null
+++ b/caddy/config/conf.d/prometheus.serguzim.me.conf
@@ -0,0 +1,9 @@
+prometheus.serguzim.me {
+ import auth_serguzim_me
+
+ reverse_proxy host.docker.internal:9090
+}
+
+prometheus.internal.serguzim.net:80 {
+ reverse_proxy host.docker.internal:9090
+}
diff --git a/caddy/config/conf.d/recipies.serguzim.me.conf b/caddy/config/conf.d/recipies.serguzim.me.conf
new file mode 100644
index 0000000..e27f122
--- /dev/null
+++ b/caddy/config/conf.d/recipies.serguzim.me.conf
@@ -0,0 +1,3 @@
+recipies.serguzim.me {
+ reverse_proxy tandoor:80
+}
diff --git a/caddy/config/conf.d/registry.serguzim.me.conf b/caddy/config/conf.d/registry.serguzim.me.conf
new file mode 100644
index 0000000..57c6dbf
--- /dev/null
+++ b/caddy/config/conf.d/registry.serguzim.me.conf
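Review bot: `reverse_proxy /_synapse/* synapse:8008` on `matrix.msrg.cc` puts Synapse's admin API (`/_synapse/admin/*`) on the public vhost with no proxy-level restriction, and the catch-all `:8008`/`:8448` block below it exposes the same paths again. The admin API does require an admin access token, so this is not open by itself, but upstream's reverse-proxy guidance is to keep `/_synapse/admin` off the internet; since the `synapse-admin` UI under `/admin/*` appears to be the only client that needs it, consider gating both `/admin/*` and `/_synapse/admin/*` with `import auth_serguzim_me` or a `remote_ip` matcher, and add a comment saying why `/_synapse/*` rather than the narrower `/_synapse/client/*` is proxied. Separately, `rewrite * {path}` inside `handle_path` looks redundant — `handle_path` already strips the `/admin` prefix — so either delete it or comment what it is meant to normalise.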
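Review bot: `prometheus.internal.serguzim.net:80` proxies Prometheus with no authentication, and because Caddy routes by Host header on a port-80 listener that the compose file publishes on all interfaces, anyone who sends `Host: prometheus.internal.serguzim.net` to the public address reaches the same `host.docker.internal:9090` that the `import auth_serguzim_me` on `prometheus.serguzim.me` is there to protect. An "internal" hostname only restricts access if the listener itself is not publicly reachable; add `@external not remote_ip private_ranges` and `respond @external 403` to that block, or serve it from a `bind`-restricted listener, and say in a comment who the plaintext vhost is for. The forward-auth on the public vhost is also only a real gate if host port 9090 is not itself reachable from outside — with `host.docker.internal:host-gateway` the backend sits on the host network — which is worth stating above the `reverse_proxy` line since it cannot be verified from this file.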
@@ -0,0 +1,4 @@
+registry.serguzim.me {
+ reverse_proxy /metrics host.docker.internal:3029
+ reverse_proxy host.docker.internal:3021
+}
diff --git a/caddy/config/conf.d/rss.serguzim.me.conf b/caddy/config/conf.d/rss.serguzim.me.conf
new file mode 100644
index 0000000..51e646a
--- /dev/null
+++ b/caddy/config/conf.d/rss.serguzim.me.conf
@@ -0,0 +1,3 @@
+rss.serguzim.me {
+ reverse_proxy tt-rss:80
+}
diff --git a/caddy/config/conf.d/serguzim.me.conf b/caddy/config/conf.d/serguzim.me.conf
new file mode 100644
index 0000000..0056cd1
--- /dev/null
+++ b/caddy/config/conf.d/serguzim.me.conf
@@ -0,0 +1,11 @@
+serguzim.me {
+ header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
+ redir https://www.serguzim.me{uri}
+}
+
+www.serguzim.me {
+ rewrite * /function/webpage-serguzim-me{uri}
+ reverse_proxy https://faas.serguzim.me {
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ }
+}
diff --git a/caddy/config/conf.d/soeder.stream.conf b/caddy/config/conf.d/soeder.stream.conf
new file mode 100644
index 0000000..6020847
--- /dev/null
+++ b/caddy/config/conf.d/soeder.stream.conf
@@ -0,0 +1,6 @@
+xn--sder-5qa.stream {
+ rewrite * /function/webpage-soeder-stream{uri}
+ reverse_proxy https://faas.serguzim.me {
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ }
+}
diff --git a/caddy/config/conf.d/stream.serguzim.me.conf b/caddy/config/conf.d/stream.serguzim.me.conf
new file mode 100644
index 0000000..77f2dbd
--- /dev/null
+++ b/caddy/config/conf.d/stream.serguzim.me.conf
@@ -0,0 +1,5 @@
+stream.serguzim.me {
+ import auth_serguzim_me
+
+ reverse_proxy host.docker.internal:8888
+}
diff --git a/caddy/config/conf.d/tick.serguzim.me.conf b/caddy/config/conf.d/tick.serguzim.me.conf
new file mode 100644
index 0000000..1a0fe67
--- /dev/null
+++ b/caddy/config/conf.d/tick.serguzim.me.conf
@@ -0,0 +1,3 @@
+tick.serguzim.me {
+ reverse_proxy host.docker.internal:8086
+}
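Review bot: `reverse_proxy /metrics host.docker.internal:3029` publishes the registry's metrics listener on the public `registry.serguzim.me` vhost with no access control, whereas the comparable Prometheus endpoint in this same commit is placed behind `import auth_serguzim_me`. Metrics expose internal hostnames, request volumes and version strings and should not be internet-facing; the simplest fix is to drop that line and have the scraper read `host.docker.internal:3029` directly, or else guard it with a named matcher combining `path /metrics` with `not remote_ip private_ranges` and answer 403. The unconditional `reverse_proxy host.docker.internal:3021` below it adds no authentication for pushes either — that has to live in the registry's own config, which is not visible here, so a comment pointing to where it is enforced would help.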
diff --git a/caddy/config/conf.d/wiki.serguzim.me.conf b/caddy/config/conf.d/wiki.serguzim.me.conf
new file mode 100644
index 0000000..25d0781
--- /dev/null
+++ b/caddy/config/conf.d/wiki.serguzim.me.conf
@@ -0,0 +1,3 @@
+wiki.serguzim.me {
+ reverse_proxy wiki-js:3000
+}
diff --git a/caddy/config/snippets b/caddy/config/snippets
new file mode 100644
index 0000000..e6cd914
--- /dev/null
+++ b/caddy/config/snippets
@@ -0,0 +1,15 @@
+(auth_serguzim_me) {
+ # always forward outpost path to actual outpost
+ reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+ # forward authentication to outpost
+ forward_auth authentik:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+
+ # capitalization of the headers is important, otherwise they will be empty
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+ # optional, in this config trust all private ranges, should probably be set to the outposts IP
+ trusted_proxies private_ranges
+ }
+}
diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml
new file mode 100644
index 0000000..092e842
--- /dev/null
+++ b/caddy/docker-compose.yml
@@ -0,0 +1,26 @@
+version: "3.7"
+
+services:
+ app:
+ image: caddy:2-alpine
+ restart: always
+ ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp"
+ - "8008:8008"
+ - "8448:8448"
+ volumes:
+ - ./config:/etc/caddy/
+ - data:/data
+ extra_hosts:
+ - host.docker.internal:host-gateway
+ networks:
+ services:
+
+volumes:
+ data:
+
+networks:
+ services:
+ external: true
diff --git a/tt-rss/docker-compose.yml b/tt-rss/docker-compose.yml
index 7592f14..ab39fac 100644
--- a/tt-rss/docker-compose.yml
+++ b/tt-rss/docker-compose.yml
@@ -4,8 +4,6 @@ services:
 app:
 image: cthulhoo/ttrss-fpm-pgsql-static
 restart: always
- labels:
- com.centurylinklabs.watchtower.enable: true
 env_file:
 - .env
 - .secret.env
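Review bot: `./config:/etc/caddy/` is mounted read-write, but nothing in this setup needs Caddy to write there — the Caddyfile and `conf.d` are only read, and runtime state (certificates, keys) goes to the separate `/data` volume — so the bind mount should be `./config:/etc/caddy/:ro` to stop a compromised container from rewriting its own routing, or dropping a file into the gitignored `conf-hidden.d`, and surviving a restart. The file also publishes 80/443/8008/8448 on every interface while several vhosts proxy to host ports through `host.docker.internal:host-gateway`; the forward-auth in front of Prometheus (`:9090`) and the stream service (`:8888`) only holds if those host ports are not reachable from outside, which this file cannot enforce, so a comment next to `extra_hosts` stating that the host ports are bound to localhost or firewalled (and a check that they are) would close the loop.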
@@ -19,8 +17,6 @@ services:
 updater:
 image: cthulhoo/ttrss-fpm-pgsql-static
 restart: always
- labels:
- com.centurylinklabs.watchtower.enable: true
 env_file:
 - .env
 - .secret.env
@@ -35,8 +31,6 @@ services:
 web-nginx:
 image: cthulhoo/ttrss-web-nginx
 restart: always
- labels:
- com.centurylinklabs.watchtower.enable: true
 volumes:
 - app:/var/www/html:ro
 - ./nginx.conf:/etc/nginx/nginx.conf