diff --git a/lib/module/default.nix b/lib/module/default.nix index ee2a0a8..0691502 100644 --- a/lib/module/default.nix +++ b/lib/module/default.nix @@ -154,7 +154,7 @@ rec { mkOpt (types.attrsOf types.str) { } "Extra environment variables for code-server"; - reverseProxy = mkReverseProxyOpt; + reverseProxy = mkReverseProxyOpt name; } // options; }; @@ -221,12 +221,12 @@ rec { mkBoolOpt' = mkOpt' types.bool; - mkReverseProxyOpt = { + mkReverseProxyOpt = name: { enable = mkBoolOpt false "Enable reverse proxy support"; - subdomain = mkOpt types.str "" "subdomain of the service"; + subdomain = mkOpt types.str name "subdomain of the service"; - middlewares = mkOpt (types.listOf types.str) [ ] "List of middlewares to use"; + middlewares = mkOpt (types.listOf types.str) [ "crowdsec" "whitelist-geoblock" ] "List of middlewares to use"; }; # Standard enable/disable patterns diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix new file mode 100644 index 0000000..e0234b0 --- /dev/null +++ b/modules/nixos/services/caddy/default.nix 
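Review bot: The new default `[ "crowdsec" "whitelist-geoblock" ]` for `middlewares` in the second hunk overlaps with `makeRouter` in modules/nixos/services/traefik/default.nix, which already appends `"crowdsec"` to `router.middlewares`, so any service that keeps the default lists `crowdsec` twice on its router; either drop it from this default or stop appending it in `makeRouter`. Both names must also exist in the Traefik dynamic configuration, since a router that references an undefined middleware is, as far as I recall, disabled by Traefik with an error rather than served unprotected, which is worth a comment above the option: `# Defaults assume the traefik module defines the "crowdsec" and "whitelist-geoblock" middlewares.`. The new `name` parameter of `mkReverseProxyOpt` and its call site `mkReverseProxyOpt name` in the first hunk are undocumented; suggest `# name: the service name, used as the default subdomain; set subdomain = "" to publish on the bare domain.`. The empty-subdomain convention comes from the traefik hunk in this same commit and is not visible in this file.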
@@ -0,0 +1,121 @@ +{ + config, + lib, + pkgs, + namespace, + ... +}: +with lib; +let + name = "caddy"; + cfg = config.${namespace}.services.${name}; + + caddyPackage = pkgs.caddy.withPlugins { + plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ]; + hash = "sha256-dnhEjopeA0UiI+XVYHYpsjcEI6Y1Hacbi28hVKYQURg="; + }; + + caddy = lib.${namespace}.mkModule { + inherit config name; + description = "caddy Service"; + options = { }; + moduleConfig = { + sops = { + secrets = { + "jallen-nas/traefik/crowdsec/lapi-key" = { + sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + + "jallen-nas/traefik/crowdsec/capi-machine-id" = { + sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + + "jallen-nas/traefik/crowdsec/capi-password" = { + sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + "jallen-nas/traefik/cloudflare-dns-api-token" = { + sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + "jallen-nas/traefik/cloudflare-zone-api-token" = { + sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + "jallen-nas/traefik/cloudflare-api-key" = { + sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + "jallen-nas/traefik/cloudflare-email" = { + sopsFile = 
(lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + }; + templates = { + "caddy.env" = { + content = '' + CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"} + CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"} + CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"} + CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"} + ''; + owner = config.users.users.caddy.name; + group = config.users.users.caddy.group; + restartUnits = [ "caddy.service" ]; + }; + }; + }; + + services.caddy = { + enable = true; + # package = caddyPackage; + # environmentFile = config.sops.templates."caddy.env".path; + email = "jalle008@proton.me"; + enableReload = false; + dataDir = "${cfg.configDir}/caddy"; + globalConfig = '' + metrics + http_port 80 + https_port 443 + default_bind 0.0.0.0 + ''; # b710da1b0182eadcb1e569408de778f9f3c50 + virtualHosts = { + "gitea.mjallen.dev" = { + extraConfig = '' + reverse_proxy http://10.0.1.3:3000 + ''; + }; + "jellyfin.mjallen.dev" = { + extraConfig = '' + reverse_proxy http://10.0.1.3:8096 + ''; + }; + "hass.mjallen.dev" = { + extraConfig = '' + reverse_proxy http://10.0.1.4:8123 + ''; + }; + }; + }; + }; + }; +in +{ + imports = [ caddy ]; +} diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix index dff601c..b575f7f 100755 --- a/modules/nixos/services/traefik/default.nix +++ b/modules/nixos/services/traefik/default.nix 
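Review bot: Three `jallen-nas/traefik/crowdsec/*` secrets are declared and decrypted to disk under the caddy user but nothing in this file references them, and the four Cloudflare secrets only feed the `caddy.env` template whose consumer (`environmentFile`) is commented out together with `package = caddyPackage`, so as written every sops entry here is an unused secret on disk. The `virtualHosts` entries also proxy straight to plain-HTTP upstreams with no crowdsec or geoblock handler, while the Traefik path in this commit appends `crowdsec` to every router, so switching a host to this module would drop that protection silently; note that apps.nix currently sets `caddy = disabled;`, so none of this is live yet. The trailing `# b710da1b0182eadcb1e569408de778f9f3c50` after `globalConfig` is an unexplained value in a comment and should be removed or explained, and `default_bind 0.0.0.0` is IPv4-only, which may or may not be intended. Since the secret declarations are identical except for the key, I would generate them with `genAttrs` from a single helper and list only the keys the template actually uses.
```nix
let
  # … unchanged: name, cfg, caddyPackage …
  secretsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
  # One declaration shape for every secret caddy.service consumes.
  mkCaddySecret = _: {
    sopsFile = secretsFile;
    owner = config.users.users.caddy.name;
    group = config.users.users.caddy.group;
    restartUnits = [ "caddy.service" ];
  };
  # Only the keys referenced by the "caddy.env" template below.
  caddySecrets = genAttrs [
    "jallen-nas/traefik/cloudflare-dns-api-token"
    "jallen-nas/traefik/cloudflare-zone-api-token"
    "jallen-nas/traefik/cloudflare-api-key"
    "jallen-nas/traefik/cloudflare-email"
  ] mkCaddySecret;
  # … unchanged: mkModule call, with `sops.secrets = caddySecrets;` …
```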
@@ -28,9 +28,16 @@ let let makeRouter = router: + let + hostRule = + if router.subdomain == "" then + "Host(`${domain}`)" + else + "Host(`${router.subdomain}.${domain}`)"; + in nameValuePair router.subdomain { entryPoints = router.entryPoints; - rule = "Host(`${router.subdomain}.${domain}`)"; + rule = hostRule; service = router.service; middlewares = router.middlewares ++ [ "crowdsec" diff --git a/systems/x86_64-linux/jallen-nas/apps.nix b/systems/x86_64-linux/jallen-nas/apps.nix index 0bc82f5..8425e61 100755 --- a/systems/x86_64-linux/jallen-nas/apps.nix +++ b/systems/x86_64-linux/jallen-nas/apps.nix @@ -127,7 +127,7 @@ in matrix = { enable = false; port = 8448; - reverseProxy.enable = true; + reverseProxy.enable = false; }; minecraft = disabled; mongodb = disabled; @@ -143,7 +143,10 @@ in enable = true; port = 2586; createUser = true; - reverseProxy.enable = true; + reverseProxy = { + enable = true; + subdomain = "ntfy"; + }; }; ocis = disabled; onlyoffice = { @@ -153,7 +156,7 @@ in opencloud = { enable = false; port = 9200; - reverseProxy.enable = true; + reverseProxy.enable = false; }; orca-slicer = { enable = false; @@ -187,6 +190,11 @@ in serverPort = 8266; }; traefik = enabled; + + + caddy = disabled; + + unmanic = { enable = true; port = 8265; diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index d9ef56a..7bc2d3a 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix @@ -143,6 +143,8 @@ in allowPing = true; trustedInterfaces = [ "tailscale0" ]; allowedTCPPorts = [ + 80 + 443 8008 # restic 9000 # authentik 2342 # grafana
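Review bot: When `router.subdomain` is `""`, the name handed to `nameValuePair` is also the empty string, so the router is keyed as `""` and a second service published on the bare domain would collide with it without any error; key on the service in that case, e.g. `nameValuePair (if router.subdomain == "" then router.service else router.subdomain) {`. The `hostRule` binding itself is fine, but a one-line comment such as `# An empty subdomain publishes the service on the bare domain.` would record the convention that lib/module/default.nix now relies on. The `let` enclosing `makeRouter` starts before the hunk and the router attribute set continues after it.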
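Review bot: `subdomain = "ntfy";` in the `@@ -143,7 +143,10 @@` hunk appears redundant now that lib/module/default.nix defaults `subdomain` to the service name, assuming the enclosing attribute (outside the hunk) is `ntfy`; it is harmless, but the literal will mask a future rename, so `reverseProxy.enable = true;` alone would do. The `@@ -187,6 +190,11 @@` hunk surrounds `caddy = disabled;` with two blank lines on each side where neighbouring entries use none; `traefik = enabled;` directly followed by `caddy = disabled;` matches the rest of the set.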
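Review bot: Opening `80` and `443` in `allowedTCPPorts` is unconditional and uncommented, while every neighbouring entry names its consumer (`8008 # restic`, `9000 # authentik`), and the caddy module that would listen on these ports is `disabled` in apps.nix, so this diff does not show which service they are for. Suggest `80 # http, reverse proxy` and `443 # https, reverse proxy`, or better, declare the ports from the reverse-proxy module itself under `mkIf cfg.enable` so they are only open while that service is enabled. Note that `trustedInterfaces = [ "tailscale0" ]` already admits these ports from the tailnet; this change exposes them on every other interface as well.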