diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index fb7be84..79cb639 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,15 +1,23 @@
-*.herderin.veenboer.xyz \
-*.uitgeest.veenboer.xyz \
+{
+ import conf/dynamic_dns.caddy
+}
+
+(unprotected) {
+ {args[0]}.{$SUBDOMAIN}.{$DOMAIN} {
+ log {
+ output file /var/log/{args[0]}.log
+ }
+ reverse_proxy {args[1]}
+ }
+}
+
 herderin.veenboer.xyz \
 uitgeest.veenboer.xyz \
 peter.veenboer.xyz \
-bewind.veenboer.xyz \
-{
- reverse_proxy nginx
- tls {
- dns route53 {
- access_key_id {$AWS_ACCESS_KEY_ID}
- secret_access_key {$AWS_SECRET_ACCESS_KEY}
- }
- }
+ {
+ reverse_proxy nginx
 }
+
+import unprotected esp host:6052
+import unprotected grafana host:3333
+import unprotected ha host:8123
diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy
new file mode 100644
index 0000000..e3e3870
--- /dev/null
+++ b/caddy/conf/auth.caddy
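Review bot: The `(unprotected)` snippet publishes Home Assistant (`host:8123`), Grafana (`host:3333`) and ESPHome (`host:6052`) on public hostnames with nothing but `reverse_proxy {args[1]}` in front of them, so each backend's own login is the only barrier on the internet; since the same commit adds `conf/authentik.caddy`, consider an `import conf/authentik.caddy` (or at least a `remote_ip` matcher for LAN-only access) ahead of the `reverse_proxy` line in that snippet. `import unprotected ha host:8123` also defines `ha.{$SUBDOMAIN}.{$DOMAIN}`, the same address `caddy/sites/ha.caddy` in this commit defines; if that file is imported anywhere Caddy is likely to reject the duplicate site address, so one of the two should go. The Route53 `tls` block was removed rather than replaced, which is fine now that the wildcard addresses are gone, but a comment such as `# Route53 is only used by conf/dynamic_dns.caddy; certificates use the default HTTP/TLS-ALPN challenge` would stop the next reader from re-adding it.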
@@ -0,0 +1,59 @@
+order authenticate before respond
+order authorize before reverse_proxy
+security {
+ local identity store localdb {
+ realm local
+ path /data/caddy/users.json
+ }
+ oauth identity provider generic {
+ realm remote
+ driver generic
+ client_id {$OAUTH_CLIENT_ID}
+ client_secret {$OAUTH_CLIENT_SECRET}
+ scopes openid email profile seafile joh
+
+ enable logout
+ # extract all from userinfo
+ extract seafile_email from userinfo
+
+ delay_start 5
+ retry_attempts 3
+ retry_interval 10
+
+ base_auth_url https://authentik.{$DOMAIN}
+ metadata_url https://authentik.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
+ }
+ authentication portal myportal {
+ enable identity store localdb
+ enable identity provider generic
+ cookie domain {$DOMAIN}
+ ui {
+ links {
+ "My Identity" "/whoami" icon "las la-user"
+ "Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
+ }
+ }
+ transform user {
+ match realm remote
+ action add role authp/user
+ action add iets "Zo iets!" as string
+
+ }
+ transform user {
+ match origin local
+ action add role authp/user
+ }
+ }
+ authorization policy mypolicy {
+ set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
+ allow roles authp/admin authp/user
+ validate bearer header
+
+ set user identity seafile_id
+
+ inject headers with claims
+ inject header "X-Seafile-Email" from "user|email"
+ inject header "X-Test" from "userinfo|seafile_email"
+ inject header "X-Onzin" from "realm"
+ }
+}
diff --git a/caddy/conf/authentik.caddy b/caddy/conf/authentik.caddy
new file mode 100644
index 0000000..497100d
--- /dev/null
+++ b/caddy/conf/authentik.caddy
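Review bot: `mypolicy` admits every account the identity provider returns: both `transform user` blocks add `authp/user` unconditionally (`match realm remote`, `match origin local`) and the policy allows that role, so no Authentik group or claim limits who gets through — if that is not intended, grant the role in the remote transform only when a group claim matches (per the plugin's transform match syntax) instead of to everyone. The debugging leftovers `action add iets "Zo iets!" as string`, `inject header "X-Test" from "userinfo|seafile_email"` and `inject header "X-Onzin" from "realm"` should be dropped before this ships, and `set user identity seafile_id` names a claim that is never extracted (only `seafile_email` is), which looks like a typo. Because `inject header "X-Seafile-Email" from "user|email"` is what the upstream will trust for identity, make sure that backend is reachable only through this proxy. `cookie domain {$DOMAIN}` scopes the session cookie to the apex, so every subdomain, including the unauthenticated ones, receives it — confirm that scope is intended.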
@@ -0,0 +1,25 @@
+reverse_proxy /outpost.goauthentik.io/* http://host:19000
+forward_auth http://host:19000 {
+ uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+ copy_headers {
+ X-Authentik-Username
+ X-Authentik-Groups
+ X-Authentik-Email
+ X-Authentik-Name
+ X-Authentik-Uid
+ X-Authentik-Jwt
+ X-Authentik-Meta-Jwks
+ X-Authentik-Meta-Outpost
+ X-Authentik-Meta-Provider
+ X-Authentik-Meta-App
+ X-Authentik-Meta-Version
+ X-Authentik-Other
+ X-Authentik-Password
+ X-Authentik-This
+ X-Authentik-What
+ Authorization>X-Custom-Authorization
+ X-Custom-User
+ X-Custom-Password
+ X-User-Header
+ }
+}
diff --git a/caddy/conf/dynamic_dns.caddy b/caddy/conf/dynamic_dns.caddy
new file mode 100644
index 0000000..a27aea6
--- /dev/null
+++ b/caddy/conf/dynamic_dns.caddy
@@ -0,0 +1,7 @@
+dynamic_dns {
+ provider route53
+ domains {
+ {$DOMAIN}. {$SUBDOMAIN}
+ }
+ versions ipv4
+}
diff --git a/caddy/conf/geoip2.caddy b/caddy/conf/geoip2.caddy
new file mode 100644
index 0000000..0aa49c7
--- /dev/null
+++ b/caddy/conf/geoip2.caddy
@@ -0,0 +1,10 @@
+order geoip2_vars first
+geoip2 {
+ # accountId {$GEO_ACCOUNT_ID}
+ # licenseKey {$GEO_API_KEY}
+ databaseDirectory /data/caddy/geoip/
+ lockFile /data/caddy/geoip/geoip2.lock
+ editionID GeoLite2-City
+ updateUrl https://updates.maxmind.com
+ updateFrequency 86400 # in seconds
+}
diff --git a/caddy/conf/layer4.caddy b/caddy/conf/layer4.caddy
new file mode 100644
index 0000000..748a202
--- /dev/null
+++ b/caddy/conf/layer4.caddy
@@ -0,0 +1,8 @@
+layer4 {
+ :443 {
+ @openvpn openvpn
+ route @openvpn {
+ proxy host:444 # Proxy OpenVPN traffic to its backend
+ }
+ }
+}
diff --git a/caddy/sites/ha.caddy b/caddy/sites/ha.caddy
new file mode 100644
index 0000000..5fbfcdb
--- /dev/null
+++ b/caddy/sites/ha.caddy
@@ -0,0 +1,26 @@
+ha.{$SUBDOMAIN}.{$DOMAIN} {
+ log {
+ output file /var/log/ha.log
+ }
+
+ route {
+ @app <
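Review bot: `copy_headers` relays `X-Authentik-Password` and `X-Custom-Password` (and the full `X-Authentik-Jwt`) from the outpost response into every upstream request; credentials should not be passed to backends in plain headers, and the list also carries names that read like experiments (`X-Authentik-Other`, `X-Authentik-This`, `X-Authentik-What`, `X-User-Header`), so trim it to the headers the outpost actually sets — presumably `X-Authentik-Username`, `X-Authentik-Groups`, `X-Authentik-Email`, `X-Authentik-Name`, `X-Authentik-Uid` and the `X-Authentik-Meta-*` set. `Authorization>X-Custom-Authorization` likewise forwards the auth response's Authorization header under a new name and should stay only if a backend consumes it. It is also worth confirming that a client cannot pre-seed these names (e.g. `X-Authentik-Groups`) on the incoming request when the outpost does not set them, since upstreams will trust them for authorization; a comment on the block naming which backend reads which header would make the list reviewable later.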
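Review bot: `layer4 { :443 { ... } }` opens its own listener on 443, the port the HTTPS sites already use; unless this block is meant to be a listener wrapper, two listeners on one port either fail to bind or, with port reuse, split incoming connections between them, so some HTTPS clients would land on the layer4 server, which routes only `@openvpn` and would simply close them. The caddy-l4 listener-wrapper form (below, placed in the global options with `tls` after it) lets OpenVPN and HTTPS share 443 on a single listener; if a separate listener really is intended, at least add a fallback route so non-OpenVPN connections are handled rather than dropped, and document the port-sharing assumption in a comment.
```caddyfile
{
	servers {
		listener_wrappers {
			layer4 {
				@openvpn openvpn
				route @openvpn {
					proxy host:444 # Proxy OpenVPN traffic to its backend
				}
			}
			tls
		}
	}
}
```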