diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..63e228b
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,37 @@
+rik.veenboer.xyz \
+*.rik.veenboer.xyz \
+ {
+ reverse_proxy nginx
+ tls {
+ dns route53 {
+ access_key_id {$AWS_ACCESS_KEY_ID}
+ secret_access_key {$AWS_SECRET_ACCESS_KEY}
+ }
+ }
+}
+
+authentik.rik.veenboer.xyz {
+ route {
+ reverse_proxy host:19000
+ }
+}
+
+(authentik) {
+ reverse_proxy /outpost.goauthentik.io/* http://host:19000
+ forward_auth http://host:19000 {
+ uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ }
+}
+
+(proxy) {
+ {args[0]}.rik.veenboer.xyz {
+ route {
+ import authentik
+ reverse_proxy {args[1]}
+ }
+ }
+}
+
+import proxy app host:12345
+import proxy daggos host:3000
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
new file mode 100644
index 0000000..b230ad0
--- /dev/null
+++ b/caddy/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:2.7-builder AS builder
+
+RUN xcaddy build \
+ --with github.com/caddy-dns/route53
+
+FROM caddy:2.7-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
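Review bot: The `(authentik)` snippet relies on `copy_headers` alone to control the `X-Authentik-*` identity headers, and nothing in it removes values of those names that arrive on the client request. Whether `copy_headers` clears a client-supplied header that authentik's response omits depends on the Caddy version, so a backend at `{args[1]}` that reads `X-Authentik-Username` or `X-Authentik-Groups` could see caller-chosen values; adding `request_header -X-Authentik-*` as the first line of the snippet (order is literal inside `route`) drops them before `forward_auth` runs. The upstreams `host:12345` and `host:3000` should also accept connections only from Caddy, since anything that reaches them directly skips the auth check. Separately, only the wildcard block carries `tls { dns route53 … }`, so the Route 53 key pair read from the environment should be limited to record changes in that one hosted zone.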
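Review bot: The plugin in `xcaddy build --with github.com/caddy-dns/route53` is not pinned, so every rebuild resolves whatever version of the module is current at that moment, and the binary that handles the AWS credentials can change without any change to this file. Pin it with `--with github.com/caddy-dns/route53@<PINNED_VERSION>` (placeholder; use the release you have reviewed). `caddy:2.7-builder` and `caddy:2.7-alpine` are also moving tags; appending a digest (`@sha256:<DIGEST>`) to both `FROM` lines makes the two stages reproducible. The final stage sets no `USER`, so the proxy runs as whatever user the base image defaults to, presumably root.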