diff --git a/README.md b/README.md index 08042cf..24433c1 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,31 @@ Work-in-progress NixOS Server Infrastructure based on [valerie's NixOS setup](https://git.dessa.dev/valnyx/nixos/src/branch/main). -## WARNING +## WIP This is a work-in-progress and currently DOES NOT WORK. Please check back later. +### Checklist + + - [x] Get basic install working + - [x] Configure reverse proxy + - [x] Configure firewall + - [x] Install Docker + - [x] Configure NFS mount + - [x] Configure Traefik & its dashboard + - [ ] Configure Caddy for internal service port forwarding (difficult!) + - [ ] Install Portainer for other servers & basic admin tasks + - [ ] Install Forgejo + - [ ] Install Personal Website + - [ ] Install Passbolt + - [ ] Install Pterodactyl Panel + - [ ] Install Immich + - [ ] Restore Forgejo + - [ ] Restore Passbolt + - [ ] Restore Pterodactyl Panel + - [ ] Restore Immich (difficult!) + - [ ] Get myself a treat :3 + ## Setup ### Setting up Sops diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix index d2492c7..a4ee75a 100755 --- a/hosts/andromeda/configuration.nix +++ b/hosts/andromeda/configuration.nix @@ -17,6 +17,7 @@ # Docker stacks ./stacks/traefik/docker-compose.nix + ./stacks/caddy/docker-compose.nix ]; users.mutableUsers = false; diff --git a/hosts/andromeda/stacks/caddy/docker-compose.nix b/hosts/andromeda/stacks/caddy/docker-compose.nix new file mode 100644 index 0000000..461e44d --- /dev/null +++ b/hosts/andromeda/stacks/caddy/docker-compose.nix 
@@ -0,0 +1,84 @@
+# Auto-generated using compose2nix v0.3.1.
+{ pkgs, lib, ... }:
+
+{
+  imports = [
+    ../../../../system/sops.nix
+  ];
+
+  # Containers
+  virtualisation.oci-containers.containers."caddy-web" = {
+    environmentFiles = [ config.sops.secrets.caddy_docker_env.path ];
+    image = "caddy-custom:2.10.0-builder";
+    volumes = [
+      "${./volume}:/etc/caddy:ro"
+      "caddy_caddy:/data:rw"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--health-cmd=curl -sS -k https://127.0.0.1 || exit 1"
+      "--health-interval=10s"
+      "--health-retries=3"
+      "--health-timeout=10s"
+      "--network=host"
+    ];
+  };
+
+  systemd.services."docker-caddy-web" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "on-failure";
+      RestartMaxDelaySec = lib.mkOverride 90 "1m";
+      RestartSec = lib.mkOverride 90 "100ms";
+      RestartSteps = lib.mkOverride 90 9;
+    };
+    after = [
+      "docker-volume-caddy_caddy.service"
+    ];
+    requires = [
+      "docker-volume-caddy_caddy.service"
+    ];
+    partOf = [
+      "docker-compose-caddy-root.target"
+    ];
+    wantedBy = [
+      "docker-compose-caddy-root.target"
+    ];
+  };
+
+  # Volumes
+  systemd.services."docker-volume-caddy_caddy" = {
+    path = [ pkgs.docker ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      docker volume inspect caddy_caddy || docker volume create caddy_caddy
+    '';
+    partOf = [ "docker-compose-caddy-root.target" ];
+    wantedBy = [ "docker-compose-caddy-root.target" ];
+  };
+
+  # Builds
+  systemd.services."docker-build-caddy-web" = {
+    path = [ pkgs.docker pkgs.git ];
+    serviceConfig = {
+      Type = "oneshot";
+      TimeoutSec = 300;
+    };
+    script = ''
+      cd /home/tera/Documents/ops/misc-git/nix-infra/hosts/andromeda/stacks/caddy/caddy
+      docker build -t caddy-custom:2.10.0-builder -f ${./volume/Dockerfile} .
+    '';
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."docker-compose-caddy-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}
diff --git a/hosts/andromeda/stacks/caddy/volume/Caddyfile b/hosts/andromeda/stacks/caddy/volume/Caddyfile
new file mode 100644
index 0000000..48c4828
--- /dev/null
+++ b/hosts/andromeda/stacks/caddy/volume/Caddyfile
@@ -0,0 +1,8 @@
+hofers.cloud, *.hofers.cloud {
+  tls {
+    dns cloudflare {env.CF_API_TOKEN}
+    resolvers 1.1.1.1
+  }
+
+  reverse_proxy /* 127.0.0.1:8000
+}
diff --git a/hosts/andromeda/stacks/caddy/volume/Dockerfile b/hosts/andromeda/stacks/caddy/volume/Dockerfile
new file mode 100644
index 0000000..1e3d856
--- /dev/null
+++ b/hosts/andromeda/stacks/caddy/volume/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:2.10.0-builder AS caddy-builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2.10.0-alpine
+
+COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
diff --git a/secrets b/secrets
index 7851d29..05d59e8 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 7851d29bba582893f904cf7b9244abd7adaa0068
+Subproject commit 05d59e8bdcd23b9877443bebb1e5894992d786fa
diff --git a/system/sops.nix b/system/sops.nix
index 9eec1ae..88dcb68 100755
--- a/system/sops.nix
+++ b/system/sops.nix
@@ -20,6 +20,7 @@ in
         neededForUsers = true;
       };
       reverse_proxy_client_privkey = {};
+      caddy_docker_env = {};
     };
   };
 }
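Review bot: `config` is referenced in `environmentFiles = [ config.sops.secrets.caddy_docker_env.path ];` but the module's argument set is `{ pkgs, lib, ... }:`, so evaluation fails with an undefined-variable error before the container is ever created; the signature should be `{ config, pkgs, lib, ... }:`. The build unit `docker-build-caddy-web` is neither required by `docker-caddy-web` (its `after`/`requires` name only the volume unit) nor wanted by the root target, so the `caddy-custom:2.10.0-builder` image only exists if someone runs the build by hand; adding `"docker-build-caddy-web.service"` to both `after` and `requires` closes that gap. That build also `cd`s into a hard-coded `/home/tera/...` checkout instead of a store path, which makes the image depend on mutable working-tree state outside the Nix closure; using `${./volume}` as the build context would keep it declarative. `--network=host` drops the container's network namespace, which looks intentional so the Caddyfile can reach `127.0.0.1:8000`, but it deserves a comment next to the option, e.g. `# host networking: Caddy proxies to a service bound on the host loopback`.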
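Review bot: `{env.CF_API_TOKEN}` is read from the container environment, so the token has to be supplied through the `caddy_docker_env` secret file and nothing in this hunk says so; a comment on the `dns cloudflare` line, `# CF_API_TOKEN comes from the sops-managed env file; scope it to Zone:DNS:Edit for this zone only`, would make the dependency and the least-privilege expectation explicit. The path matcher in `reverse_proxy /* 127.0.0.1:8000` is redundant, since an unmatched `reverse_proxy 127.0.0.1:8000` already covers every path. Because the site block also covers `*.hofers.cloud`, every hostname under the wildcard, including ones that do not exist yet, is forwarded to the one backend; that is fine if the backend (presumably the Traefik instance the README mentions) does its own host routing, but a one-line comment stating that assumption would help.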
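Review bot: `--with github.com/caddy-dns/cloudflare` is unpinned, so each build fetches whatever the module's newest tagged version is at that moment; the image is not reproducible and a freshly published upstream version lands silently in the binary that holds the Cloudflare token. Pin it the same way the base images are pinned to 2.10.0, `--with github.com/caddy-dns/cloudflare@<MODULE_VERSION>` (placeholder), and bump it deliberately. The final stage is `caddy:2.10.0-alpine`, yet the Nix build tags the result `caddy-custom:2.10.0-builder`, which reads as if the builder stage were being shipped; a tag such as `caddy-custom:2.10.0-cloudflare` would describe what the image actually contains.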
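Review bot: `caddy_docker_env = {};` is consumed by Docker as an env file, so the decrypted value has to be complete dotenv content rather than a bare token — at minimum `CF_API_TOKEN=<value>`, since the Caddyfile reads `{env.CF_API_TOKEN}` — and nothing at the declaration says so; a comment such as `# dotenv for the caddy-web container (CF_API_TOKEN=...)` would save the next person a failed certificate issuance. The enclosing `secrets` attribute set starts outside the hunk, so the default owner and mode applied to this entry are not visible here; if they are the module defaults (root-only), that is appropriate for a file the Docker daemon reads.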