diff --git a/services/caddy.yaml b/services/caddy.yaml
index e0d5a6b..8eb0ca3 100644
--- a/services/caddy.yaml
+++ b/services/caddy.yaml
@@ -2,19 +2,31 @@ version: "3.7"
 
 services:
   caddy:
-    image: caddy
+    image: lucaslorentz/caddy-docker-proxy:ci-alpine
     restart: unless-stopped
     ports:
       - "80:80"
       - "443:443"
       - "443:443/udp"
+    privileged: true
     volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./caddy/Caddyfile:/etc/caddy/Caddyfile
       - ../data/caddy/site:/site
       - ../data/caddy/data:/data
       - caddy_config:/config
     environment:
       - DOMAIN
+      - CADDY_INGRESS_NETWORKS=caddy
+    labels:
+      caddy: ${DOMAIN}
+      caddy.file_server.root: /site
+    networks:
+      - caddy
+
+networks:
+  caddy:
+    external: true
 
 volumes:
   caddy_config:
diff --git a/services/caddy/Caddyfile b/services/caddy/Caddyfile
index 0853e90..bedbb8f 100644
--- a/services/caddy/Caddyfile
+++ b/services/caddy/Caddyfile
@@ -4,6 +4,3 @@
 	}
 }
 
-web.{$DOMAIN} {
-	reverse_proxy services-web-1:4431
-}
diff --git a/services/web.yaml b/services/web.yaml
index 170f5a7..45ecf9e 100644
--- a/services/web.yaml
+++ b/services/web.yaml
@@ -2,21 +2,37 @@ version: "3.7"
 
 services:
   web:
+    depends_on:
+      - caddy
     build:
       context: ./web
       dockerfile: Containerfile
     restart: unless-stopped
+    privileged: true
     ports:
       - "8081:80"
       - "4431:443"
       - "4431:443/udp"
     volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./web/Caddyfile:/etc/caddy/Caddyfile
       - ../data/web/site:/site
       - ../data/web/data:/data
       - caddy_config:/config
     environment:
       - DOMAIN
+    networks:
+      - caddy
+    labels:
+      caddy: web.${DOMAIN}
+#      caddy.reverse_proxy: "{{upstreams 4431}}"
+      caddy.reverse_proxy: services-web-1:4431
+    #security_opt:
+    #  - label=disable
+
+networks:
+  caddy:
+    external: true
 
 volumes:
   caddy_config:
diff --git a/services/zitadel.yaml b/services/zitadel.yaml
index 39b1c02..b2bb0be 100644
--- a/services/zitadel.yaml
+++ b/services/zitadel.yaml
@@ -4,7 +4,8 @@ services:
   zitadel:
     restart: 'always'
     networks:
-      - 'zitadel'
+      - zitadel
+      - caddy
     image: 'ghcr.io/zitadel/zitadel:latest'
     command: 'start-from-init --masterkey "6cd52ccbc4da912319f0fdc016d68575dd391bd932ebdc045c89b2dce9e90315" --tlsMode disabled'
     environment:
@@ -15,11 +16,15 @@ services:
         condition: 'service_healthy'
     ports:
       - '8123:8080'
+    labels:
+      - caddy: login.${DOMAIN}
+      - caddy.reverse_proxy: "{{upstreams}}"
 
   crdb:
     restart: 'always'
     networks:
-      - 'zitadel'
+      - zitadel
+      - caddy
     image: 'cockroachdb/cockroach:v22.2.2'
     command: 'start-single-node --insecure'
     healthcheck:
@@ -33,4 +38,7 @@ services:
       - '26257:26257'
 
 networks:
+  caddy:
+    external: true
   zitadel:
+