diff --git a/nix/hosts/hetznix/modules/acme.nix b/nix/hosts/hetznix/modules/acme.nix
index c96c68b..efabb9a 100644
--- a/nix/hosts/hetznix/modules/acme.nix
+++ b/nix/hosts/hetznix/modules/acme.nix
@@ -3,13 +3,16 @@
 {
 security.acme = {
 acceptTerms = true;
- defaults.email = "oliver@oliverdavies.uk";
- defaults.environmentFile = config.age.secrets.cloudflare.path;
+
+ defaults = {
+ dnsProvider = "cloudflare";
+ email = "oliver@oliverdavies.uk";
+ environmentFile = config.age.secrets.cloudflare.path;
+ webroot = null;
+ };
 certs."oliverdavies.uk" = {
 domain = "oliverdavies.uk";
- dnsProvider = "cloudflare";
- webroot = null;
 extraDomainNames = [
 # TODO Refactor to use a wildcard certificate.
diff --git a/nix/hosts/nixedo/configuration.nix b/nix/hosts/nixedo/configuration.nix
index 7895a15..635a22f 100644
--- a/nix/hosts/nixedo/configuration.nix
+++ b/nix/hosts/nixedo/configuration.nix
@@ -2,11 +2,13 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ inputs, pkgs, ... }:
+{ inputs, ... }:
 {
 imports = [
 ./hardware-configuration.nix
+
+ ./modules/acme.nix
 ];
 nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
@@ -30,4 +32,6 @@
 80
 443
 ];
+
+ services.caddy.enable = true;
 }
diff --git a/nix/hosts/nixedo/default.nix b/nix/hosts/nixedo/default.nix
index 7367d69..9c64fdf 100644
--- a/nix/hosts/nixedo/default.nix
+++ b/nix/hosts/nixedo/default.nix
@@ -23,7 +23,5 @@
 ./configuration.nix
 ./secrets.nix
 ./extra.nix
-
- ./modules/nginx.nix
 ];
 }
diff --git a/nix/hosts/nixedo/modules/acme.nix b/nix/hosts/nixedo/modules/acme.nix
new file mode 100644
index 0000000..352b753
--- /dev/null
+++ b/nix/hosts/nixedo/modules/acme.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+
+ certs = {
+ "opdavies.uk" = {
+ domain = "opdavies.uk";
+ dnsProvider = "cloudflare";
+ email = "oliver@oliverdavies.uk";
+ environmentFile = config.age.secrets.cloudflare-opdavies-uk.path;
+ webroot = null;
+
+ extraDomainNames = [ "*.opdavies.uk" ];
+ };
+ };
+ };
+}
diff --git a/nix/hosts/nixedo/modules/nginx.nix b/nix/hosts/nixedo/modules/nginx.nix
deleted file mode 100644
index 34ca2d8..0000000
--- a/nix/hosts/nixedo/modules/nginx.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, ... }:
-
-{
- services.nginx = {
- enable = true;
-
- virtualHosts = {
- "syncthing.localhost".locations."/".proxyPass = "http://localhost:8384/";
- };
- };
-}
diff --git a/nix/hosts/nixedo/secrets.nix b/nix/hosts/nixedo/secrets.nix
index 325699d..b4448de 100644
--- a/nix/hosts/nixedo/secrets.nix
+++ b/nix/hosts/nixedo/secrets.nix
@@ -1,5 +1,6 @@
 {
 age.secrets = {
+ cloudflare-opdavies-uk.file = ../../secrets/cloudflare-opdavies-uk.age;
 tubearchivist.file = ../../secrets/tubearchivist.age;
 };
 }
diff --git a/nix/modules/nixos/features/homelab/audiobookshelf.nix b/nix/modules/nixos/features/homelab/audiobookshelf.nix
index 79537dc..a0012a3 100644
--- a/nix/modules/nixos/features/homelab/audiobookshelf.nix
+++ b/nix/modules/nixos/features/homelab/audiobookshelf.nix
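Review bot: The new `environmentFile` line hands lego a Cloudflare credential that can now issue a wildcard for `*.opdavies.uk`, and nothing on the page records how narrowly that token is scoped, even though the per-host secret name suggests it was cut for this zone alone. A comment above the line would keep that intent from eroding when the secret is next rotated, e.g. `# Cloudflare token (lego's CLOUDFLARE_DNS_API_TOKEN, presumably) scoped to DNS:Edit on the opdavies.uk zone only; anything wider lets a compromised nixedo edit other zones.` The file is complete within this hunk, so the comment can sit directly above `environmentFile`.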
@@ -9,21 +9,17 @@ in
 options.features.homelab.audiobookshelf.enable = mkEnableOption "Enable audiobookshelf";
 config = mkIf cfg.enable {
- services.audiobookshelf = {
- enable = true;
+ services = {
+ audiobookshelf = {
+ enable = true;
- host = "audiobookshelf.oliverdavies.uk";
- port = 4001;
- };
+ port = 4001;
+ };
- services.nginx = {
- enable = true;
+ caddy.virtualHosts."audiobookshelf.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
- virtualHosts."audiobookshelf.oliverdavies.uk" = {
- locations."/" = {
- proxyPass = "http://localhost:${toString config.services.audiobookshelf.port}/";
- proxyWebsockets = true;
- };
+ extraConfig = "reverse_proxy localhost:${toString config.services.audiobookshelf.port}";
 };
 };
 };
diff --git a/nix/modules/nixos/features/homelab/forgejo.nix b/nix/modules/nixos/features/homelab/forgejo.nix
index e89f203..509c34c 100644
--- a/nix/modules/nixos/features/homelab/forgejo.nix
+++ b/nix/modules/nixos/features/homelab/forgejo.nix
@@ -2,9 +2,6 @@
 with lib;
-let
- port = 2223;
-in
 {
 options.features.homelab.forgejo.enable = mkEnableOption "Enable forgejo";
@@ -17,7 +14,8 @@ in
 settings = {
 server = {
- HTTP_PORT = port;
+ DOMAIN = "forgejo.opdavies.uk";
+ HTTP_PORT = 2223;
 };
 service = {
@@ -26,11 +24,10 @@ in
 };
 };
- nginx = {
- enable = true;
+ caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
+ useACMEHost = "opdavies.uk";
- virtualHosts."forgejo.oliverdavies.uk".locations."/".proxyPass =
- "http://localhost:${toString port}/";
+ extraConfig = "reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
 };
 };
 };
diff --git a/nix/modules/nixos/features/homelab/freshrss.nix b/nix/modules/nixos/features/homelab/freshrss.nix
index d353be3..706624d 100644
--- a/nix/modules/nixos/features/homelab/freshrss.nix
+++ b/nix/modules/nixos/features/homelab/freshrss.nix
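Review bot: The replaced nginx block carried its own `enable = true;`, but the new `caddy.virtualHosts` block does not set `services.caddy.enable`, so a host that turns on `features.homelab.audiobookshelf` without also enabling Caddy itself (only nixedo's configuration.nix does so in this diff) gets a vhost definition that is never served; the same applies to the forgejo, freshrss, gitea, immich, jellyfin, paperless and tubearchivist-container hunks. Adding `caddy.enable = true;` beside each `caddy.virtualHosts` entry keeps the feature modules self-contained as they were before. Separately, dropping `host = "audiobookshelf.oliverdavies.uk";` leaves the bind address at the module default, which I believe is loopback — if so this is an improvement, since the service is then only reachable through Caddy; if not, pin it with `host = "127.0.0.1";`. The enclosing module's closing brace lies outside the hunk.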
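Review bot: The second forgejo hunk sets `DOMAIN` but not `ROOT_URL`; as far as I recall the NixOS forgejo module derives `ROOT_URL` from `PROTOCOL`, `DOMAIN` and `HTTP_PORT`, which here would yield `http://forgejo.opdavies.uk:2223/`, so clone URLs, e-mail links and OAuth redirect URIs generated behind the HTTPS Caddy vhost would point at the plain-HTTP backend port. Pin it explicitly next to the domain: `DOMAIN = "forgejo.opdavies.uk"; ROOT_URL = "https://forgejo.opdavies.uk/"; HTTP_PORT = 2223;`. Consider `HTTP_ADDR = "127.0.0.1";` as well so the backend listens only on loopback rather than relying solely on the host firewall (nixedo opens only 80 and 443 in this diff). The gitea hunk changes only its vhost, so whether gitea.nix sets `ROOT_URL` for the new hostname is outside the visible lines and worth the same check.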
@@ -95,11 +95,10 @@ in
 wantedBy = [ "multi-user.target" ];
 };
- services.nginx = {
- enable = true;
+ services.caddy.virtualHosts."freshrss.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
- virtualHosts."freshrss.oliverdavies.uk".locations."/".proxyPass =
- "http://localhost:${toString port}/";
+ extraConfig = "reverse_proxy localhost:${toString port}";
 };
 };
 }
diff --git a/nix/modules/nixos/features/homelab/gitea.nix b/nix/modules/nixos/features/homelab/gitea.nix
index 8ff4f58..dadf227 100644
--- a/nix/modules/nixos/features/homelab/gitea.nix
+++ b/nix/modules/nixos/features/homelab/gitea.nix
@@ -26,10 +26,10 @@ in
 };
 };
- nginx = {
- enable = true;
+ caddy.virtualHosts."gitea.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
- virtualHosts."gitea.oliverdavies.uk".locations."/".proxyPass = "http://localhost:${toString port}/";
+ extraConfig = "reverse_proxy localhost:${toString port}";
 };
 };
 };
diff --git a/nix/modules/nixos/features/homelab/immich.nix b/nix/modules/nixos/features/homelab/immich.nix
index 4726c3b..82b89dd 100644
--- a/nix/modules/nixos/features/homelab/immich.nix
+++ b/nix/modules/nixos/features/homelab/immich.nix
@@ -19,11 +19,10 @@ with lib;
 environment.systemPackages = [ pkgs.immich-cli ];
- services.nginx = {
- enable = true;
+ services.caddy.virtualHosts."immich.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
- virtualHosts."immich.oliverdavies.uk".locations."/".proxyPass =
- "http://localhost:${toString config.services.immich.port}/";
+ extraConfig = "reverse_proxy localhost:${toString config.services.immich.port}";
 };
 };
 }
diff --git a/nix/modules/nixos/features/homelab/jellyfin.nix b/nix/modules/nixos/features/homelab/jellyfin.nix
index 1397fda..4804a78 100644
--- a/nix/modules/nixos/features/homelab/jellyfin.nix
+++ b/nix/modules/nixos/features/homelab/jellyfin.nix
@@ -13,10 +13,10 @@ with lib;
 configDir = "/mnt/media/jellyfin";
 };
- services.nginx = {
- enable = true;
+ services.caddy.virtualHosts."jellyfin.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
- virtualHosts."jellyfin.oliverdavies.uk".locations."/".proxyPass = "http://localhost:8096/";
+ extraConfig = "reverse_proxy localhost:8096";
 };
 };
 }
diff --git a/nix/modules/nixos/features/homelab/paperless.nix b/nix/modules/nixos/features/homelab/paperless.nix
index 8d97a8d..99ec00e 100644
--- a/nix/modules/nixos/features/homelab/paperless.nix
+++ b/nix/modules/nixos/features/homelab/paperless.nix
@@ -6,8 +6,20 @@ with lib;
 options.features.homelab.paperless.enable = mkEnableOption "Enable paperless";
 config = mkIf config.features.homelab.paperless.enable {
- services.paperless = {
- enable = true;
+ services = {
+ paperless = {
+ enable = true;
+
+ settings = {
+ PAPERLESS_URL = "https://paperless.opdavies.uk";
+ };
+ };
+
+ caddy.virtualHosts."paperless.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
+
+ extraConfig = "reverse_proxy localhost:28981";
+ };
 };
 };
 }
diff --git a/nix/modules/nixos/features/homelab/pi-hole.nix b/nix/modules/nixos/features/homelab/pi-hole.nix
index d8cc070..80a6f8d 100644
--- a/nix/modules/nixos/features/homelab/pi-hole.nix
+++ b/nix/modules/nixos/features/homelab/pi-hole.nix
@@ -95,9 +95,5 @@ in
 wantedBy = [ "multi-user.target" ];
 };
 };
-
- services.nginx.virtualHosts."pihole.localhost" = {
- locations."/".proxyPass = "http://localhost:${toString port}/";
- };
 };
 }
diff --git a/nix/modules/nixos/features/homelab/tubearchivist-container.nix b/nix/modules/nixos/features/homelab/tubearchivist-container.nix
index 300b3e9..d78afaf 100644
--- a/nix/modules/nixos/features/homelab/tubearchivist-container.nix
+++ b/nix/modules/nixos/features/homelab/tubearchivist-container.nix
@@ -10,7 +10,7 @@ with lib;
 let
 cfg = config.features.homelab.tubearchivist-container;
- port = 8000;
+ port = 8085;
 in
 {
 options.features.homelab.tubearchivist-container = {
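Review bot: The paperless vhost hard-codes the backend as `reverse_proxy localhost:28981`, while the audiobookshelf, immich and forgejo hunks in the same commit derive the port from the service's own option; if `services.paperless.port` is ever changed the proxy silently breaks. Use the same pattern here: `extraConfig = "reverse_proxy localhost:${toString config.services.paperless.port}";`. Setting `PAPERLESS_URL` to the HTTPS origin in the same hunk is the right move for the app's CSRF/allowed-host checks and should stay.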
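Review bot: The tubearchivist-container hunk moves `port` from 8000 to 8085 without saying why, and `port` feeds both the Caddy `reverse_proxy` target (second tubearchivist hunk) and, presumably, the container's published port outside the visible lines. A one-line comment on the binding, e.g. `# host-side port the container publishes and Caddy proxies to; moved off 8000 because <REASON — fill in>`, would save the next reader a git-blame. The `let` block this line belongs to closes inside the hunk, but the container definition that consumes `port` does not appear here.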
@@ -286,11 +286,10 @@ in wantedBy = [ "multi-user.target" ]; }; - services.nginx = { - enable = true; + services.caddy.virtualHosts."tubearchivist.opdavies.uk" = { + useACMEHost = "opdavies.uk"; - virtualHosts."tubearchivist.oliverdavies.uk".locations."/".proxyPass = - "http://localhost:${toString port}/"; + extraConfig = "reverse_proxy localhost:${toString port}"; }; }; } diff --git a/nix/secrets/cloudflare-opdavies-uk.age b/nix/secrets/cloudflare-opdavies-uk.age new file mode 100644 index 0000000..835ebf7 --- /dev/null +++ b/nix/secrets/cloudflare-opdavies-uk.age @@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 IsVD3g kacSrvgn/CGIwU05AkK6UGhxVm5oO/FRK2jgH1qHVg0 +JXzp1+Al5O8sBw3a4td7RA3HVP6C9tIdvvgZFZ9Se5w +-> ssh-rsa +vTWQw +ndPfUjqCzN5uqcrRvb/OGKmBouyM6qwf5ZmnfMg49NXcxt7bwCK0v7iPtOOOgDI2 +34Oi1EGgjkJ/YY+nxKuHZtRlq+wySbqeLVXUmb52reW4sj4PHEZOsFIO8Dnxmx9P +9AtISLIrdJd3V39v4+pXOo9tBvBcTAs7JKqDGFcfp7gcVH0vLga0l3jLUspZiNB9 +DXW6Gbttg8Z6El9J1fAqVXcDE3q7pPZE//zu/cIRyt4/kbK76bx7yEaKAy2GycZS +SCjjxsRtkBHOKQEQnFdKfWD/AG1USNmoiv4zHx1G9pIVJJA47yNWLwsx8Q7VrfNS +CXpxQt+ElOH5pRTpXMAx1/rHs/NpXMMUm0EVvWKTNbrbHvepTUvEYABo+DKicRVI +3H6RYWedXZ9ggpfID66CbF4HFtVJTXwHhvdzGfdna8J1Dy7nJyevT/fCz8tqlVIa +EFEFqUardSWj0zFL3PQgk2qmrC9W1+isp83Rioi/n/ow8O0Q+XlzO3rQjNYWtEgp +jufzw+3YI9HuNLPXB0xBfSgwP8Ao6iYskE+8IL+xu4ITCec/ItpoYk1Yeb38G2HQ +6JlIseQIgpOzw8DlMMWtWjO4U+9JAZh5XOlEgwFPFL25m//24UM7RB3/Yd1/it8i +cNaHR1L2/P8k5FnbR2jhxcTb2tEzlFo422brC0r/Ilc +--- MqcbFcs1myK1Dn1h/PQKZ59BdgYXIifkp0DkvoNQaL4 +€ÒWٱ෹Üy +šj`šÊ$ÜEŠ¬n¥ï‡_<‡íý¤²í%s`#¦d,x¿MGëdf:õÄ*`z‰öR‹X–¯>ýÄKJâ¶0ž€ÙB’ÄØDÂj<Å£¤´§=% \ No newline at end of file diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix index 795609b..0bfbf80 100644 --- a/nix/secrets/secrets.nix +++ b/nix/secrets/secrets.nix 
@@ -13,11 +13,15 @@ in
 {
 "cloudflare.age".publicKeys = [
 hosts.hetznix
- hosts.nixedo
 hosts.t490
 users.opdavies
 ];
+ "cloudflare-opdavies-uk.age".publicKeys = [
+ hosts.nixedo
+ users.opdavies
+ ];
+
 "tubearchivist.age".publicKeys = [
 hosts.lemp11
 hosts.nixedo
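Review bot: Removing `hosts.nixedo` from `"cloudflare.age".publicKeys` only changes who future encryptions target; the diff shows no change to `nix/secrets/cloudflare.age` itself, so the existing ciphertext stays decryptable with nixedo's host key until the file is rekeyed (`agenix -r`), and hetznix's acme module in the first hunk still reads that secret. If the goal is that nixedo no longer holds the hetznix-zone credential, rotating the Cloudflare token behind `cloudflare.age` is the stronger remedy, since the old value may already be present on nixedo's disk. A short comment on the new entry, e.g. `# per-zone token for opdavies.uk only; hetznix keeps its own in cloudflare.age`, would document the intended separation. The attrset these entries live in opens outside the hunk.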