diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix
new file mode 100644
index 0000000..d963527
--- /dev/null
+++ b/roles/server/caddy.nix
@@ -0,0 +1,11 @@
+{...}: {
+ services.caddy = {
+ enable = true;
+ extraConfig = ''
+ (tailscale) {
+ tls internal
+ bind 100.73.96.48
+ }
+ '';
+ };
+}
diff --git a/roles/server/default.nix b/roles/server/default.nix
index 7468b3c..5e32379 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -11,7 +11,7 @@
 ./ddclient.nix
 ./beep.nix
 ./tailscale.nix
- ./traefik.nix
+ ./caddy.nix
 ./dns.nix
 ./rust_motd.nix
 ];
diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix
index cc16a44..65fbf83 100644
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@@ -47,20 +47,12 @@ in {
 # Add a cname for forgejo
 services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"];
- # Set up traefik as the reverse proxy for Forgejo
- services.traefik = {
- dynamicConfigOptions = {
- http = {
- routers = {
- forgejo-subpath = {
- rule = "Host(`git.everest.tailscale`)";
- service = "forgejo";
- };
- };
- services.forgejo.loadBalancer.servers = [
- {url = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";}
- ];
- };
- };
+ # Set up caddy as the reverse proxy for Forgejo
+ services.caddy.virtualHosts.forgejo = {
+ hostName = "git.everest.tailscale";
+ extraConfig = ''
+ import tailscale
+ reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+ '';
 };
 }
diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix
index c581918..f684129 100755
--- a/roles/server/syncthing.nix
+++ b/roles/server/syncthing.nix
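Review bot: Nothing in the new caddy.nix orders Caddy after Tailscale, although the `(tailscale)` snippet binds to `100.73.96.48`; the traefik.nix deleted in this commit carried `units.tailscaled.requiredBy = ["traefik.service"]` and `RestartSec = 120` because the proxy crashed when that address was not up yet. Unless this is handled elsewhere, carry it over, e.g. `systemd.services.caddy.after = ["tailscaled.service"];` together with `systemd.services.caddy.serviceConfig.RestartSec = 120;`. `tls internal` signs the site certificates with Caddy's local CA, so a comment noting that tailnet clients must trust that root, rather than click through warnings, would help. The deleted file also opened TCP 80 and 8080 while this one opens no port, which works only if the Tailscale interface is trusted in the firewall elsewhere (not visible here).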
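Review bot: The site for `git.everest.tailscale` stays tailnet-only solely because of the `import tailscale` line in its `extraConfig`; a virtual host that omits it would listen on every interface and use Caddy's default certificate automation instead of the internal CA. The same applies to the syncthing.nix and transmission.nix hunks. I would add a comment above `extraConfig` in each, such as `# "import tailscale" binds the site to the tailnet address and selects the internal CA; keep it on every vhost`. The move from plain HTTP to `tls internal` also changes the external scheme, so Forgejo's `ROOT_URL` (not visible in this hunk, whose attribute set starts above line 47) should presumably be checked for `https://`.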
@@ -36,20 +36,12 @@
 # Add a cname for syncthing
 services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"];
- # Set up traefik as the reverse proxy for syncthing
- services.traefik = {
- dynamicConfigOptions = {
- http = {
- routers = {
- syncthing-subdomain = {
- rule = "Host(`sync.everest.tailscale`)";
- service = "syncthing";
- };
- };
- services.syncthing.loadBalancer.servers = [
- {url = "http://localhost:8384";}
- ];
- };
- };
+ # Set up caddy as the reverse proxy for syncthing
+ services.caddy.virtualHosts.syncthing = {
+ hostName = "sync.everest.tailscale";
+ extraConfig = ''
+ import tailscale
+ reverse_proxy localhost:8384
+ '';
 };
 }
diff --git a/roles/server/traefik.nix b/roles/server/traefik.nix
deleted file mode 100644
index 171f64d..0000000
--- a/roles/server/traefik.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{...}: {
- specialisation.traefikEnableWebUI.configuration.services.traefik = {
- staticConfigOptions = {
- api = {
- # Enable the web ui
- insecure = true;
- dashboard = true;
- };
- };
- };
-
- services.traefik = {
- enable = true;
- staticConfigOptions = {
- entryPoints = {
- http = {address = "100.73.96.48:80";};
- };
- };
- };
-
- systemd = {
- units.tailscaled.requiredBy = ["traefik.service"];
- # We have somewhat frequent power outages, and our ISP router takes
- # ages to boot up. If I don't add a delay, traefik tries to bind to
- # the tailscale interface before it's ready, making it crash too much
- # in too little time
- services.traefik.serviceConfig.RestartSec = 120;
- };
-
- networking.firewall.allowedTCPPorts = [80 8080];
-}
diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix
index ec28ab8..e52f286 100755
--- a/roles/server/transmission.nix
+++ b/roles/server/transmission.nix
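Review bot: The upstream in `reverse_proxy localhost:8384` is hard-coded, whereas the forgejo.nix and transmission.nix hunks derive the port from the service's own settings. If the Syncthing GUI address is changed in this module, the proxy will keep pointing at the old port without any evaluation error. Consider deriving the upstream from the service option, or at least adding a comment such as `# must match services.syncthing.guiAddress`. The enclosing attribute set starts outside the hunk, so the GUI address actually configured is not visible here.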
@@ -40,20 +40,12 @@ in {
 # Add a cname for transmission
 services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"];
- # Set up traefik as the reverse proxy for transmission
- services.traefik = {
- dynamicConfigOptions = {
- http = {
- routers = {
- transmission-subdomain = {
- rule = "Host(`transmission.everest.tailscale`)";
- service = "transmission";
- };
- };
- services.transmission.loadBalancer.servers = [
- {url = "http://localhost:${toString config.services.transmission.settings.rpc-port}";}
- ];
- };
- };
+ # Set up caddy as the reverse proxy for transmission
+ services.caddy.virtualHosts.transmission = {
+ hostName = "transmission.everest.tailscale";
+ extraConfig = ''
+ import tailscale
+ reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
+ '';
 };
 }