diff --git a/proxy/Caddyfile b/proxy/Caddyfile index 1fff47a..bc24cc5 100644 --- a/proxy/Caddyfile +++ b/proxy/Caddyfile @@ -1,18 +1,76 @@ { - auto_https disable_redirects - local_certs - pki { - ca local { - name "{$LOCAL_CA_NAME}" - } - } + email {env.EMAIL} log default { output stdout format console } + debug } -(errorhandler) { +*.{$DOMAIN} { + tls { + dns netcup { + customer_number {env.NETCUP_CUSTOMER_NUMBER} + api_key {env.NETCUP_API_KEY} + api_password {env.NETCUP_API_PASSWORD} + } + propagation_timeout 900s + propagation_delay 600s + resolvers 9.9.9.9 + } + #header Strict-Transport-Security "max-age=63072000" + + @whoami host whoami.{$DOMAIN} + handle @whoami { + reverse_proxy whoami:80 + } + + @dashboard host dashboard.{$DOMAIN} + handle @dashboard { + reverse_proxy homer:8080 + } + + @hassi host hassi.{$DOMAIN} + handle @hassi { + # reverse_proxy homeassistant:8123 + reverse_proxy {host}:8123 + } + + @zigbee2mqtt host zigbee2mqtt.{$DOMAIN} + handle @zigbee2mqtt { + reverse_proxy zigbee2mqtt:8080 + } + + @jellyfin host jellyfin.{$DOMAIN} + handle @jellyfin { + reverse_proxy jellyfin:8096 + } + + @paperless host paperless.{$DOMAIN} + handle @paperless { + reverse_proxy paperless-ngx:8000 + } + + @download host download.{$DOMAIN} + handle @download { + reverse_proxy pyload:8000 + } + + @uptime host uptime.{$DOMAIN} + handle @uptime { + reverse_proxy uptime-kuma:3001 + } + + @torrent host torrent.{$DOMAIN} + handle @torrent { + reverse_proxy transmission:9091 + } + + # Fallback unhandled (sub)domains + handle { + error 404 + } + handle_errors { root * /usr/share/caddy/web rewrite * /error.html 
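Review bot: The global `debug` option added beside `log default` raises the default logger to DEBUG on a proxy that now fronts every service under `*.{$DOMAIN}`; at that level Caddy's reverse_proxy logs upstream round-trips, which can include request headers such as Cookie and Authorization, and they land on stdout in the container logs. If it is there to troubleshoot the netcup DNS-01 challenge, remove it once the wildcard certificate issues, or at least mark it `debug  # TODO remove after DNS-01 troubleshooting`. Once issuance works, the commented `#header Strict-Transport-Security "max-age=63072000"` is worth re-enabling, since moving from `local_certs` to publicly trusted certificates is what makes HSTS safe, though starting with a short `max-age` is wise. Note also that dropping `local_certs` and the `pki` block means `root.crt` is no longer generated (and the second hunk deletes the `root-ca` site), yet `proxy/web/index.html` later in this diff still tells users to download and trust it.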
@@ -22,70 +80,3 @@ } } } - -(localtls) { - tls internal -} - -whoami.{$DOMAIN} http://whoami.{$DOMAIN} { - reverse_proxy whoami:80 - import errorhandler -} - -dashboard.{$DOMAIN} http://dashboard.{$DOMAIN} { - reverse_proxy homer:8080 - import errorhandler -} - -hassi.{$DOMAIN} http://hassi.{$DOMAIN} { - # reverse_proxy homeassistant:8123 - reverse_proxy {host}:8123 - import errorhandler -} - -zigbee2mqtt.{$DOMAIN} http://zigbee2mqtt.{$DOMAIN} { - reverse_proxy zigbee2mqtt:8080 - import errorhandler -} - -jellyfin.{$DOMAIN} http://jellyfin.{$DOMAIN} { - reverse_proxy jellyfin:8096 - import errorhandler -} - -paperless.{$DOMAIN} http://paperless.{$DOMAIN} { - reverse_proxy paperless-ngx:8000 - import errorhandler -} - -download.{$DOMAIN} http://download.{$DOMAIN} { - reverse_proxy pyload:8000 - import errorhandler -} - -uptime.{$DOMAIN} http://uptime.{$DOMAIN} { - reverse_proxy uptime-kuma:3001 - import errorhandler -} - -torrent.{$DOMAIN} http://torrent.{$DOMAIN} { - reverse_proxy transmission:9091 - import errorhandler -} - -*.{$DOMAIN} http://*.{$DOMAIN} { - error 404 - import errorhandler -} - -root-ca.{$DOMAIN} http://root-ca.{$DOMAIN} { - file_server * { - root /usr/share/caddy/web - hide .git Readme.md - } - file_server /root.crt { - root /data/caddy/pki/authorities/local/ - hide *.key - } - import errorhandler -} diff --git a/proxy/Dockerfile b/proxy/Dockerfile new file mode 100644 index 0000000..7223e84 --- /dev/null +++ b/proxy/Dockerfile @@ -0,0 +1,7 @@ +FROM caddy:2-builder AS builder + +RUN xcaddy build --with github.com/caddy-dns/netcup + +FROM caddy:2 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml index 2870b0b..9f0eaac 100644 --- a/proxy/docker-compose.yaml +++ b/proxy/docker-compose.yaml @@ -1,7 +1,7 @@ services: caddy: - image: caddy:2 + build: ./ restart: unless-stopped ports: - 80:80 
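Review bot: Neither the base images nor the DNS plugin in the new `proxy/Dockerfile` are pinned: `FROM caddy:2-builder` and `FROM caddy:2` float with the major tag, and `xcaddy build --with github.com/caddy-dns/netcup` has no `@version`, so every rebuild fetches whatever is latest and the binary that handles the netcup API credentials can change silently. Pin the module (`--with github.com/caddy-dns/netcup@<tag>`) and the images to a specific tag or `@sha256:` digest, and bump them deliberately. A `# DNS-01 challenge for the *.{$DOMAIN} wildcard needs the netcup provider` comment on the RUN line would also explain the custom build to the next reader.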
@@ -17,6 +17,10 @@ services: environment: - DOMAIN=${DOMAIN} - LOCAL_CA_NAME=${LOCAL_CA_NAME} + - NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER} + - NETCUP_API_KEY=${NETCUP_API_KEY} + - NETCUP_API_PASSWORD=${NETCUP_API_PASSWORD} + - EMAIL=${LETSENCRYPT_MAIL} cap_add: - cap_net_bind_service diff --git a/proxy/web/error.html b/proxy/web/error.html index 2315a15..7a72d86 100644 --- a/proxy/web/error.html +++ b/proxy/web/error.html @@ -28,7 +28,7 @@ diff --git a/proxy/web/index.html b/proxy/web/index.html index 76a3485..2f9cb5e 100644 --- a/proxy/web/index.html +++ b/proxy/web/index.html @@ -37,7 +37,7 @@
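Review bot: The three netcup API credentials are injected through `environment:`, and those values let whoever holds them create arbitrary DNS records for the domain (and so obtain certificates for it), yet they are readable via `docker inspect` and the container's `/proc/<pid>/environ` to anyone with Docker socket access. Using `{env.…}` rather than `{$…}` in the Caddyfile does keep them out of the adapted JSON config, which is good; going further would mean mounting them as files and reading them with Caddy's `{file.<path>}` placeholder, if the build in use supports it, rather than through the process environment. `LOCAL_CA_NAME` is still passed although this commit removes the `pki` block that consumed it, so that line can go. The `EMAIL=${LETSENCRYPT_MAIL}` mapping is fine but undocumented; a `# ACME account contact, consumed by the Caddyfile's global email option` comment would tie the two names together.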
  • Um das CA-Certifikat in den Linux-Truststore zu installieren führen Sie folgende Befehle aus: -
    curl -o caddy-root-ca.crt http://example.lan/root.crt
    +         
    curl -o caddy-root-ca.crt http://example.home.florianzirker.de/root.crt
     sudo mkdir -p /usr/local/share/ca-certificates/extra
     sudo cp caddy-root-ca.crt /usr/local/share/ca-certificates/extra/
     sudo update-ca-certificates