diff --git a/auth/docker-compose.yml b/auth/docker-compose.yml
new file mode 100644
index 0000000..1214623
--- /dev/null
+++ b/auth/docker-compose.yml
@@ -0,0 +1,90 @@
+services:
+
+ authentik-server:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
+ restart: unless-stopped
+ command: server
+ environment:
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_POSTGRESQL__HOST=postgresql
+ - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
+ - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+ - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+ volumes:
+ - ${VOLUMES_PATH}/auth/media:/media
+ - ${VOLUMES_PATH}/auth/custom-templates:/templates
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - web
+ - auth
+
+ authentik-worker:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
+ restart: unless-stopped
+ command: worker
+ environment:
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_POSTGRESQL__HOST=postgresql
+ - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
+ - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+ - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+ user: root
+ volumes:
+ # - /var/run/docker.sock:/var/run/docker.sock
+ - ${VOLUMES_PATH}/auth/media:/media
+ - ${VOLUMES_PATH}/auth/certs:/certs
+ - ${VOLUMES_PATH}/auth/custom-templates:/templates
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ networks:
+ - auth
+
+ postgresql:
+ image: postgres:${POSTGRES_VERSION}
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - ${VOLUMES_PATH}/auth/postgres/:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_DB=${POSTGRES_DB}
+ networks:
+ - auth
+
+ redis:
+ image: redis:${REDIS_VERSION}
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - ${VOLUMES_PATH}/auth/redis:/data
+ networks:
+ - auth
+
+
+networks:
+ auth:
+ web:
+ external: true
diff --git a/paperless/docker-compose.yaml b/paperless/docker-compose.yaml
index 20b0079..5688a55 100644
--- a/paperless/docker-compose.yaml
+++ b/paperless/docker-compose.yaml
@@ -60,6 +60,9 @@ services:
 - USERMAP_GID=1000
 - PAPERLESS_PRE_CONSUME_SCRIPT=/usr/src/paperless/scripts/removePdfPassword.py
 - PAPERLESS_OCR_USER_ARGS=${USER_ARGS_JSON}
+ - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
+ - PAPERLESS_SOCIALACCOUNT_PROVIDERS=${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
+ - PAPERLESS_CSRF_TRUSTED_ORIGINS=https://paperless.home.florianzirker.de,https://auth.home.florianzirker.de
 labels:
 - "docker.group=paperless"
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index c155caf..a245a03 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
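Review bot: `user: root` on authentik-worker is no longer justified once the `/var/run/docker.sock` mount directly below it is commented out — that socket is what the root user was needed for, so the worker can run as the image's default unprivileged user. Either drop the `user: root` line or move it into the same comment as the socket mount so the two are re-enabled together rather than leaving a root container with no reason for it. The `${VOLUMES_PATH}/auth/certs:/certs` mount on the worker is presumably for externally managed certificates; a one-line comment naming what writes to it would help, since nothing else in this file does.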
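Review bot: `PAPERLESS_CSRF_TRUSTED_ORIGINS` hard-codes `paperless.home.florianzirker.de` and `auth.home.florianzirker.de` while the rest of this repository derives hostnames from `${DOMAIN}` (see the Caddyfile and proxy compose in this same commit), so a domain change will silently break CSRF checks on the OIDC callback. If `DOMAIN` is available in this stack's env file, `- PAPERLESS_CSRF_TRUSTED_ORIGINS=https://paperless.${DOMAIN},https://auth.${DOMAIN}` keeps it in one place. `PAPERLESS_SOCIALACCOUNT_PROVIDERS` is the right way to pass the provider config since the value carries the OIDC client credentials, but a short comment saying that it is JSON and must stay in the untracked env file would save the next reader a trip to the Paperless docs.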
@@ -1,18 +1,112 @@ { - auto_https disable_redirects - local_certs - pki { - ca local { - name "{$LOCAL_CA_NAME}" - } - } + email {env.EMAIL} log default { output stdout format console } + auto_https disable_redirects } -(errorhandler) { +(proxy-auth) { + reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000 + forward_auth http://authentik-server:9000 { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version + trusted_proxies private_ranges + } +} + +http://*.{$DOMAIN} { + redir https://{labels.3}.{$DOMAIN}{uri} permanent +} + +http://*.{$OLD_DOMAIN} { + redir https://{labels.1}.{$DOMAIN}{uri} permanent +} + +*.{$DOMAIN} { + tls { + dns netcup { + customer_number {env.NETCUP_CUSTOMER_NUMBER} + api_key {env.NETCUP_API_KEY} + api_password {env.NETCUP_API_PASSWORD} + } + propagation_timeout 900s + propagation_delay 600s + resolvers 9.9.9.9 + } + #header Strict-Transport-Security "max-age=63072000" + + @whoami host whoami.{$DOMAIN} + handle @whoami { + route { + import proxy-auth + reverse_proxy whoami:80 + } + } + + @dashboard host dashboard.{$DOMAIN} + handle @dashboard { + reverse_proxy homer:8080 + } + + @hassi host hassi.{$DOMAIN} + handle @hassi { + reverse_proxy homeassistant:8123 + } + + @zigbee2mqtt host zigbee2mqtt.{$DOMAIN} + handle @zigbee2mqtt { + route { + import proxy-auth + reverse_proxy zigbee2mqtt:8080 + } + } + + @jellyfin host jellyfin.{$DOMAIN} + handle @jellyfin { + reverse_proxy jellyfin:8096 + } + + @paperless host paperless.{$DOMAIN} + handle @paperless { + reverse_proxy paperless-ngx:8000 + } + + @download host download.{$DOMAIN} + handle @download { + route { + import proxy-auth + reverse_proxy pyload:8000 + } + } + + @uptime host uptime.{$DOMAIN} + handle @uptime { + route { + 
import proxy-auth + reverse_proxy uptime-kuma:3001 + } + } + + @torrent host torrent.{$DOMAIN} + handle @torrent { + route { + import proxy-auth + reverse_proxy transmission:9091 + } + } + + @auth host auth.{$DOMAIN} + handle @auth { + reverse_proxy authentik-server:9000 + } + + # Fallback unhandled (sub)domains + handle { + error 404 + } + handle_errors { root * /usr/share/caddy/web rewrite * /error.html @@ -22,65 +116,3 @@ } } } - -(localtls) { - tls internal -} - -whoami.{$DOMAIN} http://whoami.{$DOMAIN} { - reverse_proxy whoami:80 - import errorhandler -} - -dashboard.{$DOMAIN} http://dashboard.{$DOMAIN} { - reverse_proxy homer:8080 - import errorhandler -} - -hassi.{$DOMAIN} http://hassi.{$DOMAIN} { - # reverse_proxy homeassistant:8123 - reverse_proxy {host}:8123 - import errorhandler -} - -zigbee2mqtt.{$DOMAIN} http://zigbee2mqtt.{$DOMAIN} { - reverse_proxy zigbee2mqtt:8080 - import errorhandler -} - -jellyfin.{$DOMAIN} http://jellyfin.{$DOMAIN} { - reverse_proxy jellyfin:8096 - import errorhandler -} - -paperless.{$DOMAIN} http://paperless.{$DOMAIN} { - reverse_proxy paperless-ngx:8000 - import errorhandler -} - -download.{$DOMAIN} http://download.{$DOMAIN} { - reverse_proxy pyload:8000 - import errorhandler -} - -uptime.{$DOMAIN} http://uptime.{$DOMAIN} { - reverse_proxy uptime-kuma:3001 - import errorhandler -} - -torrent.{$DOMAIN} http://torrent.{$DOMAIN} { - reverse_proxy transmission:9091 - import errorhandler -} - -root-ca.{$DOMAIN} http://root-ca.{$DOMAIN} { - file_server * { - root /usr/share/caddy/web - hide .git Readme.md - } - file_server /root.crt { - root /data/caddy/pki/authorities/local/ - hide *.key - } - import errorhandler -} diff --git a/proxy/Dockerfile b/proxy/Dockerfile new file mode 100644 index 0000000..7223e84 --- /dev/null +++ b/proxy/Dockerfile @@ -0,0 +1,7 @@ +FROM caddy:2-builder AS builder + +RUN xcaddy build --with github.com/caddy-dns/netcup + +FROM caddy:2 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy 
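Review bot: The `copy_headers` line in the `(proxy-auth)` snippet forwards the full set of `X-Authentik-*` headers, including `X-Authentik-Jwt` and `X-Authentik-Meta-Jwks`, to every upstream that imports it (whoami, zigbee2mqtt, pyload, uptime-kuma, transmission), although none of those visibly consume an identity token; trimming the list to the headers a backend actually reads keeps the user's JWT from reaching services that have no use for it. The `{labels.3}` and `{labels.1}` indexes in the two `http://` redirect sites are tied to the label depth of `DOMAIN` and `OLD_DOMAIN` respectively and will produce wrong hosts if either variable changes shape; a comment such as `# labels.N picks the leftmost label for a DOMAIN with N labels` above each `redir` would make that dependency explicit. The commented-out `Strict-Transport-Security` header is worth a one-line note on why it is disabled, since the HTTP→HTTPS redirects added here are exactly the setup HSTS is meant to back up.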
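Review bot: Both stages use floating tags (`caddy:2-builder`, `caddy:2`) and `xcaddy build --with github.com/caddy-dns/netcup` pulls whatever the module's latest revision is at build time, so two builds of this Dockerfile are not guaranteed to produce the same binary — and this is the component that holds the DNS API credentials. Pin the module, e.g. `RUN xcaddy build --with github.com/caddy-dns/netcup@<pinned-version>`, and pin the base images to a minor version (or a digest) in line with how the compose files pin `${..._VERSION}` for every other image.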
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index 2870b0b..c6e63dd 100644
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
 caddy:
- image: caddy:2
+ build: ./
 restart: unless-stopped
 ports:
 - 80:80
@@ -16,7 +16,12 @@ services:
 - web
 environment:
 - DOMAIN=${DOMAIN}
+ - OLD_DOMAIN=${OLD_DOMAIN}
 - LOCAL_CA_NAME=${LOCAL_CA_NAME}
+ - NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER}
+ - NETCUP_API_KEY=${NETCUP_API_KEY}
+ - NETCUP_API_PASSWORD=${NETCUP_API_PASSWORD}
+ - EMAIL=${LETSENCRYPT_MAIL}
 cap_add:
 - cap_net_bind_service
@@ -33,6 +38,4 @@ services:
 networks:
 web:
 external: true
- dockersocket:
- external: true
diff --git a/proxy/web/error.html b/proxy/web/error.html
new file mode 100644
index 0000000..7a72d86
--- /dev/null
+++ b/proxy/web/error.html
@@ -0,0 +1,35 @@ + + + + + + Fehler + + + + + 
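Review bot: `LOCAL_CA_NAME=${LOCAL_CA_NAME}` is now dead configuration — the `pki { ca local { name "{$LOCAL_CA_NAME}" } }` block that consumed it is removed from the Caddyfile in this same commit, so the variable should be dropped here (and from the env file) rather than kept between the new Netcup entries. The Netcup API key and password are passed as plain `environment:` entries, which makes them visible to anyone who can run `docker inspect` on the host; that is acceptable for a single-admin box, but a comment noting that the env file holds DNS-control credentials and must not be committed would be appropriate. The enclosing `caddy:` service starts before the second hunk.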

{{placeholder "http.error.status_code"}}

+ + {{placeholder "http.error.status_text"}} + + + + + + diff --git a/proxy/web/index.html b/proxy/web/index.html index 76a3485..2f9cb5e 100644 --- a/proxy/web/index.html +++ b/proxy/web/index.html @@ -37,7 +37,7 @@
  • Um das CA-Certifikat in den Linux-Truststore zu installieren führen Sie folgende Befehle aus: -
    curl -o caddy-root-ca.crt http://example.lan/root.crt
    +         
    curl -o caddy-root-ca.crt http://example.home.florianzirker.de/root.crt
     sudo mkdir -p /usr/local/share/ca-certificates/extra
     sudo cp caddy-root-ca.crt /usr/local/share/ca-certificates/extra/
     sudo update-ca-certificates
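Review bot: These instructions are now stale rather than merely re-pointed: the Caddyfile hunk in this same commit deletes the `root-ca.{$DOMAIN}` site that served `/root.crt` from `/data/caddy/pki/authorities/local/`, and the local CA itself is replaced by ACME certificates (`email {env.EMAIL}`, `dns netcup`), so `curl -o caddy-root-ca.crt http://example.home.florianzirker.de/root.crt` will hit the 404 fallback. Telling users to `sudo cp` a certificate fetched over plain `http://` into `/usr/local/share/ca-certificates/` and run `update-ca-certificates` is also the kind of instruction that should be removed once it is no longer needed, since it trains people to trust an unauthenticated download. Suggest deleting this section of the page or replacing it with a sentence that the certificates are publicly trusted and no CA install is required.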
    diff --git a/smartHome/docker-compose.yaml b/smartHome/docker-compose.yaml
    index 026778b..4a27a1b 100644
    --- a/smartHome/docker-compose.yaml
    +++ b/smartHome/docker-compose.yaml
    @@ -8,11 +8,13 @@ services:
         environment:
           - TZ=Europe/Berlin
         restart: unless-stopped
    -    network_mode: host
    +    #network_mode: host
    +    networks:
    +       - web
    +       - smarthome
         labels:
           - "docker.group=smartHome"
     
    -
       mqttbroker:
         image: eclipse-mosquitto:${MOSQUITTO_VERSION}
         restart: unless-stopped
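Review bot: The new `networks:` list uses a seven-space indent for `- web` / `- smarthome` while every other sequence in this file (e.g. `- TZ=Europe/Berlin`, the `db` service's `- smarthome` further down) uses six; it parses, but yamllint's `indentation` rule will flag it and the file now mixes two sequence styles. Prefer `      - web` / `      - smarthome`, and drop the `#network_mode: host` line rather than leaving it commented — if the switch is reverted later, git history has it. Moving this service off host networking behind Caddy presumably means it now sees the proxy's address as the client; if it has its own trusted-proxy setting, it will need the `web` network's range, but that is outside this file. The enclosing service definition starts before the hunk.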
    @@ -28,7 +30,6 @@ services:
         labels:
           - "docker.group=smartHome"
     
    -
       zigbee2mqtt:
         restart: unless-stopped
         image: koenkk/zigbee2mqtt
    @@ -45,6 +46,26 @@ services:
         labels:
           - "docker.group=smartHome"
     
    +  db:
    +    image: postgres:${POSTGRES_VERSION}
    +    restart: unless-stopped
    +    networks:
    +      - smarthome
    +    volumes:
    +      - ${VOLUMES_PATH}/smartHome/postgres:/var/lib/postgresql/data
    +    environment:
    +      - POSTGRES_DB=${POSTGRES_DB}
    +      - POSTGRES_USER=${POSTGRES_USER}
    +      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    +    healthcheck:
    +      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
    +      start_period: 20s
    +      interval: 30s
    +      retries: 5
    +      timeout: 5s
    +    labels:
    +      - "docker.group=smartHome"
    +
     
     networks:
       web:
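Review bot: The new `db` service gets a proper `healthcheck`, but nothing in this file declares `depends_on: db: condition: service_healthy`, so the check only reports status and does not gate whichever service is meant to use the database; add the `depends_on` on the consumer (not visible in this hunk) in the same form the auth stack uses for `postgresql`. Keeping `db` on `smarthome` only, off `web`, is the right isolation. The added `+` blank line immediately before the existing blank line leaves two consecutive empty lines ahead of `networks:`; one is enough.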
    diff --git a/start-all.sh b/start-all.sh
    index 8010786..69b5585 100755
    --- a/start-all.sh
    +++ b/start-all.sh
    @@ -6,6 +6,7 @@ function up {
     }
     
     up proxy;
    +up auth;
     up monitoring;
     up smartHome;
     up dashboard;
    diff --git a/tools/docker-compose.yml b/tools/docker-compose.yml
    new file mode 100644
    index 0000000..53592e1
    --- /dev/null
    +++ b/tools/docker-compose.yml
    @@ -0,0 +1,28 @@
    +services:
    +
    +  stirling-pdf:
    +    image: frooodle/s-pdf:latest
    +    # ports:
    +    #   - '8080:8080'
    +    networks:
    +      - web
    +    volumes:
    +      - ${VOLUMES_PATH}/tools/stirling-pdf/trainingData:/usr/share/tesseract-ocr/5/tessdata #Required for extra OCR languages
    +      - ${VOLUMES_PATH}/tools/stirling-pdf/extraConfigs:/configs
    +#      - ${VOLUMES_PATH}/tools/stirling-pdf/customFiles:/customFiles/
    +#      - ${VOLUMES_PATH}/tools/stirling-pdf/logs:/logs/
    +    environment:
    +      - DOCKER_ENABLE_SECURITY=false
    +    labels:
    +      - "traefik.enable=true"
    +      - "traefik.http.routers.pdf.rule=Host(`pdf.${DOMAIN}`)"
    +      - "traefik.http.routers.pdf.entrypoints=web"
    +      - "traefik.http.services.pdf.loadbalancer.server.port=8080"
    +      - "traefik.docker.network=web"
    +      - "docker.group=tools"
    +
    +networks:
    +  paperless:
    +  web:
    +    external: true
    +
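Review bot: `DOCKER_ENABLE_SECURITY=false` disables Stirling-PDF's own login, and the only routing hints for it are `traefik.*` labels, whereas this repository's proxy is the Caddyfile in `proxy/`, which has no `@pdf host pdf.{$DOMAIN}` handler — so today the service is unreachable through the proxy (it falls into the `error 404` fallback), and the day a Caddy handler is added it will be exposed with no authentication unless that handler wraps it in `route { import proxy-auth ... }` like the other unauthenticated-by-design apps. Either add the Caddy handler with `proxy-auth` in this commit or leave a comment here stating that the app must only be published behind forward auth. Separately, `image: frooodle/s-pdf:latest` is the only unpinned image in the repository (everything else uses `${..._VERSION}`), and the `paperless:` entry under `networks:` is declared but used by no service here.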
    diff --git a/torrent/docker-compose.yaml b/torrent/docker-compose.yaml
    index f5b6923..72d8c9b 100644
    --- a/torrent/docker-compose.yaml
    +++ b/torrent/docker-compose.yaml
    @@ -4,8 +4,6 @@ services:
         image: lscr.io/linuxserver/transmission:${TRANSMISSION_VERSION}
         environment:
           - TZ=Etc/UTC
    -      - USER=${USERNAME}
    -      - PASS=${PASSWORD}
         volumes:
           - ${VOLUMES_PATH}/torrent/transmission:/config
           - ${DOWNLOAD_PATH}:/downloads
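Review bot: Removing `USER`/`PASS` leaves transmission's RPC interface with no authentication of its own, so the `import proxy-auth` in the Caddyfile's `@torrent` handler becomes the single gate; any container that shares a docker network with this service (the service's `networks:` are not in the hunk) can reach `transmission:9091` directly without going through Caddy. If that is the intended trade-off, a comment such as `# RPC auth is enforced by the proxy's forward_auth; keep this service off shared networks` would record it, and `USERNAME`/`PASSWORD` can be dropped from the env file since nothing reads them now.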