diff --git a/options/default.nix b/options/default.nix
index 94cc523..f9e506b 100644
--- a/options/default.nix
+++ b/options/default.nix
@@ -20,6 +20,14 @@
     fullName = lib.mkOption {
       type = lib.types.str;
     };
+    uid = lib.mkOption {
+      type = lib.types.int;
+      default = 1000;
+    };
+    gid = lib.mkOption {
+      type = lib.types.int;
+      default = 100;
+    };
     getty.autoLogin = lib.mkEnableOption "auto-login to getty";
   };
diff --git a/options/podman.nix b/options/podman.nix
index 3f005f3..2a7b63c 100644
--- a/options/podman.nix
+++ b/options/podman.nix
@@ -2,5 +2,9 @@
 {
   options.profile.podman = {
     enable = lib.mkEnableOption "podman";
+    caddy.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
   };
 }
diff --git a/system/podman/caddy.nix b/system/podman/caddy.nix
new file mode 100644
index 0000000..6423583
--- /dev/null
+++ b/system/podman/caddy.nix
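Review bot: The new `uid` and `gid` options carry no `description`, and nothing in this commit consumes `gid` or ties `uid` to the real account (`users.users.<name>.uid`), so the `1000`/`100` defaults record an assumption rather than enforce it; the same missing description applies to `caddy.enable` in options/podman.nix. A one-line `description = "Numeric uid of the profile user; must match users.users.<name>.uid because it is used to locate /run/user/<uid>";` on `uid` would make that coupling visible to whoever changes the account later. If the account uid is already derived from this option in a file outside the diff, only the documentation half of this applies.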
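Review bot: `caddy.enable` defaults to `true`, so merely enabling the podman profile now also publishes ports 80/443 and mounts the podman socket into a third-party container (system/podman/caddy.nix) without an explicit opt-in. If the default is intentional, `caddy.enable = lib.mkEnableOption "caddy reverse proxy" // { default = true; };` keeps the documented-option form consistent with `enable` above it; otherwise dropping `default = true` makes the proxy opt-in like the rest of the profile.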
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+let
+  user = config.profile.user;
+  podman = config.profile.podman;
+  cache = "/home/${user.name}/.cache/podman/caddy";
+in
+{
+  config = lib.mkIf (podman.enable && podman.caddy.enable) {
+    system.activationScripts.podman-caddy = ''
+      mkdir -p ${cache}
+      chown -R ${config.profile.user.name} ${cache}
+    '';
+    # https://fictionbecomesfact.com/caddy-container
+    systemd.services.create-caddy-network = with config.virtualisation.oci-containers; {
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "${backend}-caddy.service" ];
+      script = ''${pkgs.podman}/bin/podman network exists caddy || ${pkgs.podman}/bin/podman network create caddy'';
+    };
+    virtualisation.oci-containers.containers = {
+      caddy = {
+        image = "lucaslorentz/caddy-docker-proxy:ci-alpine";
+        environment = {
+          TZ = "Asia/Jakarta";
+        };
+        ports = [ "80:80" "443:443" ];
+        autoStart = true;
+        volumes = [
+          "/run/user/${toString(user.uid)}/podman/podman.sock:/var/run/docker.sock:z"
+          "${cache}:/data"
+        ];
+        extraOptions = [
+          "--network=caddy"
+        ];
+        labels = {
+          "caddy" = "cockpit.tigor.web.id";
+          "caddy.reverse_proxy" = "hosts.container.internal:9090";
+        };
+      };
+    };
+  };
+}
diff --git a/system/podman/default.nix b/system/podman/default.nix
index 7f0798c..8e9b51e 100644
--- a/system/podman/default.nix
+++ b/system/podman/default.nix
@@ -10,11 +10,23 @@ in
       podman-compose # start group of containers for dev
     ];
+    virtualisation.containers.enable = true;
+    virtualisation.oci-containers.backend = "podman";
     virtualisation.podman = {
       enable = true;
       dockerSocket.enable = true;
       autoPrune.enable = true; # Default weekly
       dockerCompat = true;
+      defaultNetwork.settings.dns_enabled = true;
+    };
+    # https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
+    networking.firewall.interfaces.podman1 = {
+      allowedUDPPorts = [ 53 ]; # this needs to be there so that containers can look eachother's names up over DNS
     };
   };
+
+
+  imports = [
+    ./caddy.nix
+  ];
 }
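Review bot: The first `volumes` entry hands the proxy the user's podman socket as `/var/run/docker.sock`, which gives whatever runs in that image the same control over podman as the user, while `image` is pinned only to the mutable `ci-alpine` tag; at minimum pin by digest, `image = "lucaslorentz/caddy-docker-proxy:ci-alpine@sha256:<digest-of-reviewed-image>";`, so a moved tag cannot silently change what receives that socket. The socket path is built from `user.uid`, whose `1000` default is not wired to the real account anywhere in this commit, and `/run/user/<uid>` presumably exists only while that user has a session or lingering enabled, whereas the container is started by a system unit; worth a comment on the volume line stating both preconditions. The label value `hosts.container.internal:9090` looks like a typo for podman's host alias `host.containers.internal`; confirm against the proxy's upstream errors. The activation script also runs `chown -R` as root on every switch; `systemd.tmpfiles.rules = [ "d ${cache} 0750 ${user.name} - -" ];` would create the directory once with an explicit mode instead.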
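Review bot: The firewall exception is keyed to the interface name `podman1`, which is inferred rather than declared: the `caddy` network is created at runtime by caddy.nix and which bridge name it gets depends on creation order, so a change there would silently close UDP 53 again. Creating the network with an explicit `--interface-name` and keying the rule to that name would pin it; either way the comment should say which network the rule serves, e.g. `# DNS for the "caddy" bridge created in ./caddy.nix; verify the name with podman network inspect caddy`. As a style point, `imports = [ ./caddy.nix ];` sits after the `config` block behind two blank lines; NixOS modules conventionally list `imports` first. The enclosing `config = lib.mkIf ... {` attrset starts outside the hunk.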