diff --git a/hosts.yml b/hosts.yml
index aa2fbbf..322afd3 100755
--- a/hosts.yml
+++ b/hosts.yml
@@ -1,4 +1,8 @@
 ---
+# Homelab IP addressing scheme/convention
+# 10.89.0.1x-2x for low level hosts (proxmox servers, NAS, etc)
+# 10.89.0.3x for proxies (caddy-proxy-external, caddy-proxy-internal, etc)
+# 10.89.0.1xx for VMs running the actual apps I host
 all:
 children:
 servers:
@@ -9,6 +13,12 @@ all:
 ansible_host: 10.89.0.12
 nas:
 ansible_host: 10.89.0.15
+ proxies:
+ hosts:
+ caddy_internal:
+ ansible_host: 10.89.0.30
+ caddy_external:
+ ansible_host: 10.89.0.31
 vms:
 hosts:
 portainer_main:
diff --git a/playbooks/nodes/apps.yml b/playbooks/nodes/apps.yml
index fafbd8a..8620dbe 100644
--- a/playbooks/nodes/apps.yml
+++ b/playbooks/nodes/apps.yml
@@ -17,4 +17,15 @@
 port: 7073
 - role: apps/tianji
 vars:
- port: 7074
\ No newline at end of file
+ port: 7074
+ - role: apps/stirling-pdf
+ vars:
+ port: 7075
+ - role: apps/dumbware-todo
+ vars:
+ port: 7076
+ pin: 8989
+ - role: apps/dumbware-drop
+ vars:
+ port: 7077
+ pin: "8989"
\ No newline at end of file
diff --git a/playbooks/proxy/external.yml b/playbooks/proxy/external.yml
new file mode 100644
index 0000000..496f4b9
--- /dev/null
+++ b/playbooks/proxy/external.yml
@@ -0,0 +1,33 @@
+---
+- name: Set up the reverse proxy for internal only services
+ hosts: caddy_external
+ become: true
+ roles:
+ - role: caddy/install
+ - role: caddy/proxy
+ vars:
+ domains:
+ - name: "thatshit.live"
+ sites:
+ - name: "whale"
+ host: 10.89.0.101
+ port: 9443
+ https: true
+ transport_opts:
+ - tls_insecure_skip_verify
+ - name: "blinker.club"
+ sites:
+ - name: "whale"
+ host: 10.89.0.101
+ port: 9443
+ https: true
+ transport_opts:
+ - tls_insecure_skip_verify
+ - name: "thegrind.dev"
+ sites:
+ - name: "whale"
+ host: 10.89.0.101
+ port: 9443
+ https: true
+ transport_opts:
+ - tls_insecure_skip_verify
\ No newline at end of file
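Review bot: The two new `pin` values in playbooks/nodes/apps.yml are typed inconsistently — `pin: 8989` under apps/dumbware-todo is parsed as an integer while `pin: "8989"` under apps/dumbware-drop stays a string — and an integer PIN with a leading zero would silently lose it; quote both as `pin: "8989"`. These PINs gate access to the two apps, and this same commit vaults `cloudflare_api_key` in roles/caddy/proxy/defaults, so the PINs deserve the same `!vault` treatment rather than living in plaintext in a playbook. The play this role list belongs to starts outside the hunk.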
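Review bot: The play name on the second line of playbooks/proxy/external.yml says "internal only services" while `hosts: caddy_external` targets the external proxy and the three domains are public; it looks copied from internal.yml, so rename it, e.g. `- name: Set up the reverse proxy for externally exposed services`, so task listings and logs are not misleading. The three `domains` entries are byte-identical apart from `name` (same `whale` site, same backend 10.89.0.101:9443, same transport option), which invites drift when the backend changes; a short comment stating that all three are aliases of one backend, or a loop on the template side, would make that explicit.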
diff --git a/playbooks/proxy/internal.yml b/playbooks/proxy/internal.yml
new file mode 100644
index 0000000..145622e
--- /dev/null
+++ b/playbooks/proxy/internal.yml
@@ -0,0 +1,45 @@
+---
+- name: Set up the reverse proxy for internal only services
+ hosts: caddy_internal
+ become: true
+ roles:
+ - role: caddy/install
+ - role: caddy/proxy
+ vars:
+ domains:
+ - name: "lan.thegrind.dev"
+ sites:
+ - name: "whale"
+ host: 10.89.0.101
+ port: 9443
+ https: true
+ transport_opts:
+ - tls_insecure_skip_verify
+ - name: "router"
+ host: 10.89.0.1
+ port: 8989
+ - name: "adguard"
+ host: 10.89.0.1
+ port: 3000
+ - name: "nas"
+ host: 10.89.0.15
+ port: 80
+ - name: "streaming"
+ host: 10.89.0.106
+ port: 10000
+ https: true
+ transport_opts:
+ - tls_insecure_skip_verify
+ - name: "stash"
+ host: 10.89.0.106
+ port: 6969
+ - name: "node1"
+ host: 10.89.0.13
+ port: 8006
+ transport_opts:
+ - tls_insecure_skip_verify
+ - name: "node3"
+ host: 10.89.0.12
+ port: 8006
+ transport_opts:
+ - tls_insecure_skip_verify
\ No newline at end of file
diff --git a/playbooks/server/base.yml b/playbooks/server/base.yml
index e477d6f..54c8035 100755
--- a/playbooks/server/base.yml
+++ b/playbooks/server/base.yml
@@ -1,5 +1,5 @@
 ---
-- name: Set up a new virtual machine
+- name: set up a new virtual machine
 hosts: vms
 become: true
 roles:
diff --git a/roles/apps/dumbware-drop/defaults/main.yml b/roles/apps/dumbware-drop/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/dumbware-drop/tasks/main.yml b/roles/apps/dumbware-drop/tasks/main.yml
new file mode 100644
index 0000000..7330564
--- /dev/null
+++ b/roles/apps/dumbware-drop/tasks/main.yml
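Review bot: Four of the nine sites in playbooks/proxy/internal.yml pass `tls_insecure_skip_verify` to the backend transport, so the LAN proxy accepts any certificate from 10.89.0.101, 10.89.0.106, 10.89.0.13 and 10.89.0.12 and has no way to tell a substituted host from the real one. Because `transport_opts` is copied verbatim into the Caddyfile, the same list can carry a pinning option once the backend's certificate or CA is available on the proxy host — e.g. `- tls_trusted_ca_certs /etc/caddy/proxmox-ca.pem` for the two Proxmox nodes — and at minimum a comment on each such site stating that the backend is self-signed and why verification is off would tell the next reader this was deliberate.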
@@ -0,0 +1,22 @@
+- name: Create the data dir on network drive
+ ansible.builtin.include_role:
+ role: docker/container-data
+ vars:
+ dir_name: "dw-drop"
+
+- name: Create dumbware-drop container
+ community.docker.docker_container:
+ name: dw-drop
+ image: dumbwareio/dumbdrop:latest
+ pull: true
+ state: started
+ restart_policy: always
+ ports:
+ - "{{ port }}:3000"
+ volumes:
+ - /home/docker/container-data/dw-drop:/app/uploads
+ env:
+ DUMBDROP_TITLE: "Share a file with Javi"
+ DUMBDROP_PIN: "{{ pin }}"
+ MAX_FILE_SIZE: "10240" # 10GB
+ LOCAL_UPLOAD_DIR: /app/uploads
diff --git a/roles/apps/dumbware-todo/defaults/main.yml b/roles/apps/dumbware-todo/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/dumbware-todo/tasks/main.yml b/roles/apps/dumbware-todo/tasks/main.yml
new file mode 100644
index 0000000..79ca9e0
--- /dev/null
+++ b/roles/apps/dumbware-todo/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Create data folder
+ ansible.builtin.file:
+ path: /home/docker/dw-todo
+ state: directory
+ mode: '0777'
+
+- name: Create dw-todo container
+ community.docker.docker_container:
+ name: dw-todo
+ image: dumbwareio/dumbdo:latest
+ pull: true
+ state: started
+ restart_policy: unless-stopped
+ ports:
+ - "{{ port }}:3000"
+ volumes:
+ - /home/docker/dw-todo:/app/data
+ env:
+ DUMBDO_SITE_TITLE="Javi's Daily TO-DO"
+ DUMBDO_PIN="{{ pin }}"
\ No newline at end of file
diff --git a/roles/apps/stirling-pdf/defaults/main.yml b/roles/apps/stirling-pdf/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/stirling-pdf/tasks/main.yml b/roles/apps/stirling-pdf/tasks/main.yml
new file mode 100644
index 0000000..3b90f39
--- /dev/null
+++ b/roles/apps/stirling-pdf/tasks/main.yml
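Review bot: `restart_policy: always` on the dw-drop container differs from the `unless-stopped` used by the sibling dw-todo role in this same commit, and `always` also brings back a container an operator stopped on purpose; `restart_policy: unless-stopped` keeps the two roles consistent. The `# 10GB` comment next to `MAX_FILE_SIZE: "10240"` does not say which unit the application reads the value in, so a reader cannot check the arithmetic; once confirmed against the image's documentation, state it, e.g. `# MAX_FILE_SIZE is read in MB; 10240 MB ≈ 10 GiB`.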
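Review bot: The two entries under `env:` in roles/apps/dumbware-todo/tasks/main.yml are written as `KEY=value` shell syntax rather than YAML mapping entries, so YAML folds them into a single plain scalar instead of the dict community.docker.docker_container expects; Ansible may still coerce a `k=v` string into a dict, but as far as I can tell the surrounding double quotes then remain part of the values, so the PIN would be compared against `"8989"` with the quote characters included. Write them as mapping keys: `DUMBDO_SITE_TITLE: "Javi's Daily TO-DO"` and `DUMBDO_PIN: "{{ pin }}"`. The same `KEY=value` form appears under `env:` in roles/apps/stirling-pdf/tasks/main.yml. Separately, `mode: '0777'` on /home/docker/dw-todo makes the data directory world-writable on the host; `'0755'` owned by the UID the container runs as, or the docker/container-data role the other two new roles use, is tighter.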
@@ -0,0 +1,21 @@
+- name: Create the data dir on network drive
+ ansible.builtin.include_role:
+ role: docker/container-data
+ vars:
+ dir_name: "stirlingpdf-data"
+
+- name: Make stirlingPDF container
+ community.docker.docker_container:
+ name: stirling-pdf
+ image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
+ ports:
+ - "{{ port }}:8080"
+ volumes:
+ - /home/docker/container-data/stirlingpdf-data/trainingData:/usr/share/tessdata # Required for extra OCR languages
+ - /home/docker/container-data/stirlingpdf-data/extraConfigs:/configs
+ - /home/docker/container-data/stirlingpdf-data/customFiles:/customFiles/
+ - /home/docker/container-data/stirlingpdf-data/logs:/logs/
+ - /home/docker/container-data/stirlingpdf-data/pipeline:/pipeline/
+ env:
+ DOCKER_ENABLE_SECURITY=false
+ LANGS=en_GB
\ No newline at end of file
diff --git a/roles/caddy/install/defaults/main.yml b/roles/caddy/install/defaults/main.yml
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/roles/caddy/install/defaults/main.yml
@@ -0,0 +1 @@
+
diff --git a/roles/caddy/install/tasks/main.yml b/roles/caddy/install/tasks/main.yml
new file mode 100644
index 0000000..a6d0f5d
--- /dev/null
+++ b/roles/caddy/install/tasks/main.yml
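Review bot: The stirling-pdf container has no `restart_policy`, unlike the dw-drop and dw-todo containers in this commit, so it stays down after a host reboot or a crash; add `restart_policy: unless-stopped` (and `pull: true` if `:latest` should be refreshed on each run like the siblings). `DOCKER_ENABLE_SECURITY=false` switches off the application's own login as I understand that setting, which is a reasonable choice for a LAN-only app but deserves a comment such as `# app login disabled on purpose: reachable only from the LAN on port {{ port }}` so the intent survives the next edit.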
@@ -0,0 +1,78 @@
+- name: Install dependencies
+ apt:
+ name: apt-transport-https
+ state: present
+ update_cache: true
+
+- name: Download and install XCaddy GPG key
+ ansible.builtin.shell:
+ cmd: >
+ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' |
+ gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
+ args:
+ creates: /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
+ become: true
+
+- name: Add XCaddy repository list
+ ansible.builtin.get_url:
+ url: https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt
+ dest: /etc/apt/sources.list.d/caddy-xcaddy.list
+ mode: '0644'
+ force: true
+
+- name: Update apt cache
+ ansible.builtin.apt:
+ update_cache: true
+
+- name: Install xcaddy
+ ansible.builtin.apt:
+ name: xcaddy
+ state: present
+
+- name: Build Caddy with Cloudflare DNS plugin
+ ansible.builtin.shell: |
+ xcaddy build \
+ --with github.com/caddy-dns/cloudflare \
+ --output /usr/local/bin/caddy
+ args:
+ creates: /usr/local/bin/caddy
+
+- name: Create systemd service for custom Caddy binary
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/caddy.service
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ [Unit]
+ Description=Caddy
+
+ [Service]
+ User=root
+ Group=root
+ ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
+ TimeoutStopSec=5s
+ LimitNOFILE=1048576
+ Restart=on-failure
+
+ [Install]
+ WantedBy=multi-user.target
+
+- name: Unmask Caddy service
+ ansible.builtin.systemd:
+ name: caddy
+ masked: false
+
+- name: Allow Caddy to bind to ports <1024
+ command: setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
+
+- name: Reload systemd to pick up caddy.service changes
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: Enable and start Caddy service
+ ansible.builtin.systemd:
+ name: caddy
+ enabled: true
+ state: started
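Review bot: The unit file written by the copy task runs Caddy as `User=root` / `Group=root`, which makes the later `setcap 'cap_net_bind_service=+ep'` task redundant and leaves an internet-facing TLS terminator with full root on the proxy host; a dedicated system user plus the existing setcap is the usual arrangement, and the root-owned Caddyfile at 0644 stays readable to it. Caddy keeps its certificates and ACME state under the running user's data directory as far as I recall, so that user needs a writable home. The `command: setcap` task also reports changed on every run; add `changed_when: false` or use community.general.capabilities. The build step is guarded by `creates: /usr/local/bin/caddy`, so a plugin update never triggers a rebuild — fine if intended, but worth a comment on that task.

```yaml
- name: Create a dedicated system user for Caddy
  ansible.builtin.user:
    name: caddy
    system: true
    shell: /usr/sbin/nologin
    home: /var/lib/caddy
    create_home: true

# … unchanged: xcaddy build task and the copy task up to the [Service] section …
      [Service]
      User=caddy
      Group=caddy
# … unchanged: ExecStart, ExecReload and the rest of the unit …
```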
diff --git a/roles/caddy/proxy/defaults/main.yml b/roles/caddy/proxy/defaults/main.yml
new file mode 100644
index 0000000..099e02f
--- /dev/null
+++ b/roles/caddy/proxy/defaults/main.yml
@@ -0,0 +1,8 @@
+cloudflare_api_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34356665643335356136633736363963383562366164613637363437636435343835303966356331
+ 3463343766623264393037333638386534306164393430610a396533613235313030623834646466
+ 31313662653435656663663361646261626130376632323163626232616331663239623236366264
+ 6632626166623131380a333935646530396362363833383164386234653834323462386563373132
+ 66643138663062346237646236333934306434633837643738343137623934626132376230316138
+ 3237633130343862376332633565373631313736366431316232
\ No newline at end of file
diff --git a/roles/caddy/proxy/tasks/main.yml b/roles/caddy/proxy/tasks/main.yml
new file mode 100644
index 0000000..65dd788
--- /dev/null
+++ b/roles/caddy/proxy/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: Generate Caddyfile from template
+ template:
+ src: Caddyfile.j2
+ dest: /etc/caddy/Caddyfile
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Reload Caddy
+ ansible.builtin.systemd:
+ name: caddy
+ state: reloaded
\ No newline at end of file
diff --git a/roles/caddy/proxy/templates/Caddyfile.j2 b/roles/caddy/proxy/templates/Caddyfile.j2
new file mode 100644
index 0000000..8fb31b5
--- /dev/null
+++ b/roles/caddy/proxy/templates/Caddyfile.j2
@@ -0,0 +1,23 @@
+{% for domain in domains %}
+{% set base_domain = domain.name.lstrip('*.') %}
+*.{{ base_domain }} {
+ tls {
+ issuer acme {
+ dns cloudflare {{ cloudflare_api_key }}
+ }
+ }
+
+ {% for site in domain.sites %}
+ @{{ site.name }} host {{ site.name }}.{{ base_domain }}
+ handle @{{ site.name }} {
+ reverse_proxy {{ site.host }}:{{ site.port }} {
+ transport http {
+ {% for opt in (site.transport_opts | default([])) %}
+ {{ opt }}
+ {% endfor %}
+ }
+ }
+ }
+ {% endfor %}
+}
+{% endfor %}
\ No newline at end of file
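Review bot: The rendered /etc/caddy/Caddyfile contains `cloudflare_api_key` in cleartext (Caddyfile.j2 interpolates it into the `dns cloudflare` line), yet the template task in roles/caddy/proxy/tasks/main.yml writes it with `mode: '0644'`, so every local account on the proxy host can read a Cloudflare credential that this same commit took care to vault; use `mode: '0600'` (the unit runs Caddy as root, so root:root 0600 still works, and `owner` would follow if the service ever moves to its own user). The reload task then runs on every play whether or not the Caddyfile changed; a handler notified by the template task, or `when: caddyfile.changed` on a registered result, avoids reloading a working proxy for nothing. `template:` is the one unqualified module name among the new roles' tasks; `ansible.builtin.template:` matches the neighbouring systemd task.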
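Review bot: The `reverse_proxy {{ site.host }}:{{ site.port }}` line in Caddyfile.j2 never consults `site.https`, so the `https: true` set on several sites in playbooks/proxy/external.yml and internal.yml has no effect, and backend TLS is, as far as I can tell, only switched on as a side effect of `tls_insecure_skip_verify` being present in the transport block; `reverse_proxy {% if site.https | default(false) %}https://{% endif %}{{ site.host }}:{{ site.port }} {` would make the flag do what its name says. `domain.name.lstrip('*.')` strips any run of leading `*` and `.` characters rather than the `*.` prefix, which is harmless for the names in this commit but surprising; `domain.name | regex_replace('^\*\.', '')` states the intent. A one-line comment above `dns cloudflare {{ cloudflare_api_key }}` noting that the token lands on disk in this file would help whoever later sets the Caddyfile's mode and owner.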