diff --git a/frigate.yml b/frigate.yml
index 800848e..176425d 100644
--- a/frigate.yml
+++ b/frigate.yml
@@ -4,3 +4,5 @@
     tags: gasket-dkms
   - role: frigate
     tags: frigate
+  - role: frigate-caddy
+    tags: frigate-caddy
diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml
new file mode 100644
index 0000000..05c9126
--- /dev/null
+++ b/group_vars/frigate.yml
@@ -0,0 +1,9 @@
+# vim: set ft=yaml.jinja :
+
+frigate_caddy_forward_auth:
+  url: https://auth.pyrocufflink.blue
+  path: /api/verify
+  location: '?rd=https://{{ frigate_caddy_server_name }}'
+frigate_caddy_acme:
+  email: frigate@pyrocufflink.blue
+  url: https://ca.pyrocufflink.blue/acme/acme/directory
diff --git a/roles/caddy/files/Caddyfile b/roles/caddy/files/Caddyfile
new file mode 100644
index 0000000..644d82b
--- /dev/null
+++ b/roles/caddy/files/Caddyfile
@@ -0,0 +1 @@
+import Caddyfile.d/*.caddyfile
diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml
new file mode 100644
index 0000000..e4c3a6f
--- /dev/null
+++ b/roles/caddy/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload caddy
+  service:
+    name: caddy
+    state: reloaded
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
new file mode 100644
index 0000000..ab37b0e
--- /dev/null
+++ b/roles/caddy/tasks/main.yml
@@ -0,0 +1,47 @@
+- name: ensure caddy is installed
+  package:
+    name: caddy
+    state: present
+  tags:
+    - install
+
+- name: ensure base caddy configuration is set
+  copy:
+    src: Caddyfile
+    dest: /etc/caddy/Caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reload caddy
+  tags:
+    - config
+
+- name: ensure firewall is configured for caddy
+  firewalld:
+    service: '{{ item }}'
+    permanent: true
+    immediate: true
+    state: enabled
+  when: host_uses_firewalld|d(true)
+  loop:
+    - http
+    - https
+  tags:
+    - firewalld
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure caddy starts at boot
+  service:
+    name: caddy
+    enabled: true
+  tags:
+    - service
+- name: ensure caddy is running
+  service:
+    name: caddy
+    state: started
+  tags:
+    - service
diff --git a/roles/frigate-caddy/defaults/main.yml b/roles/frigate-caddy/defaults/main.yml
new file mode 100644
index 0000000..4182b9d
--- /dev/null
+++ b/roles/frigate-caddy/defaults/main.yml
@@ -0,0 +1 @@
+frigate_caddy_server_name: frigate.{{ ansible_domain }}
diff --git a/roles/frigate-caddy/meta/main.yml b/roles/frigate-caddy/meta/main.yml
new file mode 100644
index 0000000..e278138
--- /dev/null
+++ b/roles/frigate-caddy/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+  - role: caddy
+    tags: caddy
diff --git a/roles/frigate-caddy/tasks/main.yml b/roles/frigate-caddy/tasks/main.yml
new file mode 100644
index 0000000..5791b65
--- /dev/null
+++ b/roles/frigate-caddy/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: ensure caddy is configured to proxy for frigate
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reload caddy
+  tags:
+    - config
diff --git a/roles/frigate-caddy/templates/Caddyfile.j2 b/roles/frigate-caddy/templates/Caddyfile.j2
new file mode 100644
index 0000000..b9c46f7
--- /dev/null
+++ b/roles/frigate-caddy/templates/Caddyfile.j2
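Review bot: Nothing in roles/caddy/tasks/main.yml creates /etc/caddy/Caddyfile.d, yet the base Caddyfile copied by `ensure base caddy configuration is set` imports `Caddyfile.d/*.caddyfile` and the `template` task in roles/frigate-caddy/tasks/main.yml writes `/etc/caddy/Caddyfile.d/frigate.caddyfile` into it; `template` does not create parent directories, so on a distribution whose caddy package does not ship that directory the frigate-caddy role fails at that task. A `file` task with `state: directory` between the install and copy steps closes the gap regardless of what the package provides. Also, every other task in this file is separated by a blank line except `ensure caddy is running`, so one blank line before it would keep the layout consistent.
```yaml
# … unchanged: ensure caddy is installed …

- name: ensure caddy drop-in directory exists
  file:
    path: /etc/caddy/Caddyfile.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,go=rx
  tags:
    - config

# … unchanged: ensure base caddy configuration is set …
```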
@@ -0,0 +1,23 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ frigate_caddy_server_name }} {
+{% if frigate_caddy_forward_auth|d %}
+    forward_auth {{ frigate_caddy_forward_auth.url }} {
+        uri {{ frigate_caddy_forward_auth.path }}
+        header_up Host {upstream_hostport}
+
+        @unauthorized status 401
+        handle_response @unauthorized {
+            respond "" 301
+            header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
+        }
+    }
+
+{% endif %}
+    reverse_proxy localhost:5000
+{% if frigate_caddy_acme|d %}
+
+    tls {{ frigate_caddy_acme.email }} {
+        ca {{ frigate_caddy_acme.url }}
+    }
+{% endif %}
+}
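Review bot: `respond "" 301` inside `handle_response @unauthorized` marks the login redirect as permanent, and browsers cache 301 responses by default, so a client can keep being bounced to the auth service for that URL even after it holds a valid session; an authentication challenge should be a temporary redirect, `respond "" 302`. The forward_auth and tls blocks are both opt-in (`{% if frigate_caddy_forward_auth|d %}`, `{% if frigate_caddy_acme|d %}`) and neither variable is given a value in roles/frigate-caddy/defaults/main.yml — only group_vars/frigate.yml sets them — so a host that is not in that group silently gets an unauthenticated proxy to `localhost:5000`; consider making the template fail when `frigate_caddy_forward_auth` is undefined unless an explicit opt-out variable is set, so the role fails closed. Minor: `{{ frigate_caddy_forward_auth.url}}` on the `header Location` line is missing the space before `}}`, which renders correctly but is inconsistent with every other expression in the template.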