diff --git a/app/frigate/schema/schema.cue b/app/frigate/schema/schema.cue
index c997b31..7725d44 100644
--- a/app/frigate/schema/schema.cue
+++ b/app/frigate/schema/schema.cue
@@ -4,6 +4,17 @@ package schema
 env?: [string]: string
 config: #FrigateConfig
+
+ caddy: {
+ server_name: string
+ forward_auth: {
+ url: string
+ path: string | *"/api/verify"
+ }
+ acme: {
+ email: string
+ }
+ }
 }
 #FrigateConfig: {
diff --git a/app/frigate/templates.cue b/app/frigate/templates.cue
index 5f6385c..3bf3717 100644
--- a/app/frigate/templates.cue
+++ b/app/frigate/templates.cue
@@ -2,6 +2,8 @@ package frigate
 import "du5t1n.me/cfg/base/schema/instructions"
+import "du5t1n.me/cfg/app/caddy"
+
 templates: [...instructions.#RenderInstruction] & [
 {
 template: "frigate/frigate.sysusers"
@@ -65,4 +67,11 @@ templates: [...instructions.#RenderInstruction] & [
 ]
 }
 },
-]
+ {
+ template: "frigate/Caddyfile"
+ dest: "/etc/caddy/Caddyfile"
+ hooks: {
+ changed: [{run: "systemctl restart caddy"}]
+ }
+ },
+]+caddy.templates
diff --git a/env/prod/frigate.cue b/env/prod/frigate.cue
index 001f7d2..fb4145d 100644
--- a/env/prod/frigate.cue
+++ b/env/prod/frigate.cue
@@ -274,11 +274,22 @@ _frigate: config: cameras: {
 }
 }
+_frigate: caddy: {
+ server_name: "frigate.pyrocufflink.blue"
+ forward_auth: {
+ url: "https://auth.pyrocufflink.blue"
+ }
+ acme: {
+ email: "frigate@pyrocufflink.blue"
+ }
+}
+
 let Marshal = yaml.Marshal
 frigate: {
 env: _frigate.env
 config: _frigate.config
+ caddy: _frigate.caddy
 yaml: Marshal(config)
 }
diff --git a/host/nvr2.pyrocufflink.blue.cue b/host/nvr2.pyrocufflink.blue.cue
index eb27c40..73214b3 100644
--- a/host/nvr2.pyrocufflink.blue.cue
+++ b/host/nvr2.pyrocufflink.blue.cue
@@ -17,3 +17,5 @@ nut: monitor: prod.#nut_monitor & {
 }
 frigate: prod.frigate
+
+caddy: prod.caddy
diff --git a/templates/frigate/Caddyfile b/templates/frigate/Caddyfile
new file mode 100644
index 0000000..9ca9d80
--- /dev/null
+++ b/templates/frigate/Caddyfile
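Review bot: `forward_auth.url` and `server_name` in the new `caddy` struct are unconstrained `string`s, although the Caddyfile template interpolates them directly into the `forward_auth` upstream and the `Location` redirect; a scheme constraint such as `url: string & =~"^https://"` would reject a plaintext auth endpoint when the config is evaluated rather than when a browser follows the redirect. The sub-structs also carry no documentation, so a comment like `// forward_auth: auth service Caddy consults before proxying; path is its verify endpoint` above `forward_auth` would help the next reader. `acme.email` is the only ACME field declared here while the template additionally reads `caddy.acme.url` from the top-level caddy context, which is not part of this schema — a one-line comment naming that dependency would make the coupling visible.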
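Review bot: The `changed` hook for the rendered Caddyfile runs `systemctl restart caddy`, which drops every in-flight connection to the NVR on each config change; Caddy can apply a modified Caddyfile without closing connections, so `changed: [{run: "systemctl reload caddy"}]` is the gentler hook, provided the host's caddy unit defines an ExecReload (the official packaging does). The concatenation `]+caddy.templates` uses CUE list arithmetic, which as far as I recall is deprecated in favour of `list.Concat`; if other render-instruction lists in this repository already use `list.Concat`, this one should match. `caddy.templates` is imported above but its contents are not in this diff, so it is worth confirming it does not also render `/etc/caddy/Caddyfile` to the same `dest`.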
@@ -0,0 +1,20 @@
+{# vim: set ft=jinja : -#}
+{{ frigate.caddy.server_name }} {
+ forward_auth {{ frigate.caddy.forward_auth.url }} {
+ uri {{ frigate.caddy.forward_auth.path }}
+ header_up Host {upstream_hostport}
+
+ @unauthorized status 401
+ handle_response @unauthorized {
+ respond "" 302
+ header Location {{ frigate.caddy.forward_auth.url }}?rd=https://{{ frigate.caddy.server_name }}
+ }
+ }
+
+ reverse_proxy localhost:5000
+
+ tls {{ frigate.caddy.acme.email }} {
+ ca {{ caddy.acme.url }}
+ ca_root /etc/caddy/acme-ca.crt
+ }
+}
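Review bot: The `Location` header built in `handle_response @unauthorized` redirects back to `https://{{ frigate.caddy.server_name }}` only, so after authenticating the user lands on the site root rather than the page that produced the 401; appending the request URI, `header Location {{ frigate.caddy.forward_auth.url }}?rd=https://{{ frigate.caddy.server_name }}{uri}`, preserves the deep link (Caddy's `{uri}` shorthand expands to the original path and query). The `rd` value is passed to the auth service verbatim, so that service's validation of the parameter decides whether the return target is trusted; fixing the host part to `server_name` here is the right choice. `ca {{ caddy.acme.url }}` and `ca_root /etc/caddy/acme-ca.crt` depend on the top-level `caddy` context and on a trust-anchor file that nothing in this diff provisions — presumably `caddy.templates` supplies both, but a short Jinja comment such as `{# caddy.acme.url and /etc/caddy/acme-ca.crt are provided by app/caddy #}` would make that dependency explicit.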