diff --git a/services/http-proxy/proxy.nix b/services/http-proxy/proxy.nix
index 6cd87db..2b038ed 100644
--- a/services/http-proxy/proxy.nix
+++ b/services/http-proxy/proxy.nix
@@ -3,33 +3,37 @@
 services.caddy = {
 enable = true;
 configFile = pkgs.writeText "Caddyfile" ''
- http://nzbget.home.2rjus.net {
+ {
+ acme_ca https://ca.home.2rjus.net/acme/acme/directory
+ }
+
+ nzbget.home.2rjus.net {
 log {
 output file /var/log/caddy/nzbget.log
 }
 reverse_proxy http://nzbget-jail.home.2rjus.net:6789
 }
- http://radarr.home.2rjus.net {
+ radarr.home.2rjus.net {
 log {
 output file /var/log/caddy/radarr.log
 }
 reverse_proxy http://radarr-jail.home.2rjus.net:7878
 }
- http://sonarr.home.2rjus.net {
+ sonarr.home.2rjus.net {
 log {
 output file /var/log/caddy/sonarr.log
 }
 reverse_proxy http://sonarr-jail.home.2rjus.net:8989
 }
- http://ha.home.2rjus.net {
+ ha.home.2rjus.net {
 log {
 output file /var/log/caddy/ha.log
 }
 reverse_proxy http://ha1.home.2rjus.net:8123
 }
- http://z2m.home.2rjus.net {
+ z2m.home.2rjus.net {
 log {
 output file /var/log/caddy/z2m.log
 }
diff --git a/system/default.nix b/system/default.nix
index d84bc65..41b5955 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -4,6 +4,7 @@
 ./monitoring.nix
 ./packages.nix
 ./root-user.nix
+ ./root-ca.nix
 ./sops.nix
 ./sshd.nix
 ./weekly-rebuild.nix
diff --git a/system/root-ca.crt b/system/root-ca.crt
new file mode 100644
index 0000000..15d8ec5
--- /dev/null
+++ b/system/root-ca.crt
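Review bot: In services/http-proxy/proxy.nix the new global options block sets `acme_ca` without pinning a trust anchor, so Caddy's ACME client will accept https://ca.home.2rjus.net only if the private root is already in the proxy host's trust store, and will equally accept any other root in that store. Adding a line such as `acme_ca_root ${../../system/root-ca.crt}` next to `acme_ca` would tie the directory to the private root explicitly and remove the ordering dependency on system/root-ca.nix. Dropping the `http://` prefix also switches all five sites to automatic HTTPS, so port 443 must be reachable on this host; no firewall change is visible in this diff. The z2m site block continues past the end of the hunk.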
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWmgAwIBAgIQQCSzuOLIKLj1dGbC+NFttjAKBggqhkjOPQQDAjBAMRow
+GAYDVQQKExFob21lLjJyanVzLm5ldCBDQTEiMCAGA1UEAxMZaG9tZS4ycmp1cy5u
+ZXQgQ0EgUm9vdCBDQTAeFw0yNDEwMjEwOTEyNDRaFw0zNDEwMTkwOTEyNDRaMEAx
+GjAYBgNVBAoTEWhvbWUuMnJqdXMubmV0IENBMSIwIAYDVQQDExlob21lLjJyanVz
+Lm5ldCBDQSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGDE4ss9y
+9msphQ/Sa/tAoEaGoDHQcg5oRcxWL5SZYjUPNl+zbRZzqkvCz2S1XrHJPiPWbyJX
+cZAlPxbwZrWDyKNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
+AQEwHQYDVR0OBBYEFPZx6AahX5diBMChZbv5N4dh+vCTMAoGCCqGSM49BAMCA0kA
+MEYCIQC6yqMM9/s1Dct5jlq0NAGsDA68hVTDcO3RP61lxQlfBwIhAL1jlmIwaSJc
+TjdIMjPQ3ombBRqDJBDvDr8o6oOUjret
+-----END CERTIFICATE-----
diff --git a/system/root-ca.nix b/system/root-ca.nix
new file mode 100644
index 0000000..5e5ff78
--- /dev/null
+++ b/system/root-ca.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ security.pki = {
+ certificateFiles = [
+ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ ./root-ca.crt
+ ];
+ };
+}
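Review bot: The `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` entry in `certificateFiles` in system/root-ca.nix looks redundant, because NixOS already builds the system bundle from cacert and this option only adds certificates on top of it. Passing the stock bundle in again as an extra file would, as far as I can tell, also re-add any root removed through `security.pki.caCertificateBlacklist`, so I would reduce the list to `certificateFiles = [ ./root-ca.crt ];`. Because system/default.nix imports this module, every host built from it trusts the private root for any hostname. A comment such as `# Private root for the home.2rjus.net ACME CA; trusted system-wide for all names.` would record that scope, and it is worth confirming whether the certificate carries name constraints.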