diff --git a/bootstrap.yml b/bootstrap.yml
index 36d49a3..f302864 100644
--- a/bootstrap.yml
+++ b/bootstrap.yml
@@ -1,5 +1,6 @@
- import_playbook: facts.yml
- import_playbook: hostname.yml
+- import_playbook: useproxy.yml
- import_playbook: base.yml
- import_playbook: firewalld.yml
- import_playbook: ssh-host-certs.yml
diff --git a/group_vars/unifi-test.yml b/group_vars/unifi-test.yml
new file mode 100644
index 0000000..e1972ea
--- /dev/null
+++ b/group_vars/unifi-test.yml
@@ -0,0 +1 @@
+unifi_server_name: '{{ ansible_fqdn }}'
diff --git a/group_vars/unifi/main.yml b/group_vars/unifi/main.yml
index e4535b2..9f13b9a 100644
--- a/group_vars/unifi/main.yml
+++ b/group_vars/unifi/main.yml
@@ -1,4 +1,8 @@
-nginx_redirect_http_https: true
+unifi_server_name: unifi.pyrocufflink.blue
+unifi_caddy_acme:
+ email: unifi@pyrocufflink.net
+ url: https://ca.pyrocufflink.blue/acme/acme/directory
+
unifi_exporter_site: Pyrocufflink
unifi_exporter_username: prometheus
unifi_exporter_password: !vault |
diff --git a/host-setup.yml b/host-setup.yml
index 74bd581..d412cd0 100644
--- a/host-setup.yml
+++ b/host-setup.yml
@@ -1,5 +1,6 @@
- import_playbook: bootstrap.yml
+- import_playbook: users.yml
- import_playbook: collectd.yml
- import_playbook: promtail.yml
- import_playbook: auto-updates.yml
diff --git a/host_vars/gw1.pyrocufflink.blue/squid.yml b/host_vars/gw1.pyrocufflink.blue/squid.yml
index c085d1a..df8b5dd 100644
--- a/host_vars/gw1.pyrocufflink.blue/squid.yml
+++ b/host_vars/gw1.pyrocufflink.blue/squid.yml
@@ -87,6 +87,10 @@ squid_http_access:
- allow unifi_controller dockerhub
- allow unifi_controller ghcr
- allow unifi_controller linuxserverio
+- allow unifi_controller gitea
+- allow unifi_controller fedora_repo
+- allow unifi_controller dch_repo
+- allow unifi_controller grafana_rpm
- allow trusted frigate github_api
- deny all
diff --git a/hosts b/hosts
index fd6b5fe..ea007d9 100644
--- a/hosts
+++ b/hosts
@@ -136,6 +136,9 @@ kubelet
[needproxy]
nvr2.pyrocufflink.blue
+[needproxy:children]
+unifi
+
[networkd]
vmhost0.pyrocufflink.blue
vmhost1.pyrocufflink.blue
@@ -227,6 +230,11 @@ vps
[unifi]
+[unifi-test]
+
+[unifi:children]
+unifi-test
+
[vm-hosts]
vmhost0.pyrocufflink.blue
vmhost1.pyrocufflink.blue
diff --git a/roles/unifi/defaults/main.yml b/roles/unifi/defaults/main.yml
index 4336ec6..ecfc0a9 100644
--- a/roles/unifi/defaults/main.yml
+++ b/roles/unifi/defaults/main.yml
@@ -1,5 +1,5 @@
unifi_version: latest
-unifi_container_image: lscr.io/linuxserver/unifi-controller
+unifi_container_image: git.pyrocufflink.net/containerimages/unifi
unifi_storage_path: /var/lib/unifi
unifi_exporter_container_image: docker.io/jessestuart/unifi_exporter
diff --git a/roles/unifi/tasks/deploy.yml b/roles/unifi/tasks/deploy.yml
index 64e7f7d..149abc2 100644
--- a/roles/unifi/tasks/deploy.yml
+++ b/roles/unifi/tasks/deploy.yml
@@ -1,48 +1,3 @@
-- name: ensure unifi group exists
- group:
- name: unifi
- gid: 911
- system: true
- state: present
- tags:
- - user
- - group
-- name: ensure unifi user exists
- user:
- name: unifi
- uid: 911
- group: unifi
- home: /var/lib/unifi
- createhome: false
- system: true
- state: present
- tags:
- - user
-
-- name: ensure containers subuid is configured
- lineinfile:
- path: /etc/subuid
- create: true
- line: containers:39290640:1048576
- tags:
- - user
-- name: ensure containers subgid is configured
- lineinfile:
- path: /etc/subgid
- line: containers:39290640:1048576
- tags:
- - user
-
-- name: ensure unifi storage path exists
- file:
- path: '{{ unifi_storage_path }}'
- owner: unifi
- group: unifi
- mode: u=rwx,go=
- state: directory
- tags:
- - datadir
-
- name: ensure unifi.container systemd unit exists
template:
src: unifi.container.j2
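Review bot: `unifi_container_image` now points at a self-hosted registry, but the default `unifi_version: latest` on the line above is kept, so with `Restart=always` in the unit every restart may silently pull a different image and nothing in the repository records what is actually running. Pinning the default to an explicit tag or digest (`unifi_version: '<tag-or-digest placeholder>'`) and overriding it per group would make deployments reproducible and reviewable. If a mutable tag is intentional for this private registry, a comment above it such as `# mutable tag: the registry is under our control and is rebuilt on purpose` would at least make the choice explicit.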
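Review bot: Dropping the `unifi` user and group, the `containers` subuid/subgid ranges and, in the unifi.container.j2 hunk, `UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1` means the controller no longer runs in a separate user namespace; unless the image switches to an unprivileged user on its own, its processes are host root while `Network=host` is still set, which is a step down in isolation from the previous mapping. The `U` option on the new `Volume=` lines suggests podman is now expected to chown the bind-mount sources to whatever user the image runs as, but that expectation is not written down anywhere; a comment in unifi.container.j2 above the `Volume=` lines, such as `# no UserNS mapping any more: the image is trusted to drop to its own unprivileged UID, and U: chowns the bind mounts to it`, would record the assumption so the next reader can verify it against the image. The `- name: ensure unifi.container systemd unit exists` task at the end of this hunk continues past it.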
@@ -75,23 +30,12 @@
tags:
- firewalld
-- name: ensure nginx is configured to proxy for unifi
+- name: ensure caddy is configured to proxy for unifi
template:
- src: unifi.nginx.conf.j2
- dest: /etc/nginx/default.d/unifi.conf
- mode: u=rw,go=r
+ src: unifi.caddyfile.j2
+ dest: /etc/caddy/Caddyfile.d/unifi.caddyfile
owner: root
group: root
+ mode: u=rw,go=r
notify:
- - reload nginx
- tags:
- - nginx
-
-- name: ensure selinux allows nginx to proxy for unifi
- seboolean:
- name: httpd_can_network_connect
- persistent: true
- state: true
- tags:
- - nginx
- - selinux
+ - reload caddy
diff --git a/roles/unifi/tasks/main.yml b/roles/unifi/tasks/main.yml
index c462f21..5072050 100644
--- a/roles/unifi/tasks/main.yml
+++ b/roles/unifi/tasks/main.yml
@@ -3,8 +3,5 @@
tags:
- install
- import_tasks: deploy.yml
- - import_tasks: exporter.yml
- tags:
- - unifi-exporter
tags:
- unifi
diff --git a/roles/unifi/templates/unifi.caddyfile.j2 b/roles/unifi/templates/unifi.caddyfile.j2
new file mode 100644
index 0000000..821f0ec
--- /dev/null
+++ b/roles/unifi/templates/unifi.caddyfile.j2
@@ -0,0 +1,13 @@
+{{ unifi_server_name }} {
+ reverse_proxy localhost:8443 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+{% if unifi_caddy_acme|d %}
+
+ tls {{ unifi_caddy_acme.email }} {
+ ca {{ unifi_caddy_acme.url }}
+ }
+{% endif %}
+}
diff --git a/roles/unifi/templates/unifi.container.j2 b/roles/unifi/templates/unifi.container.j2
index ee51929..012d0b7 100644
--- a/roles/unifi/templates/unifi.container.j2
+++ b/roles/unifi/templates/unifi.container.j2
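Review bot: The `seboolean` task for `httpd_can_network_connect` is removed together with the nginx config, and nothing in this change adds an SELinux equivalent for caddy; that is only correct if the caddy process runs unconfined, or in a domain that already permits outbound connections, on these hosts, which cannot be confirmed from the diff and is worth checking on a target, since a denial would show up as the proxy failing to reach `localhost:8443` after the switch. The new template task also depends on a `reload caddy` handler and on `/etc/caddy/Caddyfile.d/` existing, both presumably provided by the caddy role that unifi.yml now applies. The `tags:` / `- firewalld` lines at the top belong to a task that starts before this hunk.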
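Review bot: Removing `- import_tasks: exporter.yml` leaves the exporter configuration behind: `unifi_exporter_container_image` in roles/unifi/defaults/main.yml and `unifi_exporter_site`, `unifi_exporter_username` and the vault-encrypted `unifi_exporter_password` in group_vars/unifi/main.yml are still visible as context in this diff, while the `unifi-exporter` tag that selected them is gone. If the exporter is meant to be retired, those variables and the encrypted credential should be removed with it rather than kept in the repository unused; if it is only disabled for now, a comment where the import used to be, stating why it is no longer imported, would keep the leftovers from reading as an oversight. The task list this hunk edits begins before line 3.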
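Review bot: `tls_insecure_skip_verify` in the `reverse_proxy localhost:8443` transport disables certificate verification for the upstream; the exposure is limited to loopback and matches the `proxy_ssl_verify off` it replaces, but the template should say so, so that nobody later reuses the transport block for a remote upstream, e.g. a `{# the controller serves a self-signed certificate on loopback only; verification is skipped on purpose #}` line above it. When `unifi_caddy_acme` is undefined the whole `tls` block is omitted and Caddy falls back to its default issuer for `unifi_server_name`; that is presumably what is wanted for hosts outside the `unifi` group, and a one-line comment on the `{% if %}` stating the expected fallback would make that intent visible.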
@@ -5,14 +5,17 @@ After=network.target
[Container]
Image={{ unifi_container_image }}:{{ unifi_version }}
-Volume={{ unifi_storage_path }}:/config:rw,Z
+Volume=%S/%N:/var/lib/unifi:rw,U,Z
+Volume=%L/%N:/var/log/unifi:rw,U,Z
Network=host
NoNewPrivileges=yes
-UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1
-VolatileTmp=yes
+ReadOnly=yes
+ReadOnlyTmpfs=true
Notify=yes
[Service]
+StateDirectory=%N
+LogsDirectory=%N
TimeoutStartSec=5min
Restart=always
PrivateTmp=yes
@@ -23,7 +26,7 @@ ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/run
ReadWritePaths=/var/lib/containers/storage
-ReadWritePaths={{ unifi_storage_path }}
+ReadWritePaths=%S/%N
RestrictRealtime=yes
UMask=0077
diff --git a/roles/unifi/templates/unifi.nginx.conf.j2 b/roles/unifi/templates/unifi.nginx.conf.j2
deleted file mode 100644
index ddc1c54..0000000
--- a/roles/unifi/templates/unifi.nginx.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-location / {
- proxy_pass https://127.0.0.1:8443/;
- proxy_ssl_verify off;
- client_max_body_size 50m;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-}
diff --git a/site.yml b/site.yml
index ba76b45..9bad63c 100644
--- a/site.yml
+++ b/site.yml
@@ -11,3 +11,4 @@
- import_playbook: postgresql.yml
- import_playbook: serterm.yml
- import_playbook: smtp-relay.yml
+- import_playbook: unifi.yml
diff --git a/unifi.yml b/unifi.yml
index 2055592..4d23a37 100644
--- a/unifi.yml
+++ b/unifi.yml
@@ -1,5 +1,6 @@
- hosts: unifi
roles:
- - role: nginx
- tags: nginx
+ - role: caddy
+ tags: caddy
- role: unifi
+ tags: unifi
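Review bot: `ReadOnlyTmpfs=true` introduces a `true` into a unit that spells every other boolean `yes` (`NoNewPrivileges=yes`, `ReadOnly=yes`, `Notify=yes`, `PrivateTmp=yes`); `ReadOnlyTmpfs=yes` keeps the file uniform. As far as I recall it is also Quadlet's default whenever `ReadOnly=` is set, so it could be dropped, or kept with a comment stating that the writable tmpfs mounts under the read-only root are intentional for the controller. The `[Service]` section begun in this hunk continues beyond it.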
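Review bot: `ReadWritePaths=%S/%N` is updated for the state directory, but the new `Volume=%L/%N:/var/log/unifi:rw,U,Z` from the earlier hunk has no matching `ReadWritePaths=%L/%N`, so under `ProtectSystem=strict` writability of the log bind-mount source relies on systemd implicitly allowing `LogsDirectory=`; if that implicit allowance is what is being relied on, the `%S/%N` entry is itself redundant. Either list both (`ReadWritePaths=%L/%N` next to the existing line) or neither, and record in a comment which mechanism is relied on, so the two volumes are treated the same way.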