diff --git a/infra/services/caddy/Caddyfile b/infra/services/caddy/Caddyfile
new file mode 100644
index 0000000000..39a9fc09cb
--- /dev/null
+++ b/infra/services/caddy/Caddyfile
@@ -0,0 +1,15 @@
+{
+ email custom-domains@ente.io
+ on_demand_tls {
+ ask https://api.ente.io/custom-domain
+ }
+}
+
+https:// {
+ tls {
+ on_demand
+ }
+ reverse_proxy https://custom-albums.ente.io {
+ header_up Host {upstream_hostport}
+ }
+}
diff --git a/infra/services/caddy/README.md b/infra/services/caddy/README.md
new file mode 100644
index 0000000000..d13d016d1c
--- /dev/null
+++ b/infra/services/caddy/README.md
@@ -0,0 +1,19 @@
+# Caddy
+
+Caddy is used to terminate TLS and manage certificates for custom domains.
+
+## Installation
+
+```sh
+sudo mkdir -p /root/caddy/conf
+sudo mv Caddyfile /root/caddy/conf
+sudo chown root:root /root/caddy/conf/Caddyfile
+```
+
+Rest of it works like our other systemd services.
+
+If the Caddyfile changes, the running instance can be updated without restarts by using `sudo systemctl reload caddy`.
+
+## Backups
+
+The entire `/root/caddy` directory can be backed up and contains the everything needed to resurrect the same setup.
diff --git a/infra/services/caddy/caddy.service b/infra/services/caddy/caddy.service
new file mode 100644
index 0000000000..1aa30e6442
--- /dev/null
+++ b/infra/services/caddy/caddy.service
@@ -0,0 +1,17 @@
+[Unit]
+Documentation=https://caddyserver.com/docs/running
+Requires=docker.service
+After=docker.service
+
+[Service]
+ExecStartPre=docker pull caddy
+ExecStartPre=-docker stop caddy
+ExecStartPre=-docker rm caddy
+ExecStart=docker run --name caddy \
+ --cap-add NET_ADMIN \
+ -p 80:80 -p 443:443 -p 443:443/udp \
+ -v /root/caddy/conf:/etc/caddy \
+ -v /root/caddy/data:/data \
+ -v /root/caddy/config:/config \
+ caddy
+ExecReload=docker exec -w /etc/caddy caddy caddy reload
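Review bot: The `ask https://api.ente.io/custom-domain` line is the only gate on certificate issuance here, because the `https://` site block matches every hostname and `tls { on_demand }` is unconditional, so any host whose DNS points at this box will trigger an ACME request unless that endpoint rejects it; that contract is worth a comment beside the line, e.g. `# Caddy calls this endpoint (with ?domain=<host>, per the Caddy docs) before issuing a cert; it must answer non-2xx for hosts that are not registered custom domains.` The `header_up Host {upstream_hostport}` line replaces the customer's domain with the upstream name, so the upstream can only recover the original host from Caddy's forwarded headers (X-Forwarded-Host by default, if nothing strips it); a one-line comment naming which header the upstream relies on would save the next reader from guessing. Both behaviours are inferred from Caddy's documented defaults, so confirm against the version actually deployed.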
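Review bot: The unit has no `[Install]` section, so `systemctl enable caddy` will refuse it (no WantedBy) and the container will not come back after a reboot; add `[Install]` / `WantedBy=multi-user.target` at the end, and `Restart=on-failure` under `[Service]` since nothing restarts the container if `docker run` exits. `ExecStartPre=docker pull caddy` and the trailing `caddy` image reference in `ExecStart` both resolve to the unpinned `latest` tag, so every restart may deploy a different, unreviewed Caddy release; pin a version tag or digest such as `caddy:<pinned-version>` (placeholder) in both places. `--cap-add NET_ADMIN` is not obviously required by a reverse proxy and deserves a comment stating why it is granted (presumably for the UDP/QUIC listener on 443, which I cannot confirm from the unit alone), or should be dropped if it turns out to be unnecessary.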