diff --git a/Makefile b/Makefile
index e00f39c..d84cffa 100644
--- a/Makefile
+++ b/Makefile
@@ -36,10 +36,7 @@ config.json: config.yaml .files-list $(FILES)
--ignition-file $${TEMPDIR}/config.json \
--keep-machine-id \
--keep-paths '/etc/ssh/ssh_host_.*' \
- --keep-paths '/home/core/caddy/' \
- --keep-paths '/home/core/matrixdotorg-synapse/' \
- --keep-paths '/home/core/matrixdotorg-matrix-appservice-irc' \
- --keep-paths '/home/core/postgresql/secret' \
+ --keep-paths '/opt/caddy/data' \
--keep-paths '/var/log' && \
ssh -o ControlPath=/tmp/ssh_mux_%h_%p_%r akpella \
sudo systemctl reboot && \
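Review bot: The next reprovision will discard the Synapse and PostgreSQL state under `/home/core` (including `/home/core/postgresql/secret`) now that those `--keep-paths` lines are gone, and the recipe reboots the host straight after, so there is no moment to notice. That matches the removal of those services in config.yaml, but a comment above the recipe such as `# matrix/postgres state under /home/core is intentionally not kept any more; back it up first if still needed` records that this is deliberate rather than an oversight. Keeping `/opt/caddy/data` is right: it is the host side of the container's `/data` mount, where Caddy's ACME account key and certificates live, so a reinstall does not re-issue them.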
diff --git a/config.yaml b/config.yaml
index 6cd4f1f..8332b93 100644
--- a/config.yaml
+++ b/config.yaml
@@ -10,66 +10,47 @@ passwd:
storage:
directories:
- - path: /home/core/caddy/data
- - path: /home/core/caddy/etc/caddy
- - path: /home/core/caddy/var/www/html
- - path: /home/core/matrixdotorg-synapse/data
- - path: /home/core/matrixdotorg-matrix-appservice-irc/data
- - path: /home/core/postgresql
+ - path: /opt/caddy/etc/caddy
+ - path: /opt/caddy/data
files:
# /etc/hostname
- path: /etc/hostname
contents:
inline: "akpella.fst.ee"
- # /etc/systemd/network/00-eth0.network
- - path: /etc/systemd/network/00-eth0.network
- contents:
- local: etc/systemd/network/00-eth0.network
# /etc/hosts
- path: /etc/hosts
overwrite: true
contents:
local: etc/hosts
- # /home/core/caddy/etc/caddy/Caddyfile
- - path: /home/core/caddy/etc/caddy/Caddyfile
- overwrite: true
+ # /etc/systemd/network/00-eth0.network
+ - path: /etc/systemd/network/00-eth0.network
contents:
- local: caddy/etc/caddy/Caddyfile
- # /home/core/caddy/var/www/html/index.html
- - path: /home/core/caddy/var/www/html/index.html
- overwrite: true
+ local: etc/systemd/network/00-eth0.network
+ # /etc/flatcar/enabled-sysext.conf
+ - path: /etc/flatcar/enabled-sysext.conf
+ contents:
+ inline: |
+ podman
+ python
+ # /etc/containers/policy.json
+ - path: /etc/containers/policy.json
+ contents:
+ local: etc/containers/policy.json
+ # /etc/containers/systemd/caddy.container
+ - path: /etc/containers/systemd/caddy.container
+ contents:
+ local: etc/containers/systemd/caddy.container
+ # /opt/caddy/etc/caddy/Caddyfile
+ - path: /opt/caddy/etc/caddy/Caddyfile
+ contents:
+ local: caddy/Caddyfile
+ # /opt/caddy/var/www/html/index.html
+ - path: /opt/caddy/var/www/html/index.html
contents:
inline: |
no
systemd:
units:
- # docker-network-setup.service
- - name: docker-network-setup.service
+ - name: caddy.service
enabled: true
- contents_local: docker-network-setup.service
- # docker-matrixdotorg-synapse.service
- - name: docker-matrixdotorg-synapse.service
- enabled: true
- contents_local: docker-matrixdotorg-synapse.service
- # docker-caddy.service
- - name: docker-caddy.service
- enabled: true
- contents_local: docker-caddy.service
- # docker-matrixdotorg-matrix-appservice-irc.service
- - name: docker-matrixdotorg-matrix-appservice-irc.service
- enabled: false
- contents_local: docker-matrixdotorg-matrix-appservice-irc.service
- # generate-secrets.service
- - name: generate-secrets.service
- enabled: true
- contents_local: generate-secrets.service
- # docker-postgresql.service
- - name: docker-postgresql.service
- enabled: true
- contents_local: docker-postgresql.service
- # docker.service
- - name: docker.service
- dropins:
- - name: docker.conf
- contents_local: docker.conf
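Review bot: The `caddy.service` entry under `systemd.units` at the end of the hunk (`enabled: true`, no `contents`/`contents_local`) names a unit that has no unit file: it is generated at boot from `/etc/containers/systemd/caddy.container`, whose own `[Install]` section is what the quadlet generator uses to start it. Ignition enabling a unit that does not exist on disk is presumably redundant and may be reported as a failure on first boot, so either drop the entry or confirm in the Ignition journal that it is accepted. The `directories` list also no longer declares `/opt/caddy/var/www/html`, although `index.html` is written beneath it, so that parent gets whatever default ownership and mode Ignition applies rather than a declared one. `/opt/caddy/data` is the host side of the container's `/data` mount and will hold the ACME account key and certificates; since the Makefile retains it across reinstalls, declaring `mode: 0700` on that entry makes the intended permissions explicit instead of relying on the default.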
diff --git a/files/caddy/Caddyfile b/files/caddy/Caddyfile
new file mode 100644
index 0000000..6f67588
--- /dev/null
+++ b/files/caddy/Caddyfile
@@ -0,0 +1,18 @@
+{
+ #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+ email akpall+akpella@fst.ee
+}
+
+fst.ee {
+ root * /var/www/html
+ file_server
+}
+
+#fst.ee:8448 {
+# reverse_proxy /_matrix/* matrixdotorg-synapse:8008
+#}
+
+#matrix.fst.ee {
+# reverse_proxy /_matrix/* matrixdotorg-synapse:8008
+# reverse_proxy /_synapse/client/* matrixdotorg-synapse:8008
+#}
diff --git a/files/caddy/etc/caddy/Caddyfile b/files/caddy/etc/caddy/Caddyfile
deleted file mode 100644
index 769f01b..0000000
--- a/files/caddy/etc/caddy/Caddyfile
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
- email akpall+akpella@fst.ee
-}
-
-fst.ee {
- root * /var/www/html
- file_server
-}
-
-fst.ee:8448 {
- reverse_proxy /_matrix/* matrixdotorg-synapse:8008
-}
-
-matrix.fst.ee {
- reverse_proxy /_matrix/* matrixdotorg-synapse:8008
- reverse_proxy /_synapse/client/* matrixdotorg-synapse:8008
-}
diff --git a/files/etc/containers/policy.json b/files/etc/containers/policy.json
new file mode 100644
index 0000000..0d1bdb1
--- /dev/null
+++ b/files/etc/containers/policy.json
@@ -0,0 +1,8 @@
+{
+ "default": [{"type": "reject"}],
+ "transports": {
+ "docker": {
+ "docker.io/library/caddy": [{"type": "insecureAcceptAnything"}]
+ }
+ }
+}
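Review bot: The only repository the policy accepts, `docker.io/library/caddy`, is accepted with `insecureAcceptAnything`, so with `default: reject` this is a trust-by-name allowlist and no signature is verified for the one image that is actually pulled; combined with the mutable `:latest` tag in `files/etc/containers/systemd/caddy.container` (next hunk), whatever is published under that name becomes the host's public-facing web server. The cheapest tightening is pinning the quadlet to a digest, `Image=docker.io/library/caddy@sha256:<digest of the tested image>`, so the name allowlist here is bounded to known content; if the publisher offers signatures the containers policy can verify (`signedBy` or `sigstoreSigned` requirement types), replacing `insecureAcceptAnything` with one of them is the stronger fix. The `default: reject` entry itself is the right default and should stay.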
diff --git a/files/etc/containers/systemd/caddy.container b/files/etc/containers/systemd/caddy.container
new file mode 100644
index 0000000..c8c9f32
--- /dev/null
+++ b/files/etc/containers/systemd/caddy.container
@@ -0,0 +1,13 @@
+[Unit]
+Description=Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.
+
+[Container]
+Image=docker.io/library/caddy:latest
+PublishPort=443:443
+PublishPort=80:80
+Volume=/opt/caddy/data:/data
+Volume=/opt/caddy/etc/caddy:/etc/caddy
+Volume=/opt/caddy/var/www/html:/var/www/html
+
+[Install]
+WantedBy=multi-user.target
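Review bot: The quadlet has no `[Service]` section, so if the caddy container exits (crash, failed pull at boot, OOM) nothing restarts it, and for the host's only listener on 80/443 that is an outage until someone logs in; adding `[Service]` with `Restart=always` (quadlet passes it through to the generated unit) is the usual fix. The `Description=` line is a copied marketing sentence well past the usual line length; `Description=Caddy web server (podman quadlet)` says what an operator needs. Caddy 2 advertises HTTP/3 on the TCP listener but needs `PublishPort=443:443/udp` for it to be reachable; without it clients presumably fall back to HTTP/2, which is harmless but worth a comment if intentional.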
diff --git a/files/etc/hosts b/files/etc/hosts
index 4208f6f..41aa4f7 100644
--- a/files/etc/hosts
+++ b/files/etc/hosts
@@ -1,2 +1,37 @@
-127.0.0.1 localhost akpella.fst.ee
-::1 localhost akpella.fst.ee
+# /etc/hosts: Local Host Database
+#
+# This file describes a number of aliases-to-address mappings for the for
+# local hosts that share this file.
+#
+# The format of lines in this file is:
+#
+# IP_ADDRESS canonical_hostname [aliases...]
+#
+#The fields can be separated by any number of spaces or tabs.
+#
+# In the presence of the domain name service or NIS, this file may not be
+# consulted at all; see /etc/host.conf for the resolution order.
+#
+
+# IPv4 and IPv6 localhost aliases
+127.0.0.1 localhost akpella.fst.ee
+::1 localhost akpella.fst.ee
+
+#
+# Imaginary network.
+#10.0.0.2 myname
+#10.0.0.3 myfriend
+#
+# According to RFC 1918, you can use the following IP networks for private
+# nets which will never be connected to the Internet:
+#
+# 10.0.0.0 - 10.255.255.255
+# 172.16.0.0 - 172.31.255.255
+# 192.168.0.0 - 192.168.255.255
+#
+# In case you want to be able to connect directly to the Internet (i.e. not
+# behind a NAT, ADSL router, etc...), you need real official assigned
+# numbers. Do not try to invent your own network numbers but instead get one
+# from your network provider (if any) or from your regional registry (ARIN,
+# APNIC, LACNIC, RIPE NCC, or AfriNIC.)
+#
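Review bot: The two operative lines (`127.0.0.1 localhost akpella.fst.ee`, `::1 localhost akpella.fst.ee`) are identical to the ones removed, so the 35 added lines are a distribution template header copied verbatim, including the "Imaginary network" and RFC 1918 advice that does not apply to this host, a duplicated phrase (`for the for local hosts`) and a missing space in `#The fields`. A hosts file shipped by Ignition reads better with just the two entries and a one-line `# managed by Ignition (config.yaml); local edits are replaced on reprovision` at the top, which also tells the next operator why edits disappear, since config.yaml sets `overwrite: true` on this file.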