diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix
index feb2183..74c82c0 100644
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@@ -17,6 +17,8 @@
 ../../modules/docker.nix
 ../../modules/teleport.nix
 ../../modules/portainer_agent.nix
+ ../../modules/arcane.nix
+ ../../modules/traefik.nix
 ../../modules/auto-upgrade.nix
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
@@ -33,6 +35,45 @@
 virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [
 config.age.secrets."portainer-join_token".path
 ];
+ services.traefik-docker = {
+ enable = true;
+ dashboardUrl = "traefik.juliusfr.eu";
+ dnsSecrets = [
+ config.age.secrets."netcup-dns"
+ ];
+ mTLSCaCertSecret = config.age.secrets."step-ca-crt";
+ oidcAuthProviderUrl = "https://login.juliusfr.eu";
+ oidcClients = {
+ traefik-dashboard = {
+ secret = config.age.secrets."traefik-oidc-auth";
+ };
+ immich = {
+ secret = config.age.secrets."immich-oidc-auth";
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ enableBypassUsingClientCertificate = true;
+ };
+ arcane = {
+ secret = config.age.secrets."arcane-oidc-auth";
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ };
+ };
+ };
+
+ services.arcane = {
+ enable = true;
+ appUrl = "arcane.juliusfr.eu";
+ secretFile = config.age.secrets."arcane-secrets";
+ };
+
 systemd.network = {
 enable = true;
 networks."10-wan" = {
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix
index 8697e77..8dc2205 100644
--- a/hosts/srv01.hf/secrets.nix
+++ b/hosts/srv01.hf/secrets.nix
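Review bot: The `enableBypassUsingClientCertificate = true;` on the immich client has no comment saying what it bypasses, and it is the one line in this block that relaxes the login path: a client certificate chaining to the CA given in `mTLSCaCertSecret` presumably stands in for the OIDC login on that service. A comment such as `# Devices holding a cert issued by the step-ca CA (mTLSCaCertSecret) skip the OIDC login for immich, so issuing a cert from that CA is equivalent to granting immich access.` would record the intent for the next reader. Separately, `mTLSCaCertSecret`, the per-client `secret` values and `secretFile` receive the whole `config.age.secrets.*` attribute set, whereas the existing portainer line above passes `.path`; if the new modules declare those options as paths this fails at evaluation, so the option types in modules/traefik.nix and modules/arcane.nix are worth confirming. The enclosing attribute set starts before the hunk.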
@@ -4,5 +4,11 @@
 teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
 teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
 portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
+ netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup";
+ traefik-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/traefik-oidc-auth";
+ immich-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/immich-oidc-auth";
+ arcane-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/arcane-oidc-auth";
+ arcane-secrets.file = "${inputs.secrets}/secrets/srv01-hf/arcane-secrets";
+ step-ca-crt.file = "${inputs.secrets}/secrets/step-ca/step-ca-crt";
 };
 }
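Review bot: `netcup-dns` is the only new entry that points outside the host-scoped `srv01-hf` directory (`secrets/dns-management/netcup`), and nothing marks it as a credential presumably shared with other hosts; a comment such as `# DNS-provider API credential shared across hosts, not host-specific: rotating it affects every host that imports it` next to that line would make the blast radius visible. A DNS-management key can change the zone that the TLS and OIDC hostnames configured in default.nix resolve to, so it deserves at least the same handling as the join tokens above. The new entries set no `owner` or `mode`, consistent with the existing lines, so they inherit agenix's root-only default; if the traefik or arcane service reads any of them as a non-root user that would need to be set per entry, which cannot be told from this hunk.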