diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..d2dfbf9
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,62 @@
+{
+ persist_config off
+
+ log {
+ output stderr
+ exclude admin.api
+ format console {
+ time_key ""
+ }
+ }
+
+ metrics {
+ per_host
+ }
+
+ storage s3 {
+ host "{$S3_ENDPOINT}"
+ access_id "{$S3_ACCESS_KEY_ID}"
+ secret_key "{$S3_SECRET_ACCESS_KEY}"
+ bucket "{$S3_BUCKET}"
+ prefix "ssl"
+ }
+
+ email {env.ACME_EMAIL}
+
+ auto_https disable_redirects
+
+ on_demand_tls {
+ permission http http://{$GIT_PAGES_ADDRESS:localhost}:3001
+ }
+
+ servers :80 {
+ name http
+ protocols h1 h2c
+ }
+
+ servers :443 {
+ name https
+ protocols h1 h2
+ }
+}
+
+http:// {
+ @get method GET
+ redir @get https://{host}{uri} 301
+
+ # initial PUT/POST for a new domain has to happen over HTTP
+ reverse_proxy http://{$GIT_PAGES_ADDRESS:localhost}:3000
+}
+
+https:// {
+ tls {
+ on_demand
+ }
+
+ encode
+ reverse_proxy http://{$GIT_PAGES_ADDRESS:localhost}:3000
+}
+
+http://localhost:2020 {
+ respond "ok"
+}
diff --git a/Dockerfile b/Dockerfile
index 1a31ad4..f465161 100644
--- a/Dockerfile
+++ b/Dockerfile
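Review bot: In the `http://` site block only GET is redirected to HTTPS, so HEAD requests and every PUT/POST/DELETE, not just the initial one the comment justifies, are proxied to git-pages in clear text together with whatever credentials those write requests carry. The comment should state that scope explicitly, e.g. `# all non-GET requests stay on plain HTTP: the first PUT/POST for a new domain cannot use TLS yet, and later writes are not redirected either`, so operators and clients know to use https:// themselves once a domain is provisioned; at minimum `@read method GET HEAD` with `redir @read https://{host}{uri} 301` keeps read traffic consistent. Separately, `email {env.ACME_EMAIL}` uses the runtime placeholder form while every other value in this file uses the parse-time `{$VAR}` form; using one form throughout avoids confusion about when the value is substituted.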
@@ -1,18 +1,54 @@
-FROM golang:1.25-alpine AS builder
-RUN apk add --no-cache git
-WORKDIR /app
+# syntax = docker/dockerfile:1
+
+# Build hivemind.
+FROM golang:1.25-alpine AS hivemind-builder
+RUN apk --no-cache add git
+WORKDIR /build
+RUN GOBIN=/usr/bin go install github.com/DarthSim/hivemind@v1.1.0
+
+# Build Caddy with S3 storage backend.
+FROM caddy:2.10.2-builder AS caddy-builder
+RUN xcaddy build ${CADDY_VERSION} \
+ --with github.com/ss098/certmagic-s3
+
+# Build git-pages.
+FROM golang:1.25-alpine AS git-pages-builder
+RUN apk --no-cache add git
+WORKDIR /build
 COPY go.mod go.sum ./
 RUN go mod download
 COPY src/ ./src/
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o git-pages ./src
+RUN go build -a -o git-pages ./src
+
+# Compose git-pages and Caddy.
 FROM alpine:latest
-RUN apk --no-cache add ca-certificates git
-RUN addgroup -g 1000 -S appuser && \
- adduser -u 1000 -S appuser -G appuser
+RUN apk --no-cache add ca-certificates
+COPY --from=hivemind-builder /usr/bin/hivemind /usr/bin/hivemind
+COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
+COPY --from=git-pages-builder /build/git-pages /usr/bin/git-pages
 WORKDIR /app
-COPY --from=builder /app/git-pages .
+RUN mkdir /app/data
+COPY Caddyfile /app/Caddyfile
+COPY config.toml.example /app/config.toml
+RUN addgroup -g 1000 -S appuser && adduser -u 1000 -S appuser -G appuser
+RUN chown -R appuser:appuser /app
 USER appuser
-EXPOSE 3333
-CMD ["./git-pages"]
+
+# Caddy ports:
+EXPOSE 80 443 2019
+# git-pages ports:
+EXPOSE 3000 3001 3002
+
+# While the default command is to run git-pages standalone, the intended configuration
+# is to use it with Caddy and store both site data and credentials to an S3-compatible
+# object store.
+# In a combined configuration, the same container may be used twice, launching either
+# `git-caddy` or `caddy run` to start both services.
+# In a standalone configuration use port 3000 (http) to connect to git-caddy.
+COPY <