diff --git a/servers/containers/jade-website-frontend.container b/servers/containers/jade-website-frontend.container
index 2cb433ed..bb159c3b 100644
--- a/servers/containers/jade-website-frontend.container
+++ b/servers/containers/jade-website-frontend.container
@@ -9,6 +9,7 @@ After=network-online.target
 ContainerName=jade-website-frontend
 NoNewPrivileges=true
 Image=oci-archive:/opt/images/jade-website-frontend
+ReadOnly=true
 # Volume=/var/opt/thelounge:/var/opt/thelounge:z,U
 AutoUpdate=local
 Network=web.network
diff --git a/servers/containers/kanidm-certs.volume b/servers/containers/kanidm-certs.volume
new file mode 100644
index 00000000..a153d05e
--- /dev/null
+++ b/servers/containers/kanidm-certs.volume
@@ -0,0 +1 @@
+[Volume]
\ No newline at end of file
diff --git a/servers/containers/kanidm.container b/servers/containers/kanidm.container
new file mode 100644
index 00000000..30057ddd
--- /dev/null
+++ b/servers/containers/kanidm.container
@@ -0,0 +1,61 @@
+
+
+
+[Unit]
+Description=Kanidm identity server
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=kanidm
+
+NoNewPrivileges=true
+Image=docker.io/kanidm/server:latest
+
+ReadOnly=true
+# Volume=/run/podman/podman.sock:/var/run/docker.sock:z
+Volume=/var/opt/kanidm_data:/data:Z
+Volume=kanidm-certs.volume:/data/certs:z
+Volume=/etc/kanidm/entrypoint.sh:/entrypoint.sh:ro,z
+Volume=/etc/kanidm/data/server.toml:/data/server.toml:ro,z
+
+Exec="/entrypoint.sh"
+
+AutoUpdate=registry
+Network=web.network
+
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.kanidm.rule=Host(`idm.ellis.link`)"
+Label="traefik.http.routers.kanidm.entrypoints=https"
+Label="traefik.http.routers.kanidm.service=kanidm"
+
+Label="traefik.http.routers.kanidm.tls.certresolver=letsencrypt"
+
+# Kanidm is a bit odd here
+Label="traefik.http.services.kanidm.loadbalancer.server.port=8443"
+Label="traefik.http.services.kanidm.loadbalancer.server.scheme=https"
+Label="traefik.http.services.kanidm.loadbalancer.serversTransport=kanidm@file"
+# Label="traefik.http.serversTransports.kanidm.insecureSkipVerify=true"
+
+Label="traefik.http.middlewares.compress.compress=true"
+
+Label="traefik.http.middlewares.hsts.headers.stsincludesubdomains=false"
+Label="traefik.http.middlewares.hsts.headers.stspreload=true"
+Label="traefik.http.middlewares.hsts.headers.stsseconds=31536000"
+Label="traefik.http.middlewares.hsts.headers.isdevelopment=false"
+
+Label="traefik.http.routers.kanidm.middlewares=compress" # hsts,
+
+Label="homepage.group=Services"
+Label="homepage.name=Kanidm"
+Label="homepage.href=https://idm.ellis.link/"
+Label="homepage.description=Identity server"
+
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/servers/containers/pitch-tagai.container b/servers/containers/pitch-tagai.container
index 917e1c3d..d82cb5bb 100644
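Review bot: `Image=docker.io/kanidm/server:latest` combined with `AutoUpdate=registry` means the identity provider is replaced, unattended, by whatever the registry publishes under a mutable tag; the same commit pins traefik to a version tag, so pinning here is the consistent choice — a specific version tag or, stronger, an `@sha256:` digest, bumped deliberately. Separately, the HSTS middleware this unit defines is never attached: `Label="traefik.http.routers.kanidm.middlewares=compress" # hsts,` leaves the IdP without Strict-Transport-Security, and `stspreload=true` next to `stsincludesubdomains=false` would be rejected by the preload list anyway, since preload requires includeSubDomains. If the narrow scope is intentional, drop `stspreload` and attach the middleware with `Label="traefik.http.routers.kanidm.middlewares=compress,hsts"`.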
--- a/servers/containers/pitch-tagai.container +++ b/servers/containers/pitch-tagai.container @@ -9,6 +9,7 @@ After=network-online.target ContainerName=pitch-tagai NoNewPrivileges=true Image=localhost/pitch-tagai:latest +ReadOnly=true PodmanArgs=--stop-timeout=0 # StopTimeout=1 diff --git a/servers/containers/traefik.container b/servers/containers/traefik.container index fb4cf78c..637097ef 100644 --- a/servers/containers/traefik.container +++ b/servers/containers/traefik.container @@ -5,12 +5,13 @@ Description=traefik web server Wants=network-online.target After=network-online.target +After=kanidm.service [Container] ContainerName=traefik PodmanArgs=--privileged NoNewPrivileges=true -Image=docker.io/library/traefik:latest +Image=docker.io/library/traefik:3.0 PublishPort=0.0.0.0:80:80/tcp PublishPort=0.0.0.0:443:443/tcp PublishPort=0.0.0.0:443:443/udp @@ -24,6 +25,8 @@ ReadOnly=true Volume=/run/podman/podman.sock:/var/run/docker.sock:z Volume=/var/srv/traefik:/certificates:z Volume=/etc/traefik:/etc/traefik:ro,z +Volume=kanidm-certs.volume:/kanidm_certs:ro,z + # Volume=/var/srv/matrix/caddy/config:/config:z # Volume=/var/srv/matrix/caddy/data:/data:z # Volume=/var/srv/matrix/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,z @@ -34,7 +37,7 @@ Network=web.network # IP6=fe80::9724:38eb:9b0f:df7c Exec=traefik --configFile=/etc/traefik/config.toml - +Environment="SSL_CERT_FILE=/kanidm_certs/ca.pem" Label="traefik.http.middlewares.compress.compress=true" diff --git a/servers/kanidm/data/server.toml b/servers/kanidm/data/server.toml new file mode 100644 index 00000000..66ec0446 --- /dev/null +++ b/servers/kanidm/data/server.toml 
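Review bot: `After=kanidm.service` only orders startup; it does not pull kanidm in (`Wants=kanidm.service` would), and podman reports the container as started once it is running, not once the entrypoint has populated `/data/certs`. On a first boot traefik can therefore start before `ca.pem` exists, and since a Go process loads its root store once (as far as I know, a sync.Once in crypto/x509), traefik would keep distrusting kanidm until restarted. If first boot matters, add `Wants=kanidm.service` and gate traefik on the CA file being present, e.g. an `ExecStartPre=` that waits for it. The `[Unit]` section this line belongs to starts outside the hunk.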
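Review bot: `Volume=kanidm-certs.volume:/kanidm_certs:ro,z` mounts the entire certificate volume — which, judging by `tls_key = "/data/certs/key.pem"` in server.toml, holds kanidm's private TLS key — into a container that runs with `PodmanArgs=--privileged`, while traefik only needs `ca.pem`. `ro` prevents modification but not disclosure, so a compromise of the edge proxy hands over the IdP's key. I'd keep the key out of this mount: have the kanidm entrypoint copy only `ca.pem` into a second named volume (or a host path) and mount that here instead of `kanidm-certs.volume`.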
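Review bot: `Environment="SSL_CERT_FILE=/kanidm_certs/ca.pem"` alters the trust store for every outbound TLS connection traefik makes — ACME to Let's Encrypt, any other HTTPS backend — not just the kanidm upstream, and whether the distro bundle is still consulted depends on how the image's Go runtime resolves `SSL_CERT_DIR`, which I can't confirm from here. Traefik's serversTransport has a per-transport `rootCAs` option, so the scoped form is to drop this environment line and declare `rootCAs: ["/kanidm_certs/ca.pem"]` on the `kanidm` transport in the file provider, which is also re-read on change instead of once at process start.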
@@ -0,0 +1,95 @@
+# The webserver bind address. Requires TLS certificates.
+# If the port is set to 443 you may require the
+# NET_BIND_SERVICE capability.
+# Defaults to "127.0.0.1:8443"
+bindaddress = "[::]:8443"
+#
+# The read-only ldap server bind address. Requires
+# TLS certificates. If set to 636 you may require
+# the NET_BIND_SERVICE capability.
+# Defaults to "" (disabled)
+# ldapbindaddress = "[::]:3636"
+#
+# HTTPS requests can be reverse proxied by a loadbalancer.
+# To preserve the original IP of the caller, these systems
+# will often add a header such as "Forwarded" or
+# "X-Forwarded-For". If set to true, then this header is
+# respected as the "authoritative" source of the IP of the
+# connected client. If you are not using a load balancer
+# then you should leave this value as default.
+# Defaults to false
+# trust_x_forward_for = false
+#
+# The path to the kanidm database.
+db_path = "/data/kanidm.db"
+#
+# If you have a known filesystem, kanidm can tune the
+# database page size to match. Valid choices are:
+# [zfs, other]
+# If you are unsure about this leave it as the default
+# (other). After changing this
+# value you must run a vacuum task.
+# - zfs:
+# * sets database pagesize to 64k. You must set
+# recordsize=64k on the zfs filesystem.
+# - other:
+# * sets database pagesize to 4k, matching most
+# filesystems block sizes.
+# db_fs_type = "zfs"
+#
+# The number of entries to store in the in-memory cache.
+# Minimum value is 256. If unset
+# an automatic heuristic is used to scale this.
+# You should only adjust this value if you experience
+# pressure on your system.
+# db_arc_size = 2048
+#
+# TLS chain and key in pem format. Both must be present
+tls_chain = "/data/certs/chain.pem"
+tls_key = "/data/certs/key.pem"
+#
+# The log level of the server. May be one of info, debug, trace
+#
+# NOTE: this is overridden by environment variables at runtime
+# Defaults to "info"
+# log_level = "info"
+#
+# The DNS domain name of the server. This is used in a
+# number of security-critical contexts
+# such as webauthn, so it *must* match your DNS
+# hostname. It is used to create
+# security principal names such as `william@idm.example.com`
+# so that in a (future)
+# trust configuration it is possible to have unique Security
+# Principal Names (spns) throughout the topology.
+# ⚠️ WARNING ⚠️
+# Changing this value WILL break many types of registered
+# credentials for accounts
+# including but not limited to webauthn, oauth tokens, and more.
+# If you change this value you *must* run
+# `kanidmd domain_name_change` immediately after.
+domain = "idm.ellis.link"
+#
+# The origin for webauthn. This is the url to the server,
+# with the port included if
+# it is non-standard (any port except 443). This must match
+# or be a descendent of the
+# domain name you configure above. If these two items are
+# not consistent, the server WILL refuse to start!
+# origin = "https://idm.example.com"
+origin = "https://idm.ellis.link"
+#
+[online_backup]
+# The path to the output folder for online backups
+path = "/data/kanidm/backups/"
+# The schedule to run online backups (see https://crontab.guru/)
+# every day at 22:00 UTC (default)
+schedule = "00 22 * * *"
+# four times a day at 3 minutes past the hour, every 6th hours
+# schedule = "03 */6 * * *"
+# We also support non standard cron syntax, with the following format:
+# sec min hour day of month month day of week year
+# (it's very similar to the standard cron syntax, it just allows to specify the seconds
+# at the beginning and the year at the end)
+# Number of backups to keep (default 7)
+# versions = 7
diff --git a/servers/kanidm/entrypoint.sh b/servers/kanidm/entrypoint.sh
new file mode 100644
index 00000000..19b5067d
--- /dev/null
+++ b/servers/kanidm/entrypoint.sh
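Review bot: `trust_x_forward_for` is left at its default of `false` while this server is only reached through traefik (the `kanidm` router labels in the container unit), so kanidm's audit log and any IP-based throttling will record traefik's address for every caller rather than the real client. If you set `trust_x_forward_for = true`, first make sure kanidm is reachable only from traefik: `bindaddress = "[::]:8443"` accepts every peer on the shared network, and any of them could then forge the header. Also note that `path = "/data/kanidm/backups/"` places unencrypted database dumps beside the live `kanidm.db` in the same volume; that directory deserves the same protection as the database itself.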
@@ -0,0 +1,10 @@ +#!/bin/bash + +set -e + +if [ ! -f /data/certs/cert.pem ]; then + echo "Generating certs" + /sbin/kanidmd cert-generate -c /data/server.toml +fi + +/sbin/kanidmd server -c /data/server.toml \ No newline at end of file diff --git a/servers/main.bu b/servers/main.bu index 98147c30..688a3793 100644 --- a/servers/main.bu +++ b/servers/main.bu @@ -56,6 +56,7 @@ storage: directories: - path: /var/opt/thelounge - path: /var/srv/traefik + - path: /var/opt/kanidm_data # - path: /var/opt/mysql-database # - path: /var/opt/pterodactyl # - path: /var/opt/pterodactyl/panel/nginx @@ -76,6 +77,8 @@ storage: path: /etc/containers/systemd - local: traefik path: /etc/traefik + - local: kanidm + path: /etc/kanidm # - local: images # path: /var/opt/images files: diff --git a/servers/traefik/additional/kanidm.yml b/servers/traefik/additional/kanidm.yml new file mode 100644 index 00000000..2a175685 --- /dev/null +++ b/servers/traefik/additional/kanidm.yml @@ -0,0 +1,4 @@ +http: + serversTransports: + kanidm: + serverName: idm.ellis.link \ No newline at end of file diff --git a/servers/traefik/config.toml b/servers/traefik/config.toml index 28c46e4c..9bc3d349 100644 --- a/servers/traefik/config.toml +++ b/servers/traefik/config.toml @@ -4,6 +4,10 @@ level = "DEBUG" [providers.docker] exposedbydefault = false +[providers.file] +directory="/etc/traefik/additional/" +watch=true + [entrypoints.http] address = ":80" [entrypoints.https]
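Review bot: the final `/sbin/kanidmd server -c /data/server.toml` runs as a child of bash, so bash is PID 1 in the container and does not forward SIGTERM; `podman stop` will sit out the stop timeout and then SIGKILL kanidmd, possibly mid-write. Use `exec /sbin/kanidmd server -c /data/server.toml` so the server receives the signal directly. The generate-once guard also keys on `cert.pem`, whereas server.toml configures the server with `chain.pem` and `key.pem`; if `cert-generate` ever emits a different file set (I can't confirm its outputs from here) the guard re-runs on every start and rotates the CA out from under traefik, so checking the files the server actually needs, `if [ ! -f /data/certs/chain.pem ] || [ ! -f /data/certs/key.pem ]; then`, is the safer condition. `set -eu` instead of `set -e` is cheap too.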
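Review bot: `- path: /var/opt/kanidm_data` is created with butane's default mode, yet it will hold the kanidm database (`db_path = "/data/kanidm.db"`) and its online backups, i.e. every credential hash on this host. Restricting it at creation — `mode: 0700` together with the `user`/`group` the container process runs as, which this change does not show — keeps other local accounts from reading it; the `:Z` relabel on the quadlet mount handles SELinux but not DAC permissions.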
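Review bot: this transport only sets `serverName: idm.ellis.link`, so verification of the kanidm backend still depends on whatever the process-wide trust store happens to contain; the CA that should be trusted for this one upstream belongs here, as `rootCAs: ["/kanidm_certs/ca.pem"]` under `kanidm:`, which scopes the self-signed CA to this transport and is picked up by the file provider's `watch=true` when the certificate is regenerated. Keep `insecureSkipVerify` unset, as the commit already does.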
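Review bot: `directory="/etc/traefik/additional/"` and `watch=true` drop the spaces around `=` that the rest of this file uses (`exposedbydefault = false`, `address = ":80"`); `directory = "/etc/traefik/additional/"` and `watch = true` keep the file uniform and match the TOML convention.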