diff --git a/confd/conf.d/crt-list.toml b/confd/conf.d/crt-list.toml
new file mode 100644
index 0000000000000000000000000000000000000000..ef435f2eebbd475736686c03fd1dfc4087cb78e2
--- /dev/null
+++ b/confd/conf.d/crt-list.toml
@@ -0,0 +1,7 @@
+[template]
+src  = "crt-list.tmpl"
+dest = "/etc/haproxy/crt-list"
+keys = [
+  "/services"
+]
+reload_cmd = "/docker kill --signal=\"SIGUSR1\" haproxy"
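Review bot: The `reload_cmd` sends SIGUSR1, which HAProxy documents as a graceful stop rather than a reload, so each template change would appear to shut the proxy down and rely on the unit's `Restart=always` to bring it back. If a reload is intended, confirm which signal the `indiehosters/haproxy` entrypoint treats as reload and use that one. The same command is used in confd/conf.d/haproxy.toml, and because both templates watch `/services`, one key change fires it twice, possibly between the two file writes. The command also hard-codes the container name and the `/docker` path; a comment such as `# signals the container started by unit-files/haproxy.service` would document that coupling.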
diff --git a/confd/conf.d/haproxy.toml b/confd/conf.d/haproxy.toml
new file mode 100644
index 0000000000000000000000000000000000000000..d3554213d797707dc76f507ce18dc280808e75a1
--- /dev/null
+++ b/confd/conf.d/haproxy.toml
@@ -0,0 +1,7 @@
+[template]
+src  = "haproxy.cfg.tmpl"
+dest = "/etc/haproxy/haproxy.cfg"
+keys = [
+  "/services"
+]
+reload_cmd = "/docker kill --signal=\"SIGUSR1\" haproxy"
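Review bot: There is no `check_cmd`, so a rendered haproxy.cfg that fails to parse is still moved to `/etc/haproxy/haproxy.cfg` and the proxy is signalled with it. Since the content comes from etcd values, one malformed `/services` entry could take every hosted site offline. confd can validate the staged file first, e.g. `check_cmd = "haproxy -c -f {{.src}}"`. That needs a haproxy binary in the confd image, which is not visible here, so an equivalent check run through the Docker client may be needed instead.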
diff --git a/confd/templates/crt-list.tmpl b/confd/templates/crt-list.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..391fa958ca43aafe16896f691311e48ed3a05e6d
--- /dev/null
+++ b/confd/templates/crt-list.tmpl
@@ -0,0 +1,7 @@
+{{range $app := lsdir "/services"}}
+{{$hostnames := printf "/services/%s/*" $app}}
+  {{range gets $hostnames}}
+    {{$hostname := .Key}}
+/etc/haproxy/approved-certs/{{base $hostname}}.pem {{base $hostname}}
+  {{end}}
+{{end}}
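Review bot: Every key under `/services/<app>/` becomes a crt-list line pointing at `/etc/haproxy/approved-certs/<key>.pem`, with nothing confirming that the PEM exists. HAProxy generally refuses to load a configuration when a listed certificate is missing, so a hostname registered in etcd before its certificate is approved could block the whole `https-in` frontend. The key name is also emitted unvalidated: `base` removes directory components, but whitespace or other unexpected characters in a key would still land in the file. A header comment such as `{{/* requires approved-certs/<hostname>.pem for every key under /services/<app>/ */}}` would state the precondition, and whatever writes `/services` should enforce a hostname pattern.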
diff --git a/confd/templates/haproxy.cfg.tmpl b/confd/templates/haproxy.cfg.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..bf6aab89fd5b72b1f7923ae6b6612fa6c03ece3c
--- /dev/null
+++ b/confd/templates/haproxy.cfg.tmpl
@@ -0,0 +1,63 @@
+{{$default_service_value := getv "/services/default"}}
+{{$default_service := json $default_service_value}}
+{{$default_url := printf "/services/%s/%s" $default_service.app $default_service.hostname}}
+{{$default_value := getv $default_url}}
+{{$default := json $default_value}}
+{{$default := json $default_value}}
+global
+  maxconn 4096
+  user haproxy
+  group haproxy
+
+defaults
+  mode http
+  option httplog
+  option dontlognull
+  retries 3
+  timeout connect 5000
+  timeout client 50000
+  timeout server 50000
+
+frontend https-in
+mode http
+  bind *:443 ssl crt-list /etc/haproxy/crt-list crt /etc/haproxy/approved-certs/{{$default_service.hostname}}.pem
+  reqadd X-Forwarded-Proto:\ https
+{{range $app := lsdir "/services"}}
+{{$hostnames := printf "/services/%s/*" $app}}
+  {{range gets $hostnames}}
+    {{$hostname := .Key}}
+    {{$data := json .Value}}
+# {{base $hostname}}:
+  acl https_{{base $hostname}} hdr(host) -i {{base $hostname}}
+  use_backend {{base $hostname}} if https_{{base $hostname}}
+  {{end}}
+{{end}}
+
+default_backend {{$default_service.hostname}}
+
+frontend http-in
+  bind *:80
+{{range $app := lsdir "/services"}}
+{{$hostnames := printf "/services/%s/*" $app}}
+  {{range gets $hostnames}}
+    {{$hostname := .Key}}
+    {{$data := json .Value}}
+# {{base $hostname}}:
+  acl is_{{base $hostname}} hdr(host) -i {{base $hostname}}
+  use_backend {{base $hostname}} if is_{{base $hostname}}
+  {{end}}
+{{end}}
+
+{{range $app := lsdir "/services"}}
+{{$hostnames := printf "/services/%s/*" $app}}
+  {{range gets $hostnames}}
+    {{$hostname := .Key}}
+    {{$data := json .Value}}
+# {{base $hostname}}:
+backend {{base $hostname}}
+  cookie SERVERID insert nocache indirect
+  option httpclose
+  option forwardfor
+  server Server {{$data.ip}}:{{$data.port}} cookie Server
+  {{end}}
+{{end}}
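Review bot: `reqadd X-Forwarded-Proto:\ https` in `https-in` appends a header without removing one the client sent, and `http-in` neither sets nor strips it, so a plain-HTTP client can send `X-Forwarded-Proto: https` and a backend that trusts the header will treat the request as secure. Setting it in both frontends closes this: `http-request set-header X-Forwarded-Proto https` in `https-in` and `http-request set-header X-Forwarded-Proto http` in `http-in` (available from HAProxy 1.5; the image's version is not visible here). The `bind *:443 ssl` line and the `global` section also set no protocol or cipher restrictions, so the defaults of the bundled HAProxy/OpenSSL apply; `ssl-default-bind-options` and `ssl-default-bind-ciphers` in `global` would make the policy explicit. Separately, `{{$default := json $default_value}}` appears twice in a row and `$default` is not used in the visible template.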
diff --git a/unit-files/haproxy-confd.service b/unit-files/haproxy-confd.service
new file mode 100644
index 0000000000000000000000000000000000000000..99ff82e2cce8b8f0a3e30ce8e04c728a7745510d
--- /dev/null
+++ b/unit-files/haproxy-confd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=%p
+After=docker.service
+Requires=docker.service
+
+[Service]
+Restart=always
+TimeoutStartSec=0
+ExecStartPre=-/usr/bin/docker kill %p
+ExecStartPre=-/usr/bin/docker rm %p
+ExecStart=/usr/bin/docker run\
+--name %p\
+-v /data/server-wide/haproxy/:/etc/haproxy/\
+-v /data/indiehosters/confd/:/etc/confd/\
+-v /var/run/docker.sock:/var/run/docker.sock\
+indiehosters/confd
+ExecReload=/usr/bin/docker restart %p
+ExecStop=/usr/bin/docker stop %p
+
+[Install]
+WantedBy=multi-user.target
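Review bot: Mounting `/var/run/docker.sock` into the confd container gives it full control of the Docker daemon, which is equivalent to root on the host, although the visible templates only use it to signal the `haproxy` container. confd renders files from etcd data and runs `reload_cmd`, so a compromise of that container or of its image becomes a host compromise. Consider having the host deliver the signal instead (for example a systemd path unit watching `/data/server-wide/haproxy/haproxy.cfg`), or at least record the trade-off with a comment like `# docker.sock: needed only for reload_cmd (docker kill haproxy); grants full Docker API access`. The confd configuration can be mounted read-only, `-v /data/indiehosters/confd/:/etc/confd/:ro\`, and `indiehosters/confd` is referenced without a tag or digest, so the code that receives the socket is whatever the default tag resolves to.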
diff --git a/unit-files/haproxy.service b/unit-files/haproxy.service
index 8331b4be6dcf323b653f595802682d16a257b455..93b98305d978cfa8003e51eb4f2f03449b4b3ba6 100644
--- a/unit-files/haproxy.service
+++ b/unit-files/haproxy.service
@@ -10,10 +10,10 @@ ExecStartPre=-/usr/bin/docker kill %p
 ExecStartPre=-/usr/bin/docker rm %p
 ExecStart=/usr/bin/docker run\
 --name %p\
+-v /data/server-wide/haproxy:/etc/haproxy\
 -p 80:80\
 -p 443:443\
--v /data/server-wide/haproxy/approved-certs/:/etc/haproxy/approved-certs\
-indiehosters/haproxy-confd
+indiehosters/haproxy
 ExecReload=/usr/bin/docker restart %p
 ExecStop=/usr/bin/docker stop %p