diff --git a/.vscode/settings.json b/.vscode/settings.json
index 09a003d..ac9cee9 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -19,6 +19,7 @@
 "builtins",
 "cachix",
 "charliermarsh",
+ "cloudflared",
 "codezombiech",
 "Compat",
 "concatLists",
diff --git a/systems/jeeves-jr/configuration.nix b/systems/jeeves-jr/configuration.nix
index 5e4469a..6ef19db 100644
--- a/systems/jeeves-jr/configuration.nix
+++ b/systems/jeeves-jr/configuration.nix
@@ -1,6 +1,9 @@
 { pkgs, ... }:
 {
- imports = [ ../../users/richie/global/zerotier.nix ];
+ imports = [
+ ../../users/richie/global/zerotier.nix
+ ./docker
+ ];
 
 networking = {
 hostId = "1beb3026";
diff --git a/systems/jeeves-jr/docker/default.nix b/systems/jeeves-jr/docker/default.nix
new file mode 100644
index 0000000..493313e
--- /dev/null
+++ b/systems/jeeves-jr/docker/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, config, ... }:
+{
+ imports = [ ./web.nix ];
+
+ virtualisation.oci-containers.backend = "docker";
+
+ system.activationScripts.mkVPN =
+ let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in
+ ''
+ ${dockerBin} network inspect web >/dev/null 2>&1 || ${dockerBin} network create web --subnet 172.100.5.0/16
+ '';
+}
diff --git a/systems/jeeves-jr/docker/web.nix b/systems/jeeves-jr/docker/web.nix
new file mode 100644
index 0000000..40ef8ce
--- /dev/null
+++ b/systems/jeeves-jr/docker/web.nix
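Review bot: In `systems/jeeves-jr/docker/default.nix`, the `--subnet 172.100.5.0/16` passed to `network create` lies outside the RFC 1918 private range (172.16.0.0/12 ends at 172.31.255.255), so the `web` bridge claims publicly routable address space and the host will send traffic for real internet hosts in 172.100.0.0/16 into the bridge instead. The value also has host bits set for a /16, which Docker may reject or normalise depending on version. Pick a private block that matches the intended size, for example `--subnet 172.20.5.0/24` (illustrative value; choose one that does not collide with existing networks). Separately, the `inspect || create` line runs during activation, when the Docker daemon may not be up yet, so both commands could fail; a oneshot systemd unit ordered after `docker.service` would be a safer place for it.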
@@ -0,0 +1,39 @@
+{
+ virtualisation.oci-containers.containers = {
+ arch_mirror = {
+ image = "ubuntu/apache2:latest";
+ volumes = [
+ "/ZFS/Media/Docker/Docker/templates/file_server/sites/:/etc/apache2/sites-enabled/"
+ "/ZFS/Media/Mirror/:/data"
+ ];
+ ports = [ "800:80" ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ haproxy = {
+ image = "haproxy:latest";
+ user = "998:998";
+ environment = {
+ TZ = "Etc/EST";
+ };
+ volumes = [
+ "/ZFS/Main/Docker/jeeves-jr/haproxy/web/haproxy/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
+ "/ZFS/Main/Docker/jeeves-jr/haproxy/web/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
+ ];
+ dependsOn = [ "arch_mirror" ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ cloud_flare_tunnel = {
+ image = "cloudflare/cloudflared:latest";
+ cmd = [
+ "tunnel"
+ "run"
+ ];
+ environmentFiles = [ "/ZFS/Main/Docker/jeeves-jr/haproxy/web/cloudflare_tunnel.env" ];
+ dependsOn = [ "haproxy" ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ };
+}
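Review bot: The bind mounts in `arch_mirror` and `haproxy` are read-write, so a compromised Apache or HAProxy process could rewrite `haproxy.cfg`, the vhost directory, `cloudflare.pem` or the mirrored packages on the host; nothing visible here needs write access, so append `:ro` to each entry, e.g. `"/ZFS/Media/Mirror/:/data:ro"`. All three images are also pulled as `:latest`, so the `cloudflared` container that receives the tunnel credentials from `cloudflare_tunnel.env` runs whatever the registry serves at the next pull; pin each image to a version tag or digest. `ports = [ "800:80" ]` publishes the mirror on every host interface, and Docker-published ports typically bypass the NixOS firewall rules; if only `haproxy` needs to reach it over the `web` network, drop the mapping or bind it to loopback with `"127.0.0.1:800:80"`. It is also worth confirming that the env file and `cloudflare.pem` on the ZFS dataset are readable only by root and UID 998 respectively.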