diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c49bd7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/Caddyfile b/Caddyfile
index 373ee75..c7532d6 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,10 +1,24 @@
-(tempfiles.ion606.com) {
-  encode gzip zstd
-  reverse_proxy lufi:8758
+{
+	# we’re behind cloudflare tunnel; terminate tls there
+	auto_https off
 }
 
-(bin.ion606.com) {
-  encode gzip zstd
-  reverse_proxy privatebin:8758
-}
+:8550 {
+	# route by host header to each backend
+	@paste host {env.PASTE_DOMAIN}
+	handle @paste {
+		reverse_proxy privatebin:8080
+	}
 
+	@files host {env.FILES_DOMAIN}
+	handle @files {
+		reverse_proxy lufi:8081
+	}
+
+	@short host {env.SHORT_DOMAIN}
+	handle @short {
+		reverse_proxy shlink:8080
+	}
+
+	respond "not found" 404
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index ffb71fa..e81a2b0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,63 +1,95 @@
 services:
-  caddy:
-    image: caddy:2-alpine
-    restart: unless-stopped
-    command: ["caddy", "run", "--config", "/etc/caddy/Caddyfile"]
-    ports:
-      - "8756:80"
-      - "8757:443"
-    networks:
-      - edge
-    environment:
-      - ACME_AGREE=true
-      - EMAIL=support@ion606.com
-    volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile:ro
-      - caddy_data:/data
-      - caddy_config:/config
-    security_opt:
-      - no-new-privileges:true
-    read_only: true
+    caddy:
+        image: caddy/caddy:2-alpine
+        restart: unless-stopped
+        ports:
+            - "8550:8550"
+        volumes:
+            - ./Caddyfile:/etc/caddy/Caddyfile:ro
+            - caddy-data:/data
+        environment:
+            - PASTE_DOMAIN=${PASTE_DOMAIN}
+            - FILES_DOMAIN=${FILES_DOMAIN}
+            - SHORT_DOMAIN=${SHORT_DOMAIN}
+        networks:
+            - proxy
 
-  lufi:
-    image: victorrds/lufi:latest
-    restart: unless-stopped
-    networks:
-      - edge
-    expose:
-      - "8758"
-    volumes:
-      - ./lufi.conf:/etc/lufi.conf:ro
-      - lufi_files:/var/lufi/files
-    labels:
-      - caddy=files.example.com
-      - caddy.reverse_proxy={{upstreams 8758}}
-    security_opt:
-      - no-new-privileges:true
+    privatebin:
+        image: privatebin/nginx-fpm-alpine:stable
+        volumes:
+            - ./privatebin.conf.php:/srv/cfg/conf.php:ro
+            - privatebin-data:/srv/data
+        labels:
+            - traefik.enable=true
+            - traefik.http.routers.privatebin.rule=Host(`${PASTE_DOMAIN}`)
+            - traefik.http.routers.privatebin.entrypoints=websecure
+            - traefik.http.routers.privatebin.tls.certresolver=le
+        networks:
+            - proxy
 
-  privatebin:
-    image: privatebin/nginx-fpm-alpine:latest
-    restart: unless-stopped
-    networks:
-      - edge
-    expose:
-      - "8758"
-    volumes:
-      - privatebin_data:/srv/data
-      - ./privatebin.conf.php:/srv/cfg/conf.php:ro
-    labels:
-      - caddy=bin.example.com
-      - caddy.reverse_proxy={{upstreams 8758}}
-    security_opt:
-      - no-new-privileges:true
-    read_only: true
+    lufi:
+        image: xataz/lufi:latest
+        environment:
+            - UID=1000
+            - GID=1000
+            - CONTACT=${ADMIN_EMAIL}
+            - SECRET=${LUFI_SECRET} # 32+ rand chars
+            - DEFAULT_DELAY=7 # days until deletion
+            - MAX_DELAY=30 # max days a user can choose
+            - MAX_FILE_SIZE=250000000 # ~238 MiB; adjust as needed
+            - WEBROOT=/ # served at /
+        volumes:
+            - lufi-data:/usr/lufi/data
+            - lufi-files:/usr/lufi/files
+        labels:
+            - traefik.enable=true
+            - traefik.http.routers.lufi.rule=Host(`${FILES_DOMAIN}`)
+            - traefik.http.routers.lufi.entrypoints=websecure
+            - traefik.http.routers.lufi.tls.certresolver=le
+        networks:
+            - proxy
+
+    shlink-db:
+        image: postgres:16-alpine
+        environment:
+            - POSTGRES_DB=shlink
+            - POSTGRES_USER=shlink
+            - POSTGRES_PASSWORD=${SHLINK_DB_PASSWORD}
+        volumes:
+            - shlink-db:/var/lib/postgresql/data
+        networks:
+            - proxy
+
+    shlink:
+        image: shlinkio/shlink:stable
+        depends_on: [shlink-db]
+        environment:
+            - DEFAULT_DOMAIN=${SHORT_DOMAIN}
+            - IS_HTTPS_ENABLED=true
+            - GEOLITE_LICENSE_KEY=${SHLINK_GEOLITE_KEY}
+            - DB_DRIVER=postgres
+            - DB_HOST=shlink-db
+            - DB_NAME=shlink
+            - DB_USER=shlink
+            - DB_PASSWORD=${SHLINK_DB_PASSWORD}
+            - INITIAL_API_KEY=${SHLINK_API_KEY}
+            - SHELL_VERBOSITY=3
+        labels:
+            - traefik.enable=true
+            - traefik.http.services.shlink.loadbalancer.server.port=8080
+            - traefik.http.routers.shlink.rule=Host(`${SHORT_DOMAIN}`)
+            - traefik.http.routers.shlink.entrypoints=websecure
+            - traefik.http.routers.shlink.tls.certresolver=le
+        networks:
+            - proxy
 
 networks:
-  edge:
+    proxy:
+        external: false
 
 volumes:
-  caddy_data:
-  caddy_config:
-  lufi_files:
-  privatebin_data:
-
+    privatebin-data:
+    lufi-data:
+    lufi-files:
+    shlink-db:
+    caddy-data:
diff --git a/lufi.conf b/lufi.conf
deleted file mode 100644
index b794dbb..0000000
--- a/lufi.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-  # required contact info displayed on the about page
-  contact => 'mailto:support@ion606.com',
-
-  # listen defaults are fine in Docker; we’re proxied by Caddy
-  proxy   => 1,           # very important when running behind Caddy/NGINX
-
-  # provisioning/limits
-  provisioning => {
-    max_file_size => 524288000,  # 500 MiB per upload
-    max_delay     => 604800,     # 7 days (seconds)
-    max_files     => 20,         # files per “batch”
-  },
-
-  # housekeeping
-  loglevel => 'warn',
-  minion   => {cleanup => 1},    # enable built-in cleanup worker
-}
-
diff --git a/privatebin.conf.php b/privatebin.conf.php
new file mode 100644
index 0000000..192bf87
--- /dev/null
+++ b/privatebin.conf.php
@@ -0,0 +1,184 @@
+;<?php http_response_code(403);
+[main]
+; name = "ION606's PrivateBin Instance"
+
+; The full URL, with the domain name and directories that point to the
+; PrivateBin files, including an ending slash (/). This URL is essential to
+; allow Opengraph images to be displayed on social networks.
+basepath = "https://pbin.ion606.com/"
+
+; enable or disable the discussion feature, defaults to true
+discussion = true
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the display of dates & times in the comments, defaults to true
+; Note that internally the creation time will still get tracked in order to sort
+; the comments by creation time, but you can choose not to display them.
+; discussiondatedisplay = false
+
+; enable or disable the password feature, defaults to true
+password = true
+
+; enable or disable the file upload feature, defaults to false
+fileupload = true
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = true
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "markdown"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per document or comment in bytes, defaults to 10 Megabytes
+sizelimit = 500000000
+
+; by default PrivateBin use "bootstrap5" template (tpl/bootstrap5.php).
+; Optionally you can enable the template selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+templateselection = false
+
+; List of available for selection templates when "templateselection" option is enabled
+availabletemplates[] = "bootstrap5"
+availabletemplates[] = "bootstrap"
+availabletemplates[] = "bootstrap-page"
+availabletemplates[] = "bootstrap-dark"
+availabletemplates[] = "bootstrap-dark-page"
+availabletemplates[] = "bootstrap-compact"
+availabletemplates[] = "bootstrap-compact-page"
+
+; set the template your installs defaults to, defaults to "bootstrap5" (tpl/bootstrap5.php), also
+; bootstrap template (tpl/bootstrap.php) and it's variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
+; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page",
+; "bootstrap-compact-page" - previews at:
+; https://privatebin.info/screenshots.html
+; template = "bootstrap5"
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+; languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new document is created.
+; It is suggested to only use this with self-hosted shorteners as this will leak
+; the documents encryption key.
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Whether to shorten the URL by default when a new document is created.
+; If set to true, the "Shorten URL" functionality will be automatically called.
+; This only works if the "urlshortener" option is set.
+; shortenbydefault = false
+
+; (optional) Let users create a QR code for sharing the document URL with one click.
+; It works both when a new document is created and when you view a document.
+qrcode = true
+
+; (optional) Let users send an email sharing the document URL with one click.
+; It works both when a new document is created and when you view a document.
+email = true
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - By default this disallows to load images from third-party servers, e.g. when
+;   they are embedded in documents. If you wish to allow that, you can adjust the
+;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+;   for details.
+; - The 'wasm-unsafe-eval' is used to enable webassembly support (used for zlib
+;   compression). You can remove it if compression doesn't need to be supported.
+; - The 'unsafe-inline' style-src is used by Chrome when displaying PDF previews
+;   and can be omitted if attachment upload is disabled (which is the default).
+;   See https://issues.chromium.org/issues/343754409
+; - To allow displaying PDF previews in Firefox or Chrome, sandboxing must also
+;   get turned off. The following CSP allows PDF previews:
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; frame-src blob:; img-src 'self' data: blob:; media-src blob:; object-src blob:"
+;
+; The recommended and default used CSP is:
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; frame-src blob:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-modals allow-downloads"
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+; httpwarning = true
+
+; Pick compression algorithm or disable it. Only applies to documents & comments
+; created after changing the setting.
+; Can be set to one these values: "none" / "zlib" (default).
+; compression = "zlib"
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1week"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; be exempted, the list needs to be comma separated. Leave unset to disable
+; exemptions.
+; exempted = "1.2.3.4,10.10.10/24"
+
+; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+; (CIDR) to be allowed to create documents, set these here. Invalid IPs will be
+; ignored. If multiple values are to be exempted, the list needs to be comma
+; separated. Leave unset to allow anyone to create documents.
+; creators = "1.2.3.4,10.10.10/24"
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+; header = "X_FORWARDED_FOR"
+
+[purge]
+; minimum time limit between two purgings of expired documents, it is only
+; checked when documents get created
+; Set this to 0 to run a purge every time a document is created.
+limit = 300
+
+; maximum amount of expired documents to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 1000
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+
+[model_options]
+; Use the writable data volume (privatebin_data:/srv/data)
+; Default syntax in upstream config is: dir = PATH "data"
+; Either form below works. Pick ONE (uncommented). Here we use the conventional form:
+dir = PATH "data"
+; Alternative explicit absolute path (also valid):
+; dir = "/srv/data"
\ No newline at end of file
diff --git a/setup.sh b/setup.sh
new file mode 100644
index 0000000..3f9d532
--- /dev/null
+++ b/setup.sh
@@ -0,0 +1,12 @@
+cat > .env <<EOF
+LETSENCRYPT_EMAIL=ion606@protonmail.com
+ADMIN_EMAIL=ion606@protonmail.com
+PASTE_DOMAIN=bin.ion606.com
+FILES_DOMAIN=tfiles.ion606.com
+SHORT_DOMAIN=s.ion606.com
+
+LUFI_SECRET=$(openssl rand -hex 32)
+SHLINK_DB_PASSWORD=$(openssl rand -hex 24)
+SHLINK_GEOLITE_KEY=YOUR_MAXMIND_KEY
+SHLINK_API_KEY=$(openssl rand -hex 32)
+EOF
\ No newline at end of file