diff --git a/hosts/franz/arion/infrastructure/arion-compose.nix b/hosts/franz/arion/infrastructure/arion-compose.nix index 6f454b7..b63aa3d 100644 --- a/hosts/franz/arion/infrastructure/arion-compose.nix +++ b/hosts/franz/arion/infrastructure/arion-compose.nix @@ -7,9 +7,7 @@ }; docker-compose.volumes = { - traefik_letsencrypt = null; - scrutiny_data = null; - scrutiny_db = null; + traefik-logs = null; }; services = { @@ -40,8 +38,10 @@ }; volumes = [ "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro" + "/home/ghoscht/.docker/infrastructure/traefik_data/config.yml:/config.yml:ro" "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json" "/var/run/docker.sock:/var/run/docker.sock:ro" + "traefik-logs:/var/log/traefik" ]; env_file = [ "/home/ghoscht/.docker/infrastructure/traefik.env" 
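Review bot: The new bind mount `"/home/ghoscht/.docker/infrastructure/traefik_data/config.yml:/config.yml:ro"` in the second hunk points at a host path that nothing in this diff provisions; the middleware definition is added under `rsc/docker/franz/infrastructure/traefik_data/config.yml`, while the other files under `/home/ghoscht/.docker/infrastructure/` appear to be rendered by sops templates in default.nix. If the host file is absent at stack start, Docker creates an empty directory at that path, the file provider loads no `crowdsec-bouncer` middleware, and as far as I know every router on an entrypoint that lists `crowdsec-bouncer@file` then errors out instead of being protected — fail-closed, but it takes all services on 443/444 down. Consider shipping config.yml the same way as traefik.yml, or at least a comment on the mount line naming where the file comes from, e.g. `# rendered from rsc/docker/franz/infrastructure/traefik_data/config.yml — must exist before the stack starts`. The first hunk also drops the `scrutiny_data`/`scrutiny_db` volume declarations while scrutiny.service remains; if that service still mounts them by name (its volumes list is outside these hunks), compose will reject the undefined volumes.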
@@ -51,6 +51,46 @@ "dmz" ]; }; + crowdsec.service = { + image = "crowdsecurity/crowdsec:v1.6.2"; + container_name = "crowdsec"; + environment = { + GID = "1000"; + COLLECTIONS = "crowdsecurity/linux crowdsecurity/traefik firix/authentik LePresidente/gitea Dominic-Wagner/vaultwarden"; + }; + volumes = [ + "/storage/dataset/docker/infrastructure/crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml" + "/storage/dataset/docker/infrastructure/crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml" + "/storage/dataset/docker/infrastructure/crowdsec_config/ntfy.yaml:/etc/crowdsec/notifications/ntfy.yaml" + "/storage/dataset/docker/infrastructure/crowdsec_db:/var/lib/crowdsec/data/" + "/storage/dataset/docker/infrastructure/crowdsec_data:/etc/crowdsec/" + "traefik-logs:/var/log/traefik/:ro" + "/var/run/docker.sock:/var/run/docker.sock:ro" + ]; + depends_on = [ + "traefik" + ]; + networks = [ + "dmz" + ]; + restart = "always"; + }; + bouncer-traefik.service = { + image = "fbonalair/traefik-crowdsec-bouncer:0.5.0"; + environment = { + CROWDSEC_AGENT_HOST = "crowdsec:8080"; + }; + env_file = [ + "/home/ghoscht/.docker/infrastructure/traefik-bouncer.env" + ]; + depends_on = [ + "crowdsec" + ]; + networks = [ + "dmz" + ]; + restart = "always"; + }; scrutiny.service = { image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus"; container_name = "scrutiny"; @@ -85,18 +125,6 @@ "dmz" ]; }; - dyndns.service = { - image = "ghcr.io/cromefire/fritzbox-cloudflare-dyndns:1.2.1"; - container_name = "dyndns"; - restart = "always"; - ports = ["8888:8080"]; - environment = { - CLOUDFLARE_ZONES_IPV4 = "ghoscht.com"; - }; - env_file = [ - "/home/ghoscht/.docker/infrastructure/dyndns.env" - ]; - }; diun.service = { image = "crazymax/diun:4.28"; container_name = "diun"; diff --git a/hosts/franz/arion/infrastructure/default.nix b/hosts/franz/arion/infrastructure/default.nix index 9891caa..27d4c33 100644 --- a/hosts/franz/arion/infrastructure/default.nix 
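Review bot: `crowdsec.service` mounts `"/var/run/docker.sock:/var/run/docker.sock:ro"`; the `:ro` flag applies to the bind mount only, not to what the Docker API accepts over the socket, so the container effectively gets full control of the host's Docker daemon. Traefik's logs already reach the container through the `traefik-logs` volume, so unless `acquis.yaml` (not in this diff) uses the docker acquisition source, the socket mount can be dropped; if it is needed, a restricted socket proxy is the usual mitigation. The LAPI at `crowdsec:8080` is also reachable from every container on `dmz`, not just `bouncer-traefik`; a dedicated internal network for the two would limit that surface. A comment above the socket line would make the trade-off explicit: `# docker.sock grants full Docker API access regardless of :ro; keep only if acquis.yaml uses docker acquisition`.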
+++ b/hosts/franz/arion/infrastructure/default.nix @@ -21,7 +21,7 @@ in { owner = vars.user; }; - sops.secrets."dyndns/cloudflare_api_key" = { + sops.secrets."crowdsec/traefik_bouncer_api_key" = { owner = vars.user; }; @@ -48,12 +48,12 @@ in { ''; }; - sops.templates."dyndns.env" = { - path = "/home/${vars.user}/.docker/infrastructure/dyndns.env"; + sops.templates."traefik-bouncer.env" = { + path = "/home/${vars.user}/.docker/infrastructure/traefik-bouncer.env"; owner = vars.user; mode = "0775"; content = '' - CLOUDFLARE_API_TOKEN="${config.sops.placeholder."dyndns/cloudflare_api_key"}" + CROWDSEC_BOUNCER_API_KEY="${config.sops.placeholder."crowdsec/traefik_bouncer_api_key"}" ''; }; @@ -74,6 +74,8 @@ in { entrypoint: to: websecure scheme: https + websecure: + address: ":443" web-external: address: ":81" http: @@ -81,16 +83,20 @@ in { entrypoint: to: websecure-external scheme: https - websecure: - address: ":443" + middlewares: + - crowdsec-bouncer@file websecure-external: address: ":444" - providers: + http: + middlewares: + - crowdsec-bouncer@file providers: docker: watch: true exposedByDefault: false network: dmz + file: + filename: /config.yml certificatesResolvers: letsencrypt: acme: @@ -101,6 +107,11 @@ in { resolvers: - "1.1.1.1:53" - "1.0.0.1:53" + log: + level: "INFO" + filePath: "/var/log/traefik/traefik.log" + accessLog: + filePath: "/var/log/traefik/access.log" ''; }; sops.templates."diun.env" = { @@ -111,4 +122,10 @@ in { DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}" ''; }; + services.cron = { + enable = true; + systemCronJobs = [ + "0 * * * * root . /etc/profile; docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade >> /var/log/crowdsec-update.log" + ]; + }; } diff --git a/rsc/docker/franz/infrastructure/docker-compose.yml b/rsc/docker/franz/infrastructure/docker-compose.yml deleted file mode 100644 index d7ea165..0000000 --- a/rsc/docker/franz/infrastructure/docker-compose.yml +++ /dev/null 
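Review bot: In the `sops.templates."traefik-bouncer.env"` hunk the rendered file keeps `mode = "0775";` from the replaced dyndns template, which leaves `CROWDSEC_BOUNCER_API_KEY` world-readable on the host and marks a data file executable. An env file that only compose needs to read should be limited to its owner, `mode = "0400";` (0440 if a group genuinely needs it). The other env templates in this file are outside this hunk; if they use the same mode, the same change applies there.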
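Review bot: In the `services.cron` hunk the redirection `>> /var/log/crowdsec-update.log` binds only to the final `cscli hub upgrade`, so the output of `cscli hub update` and all stderr from both commands go to cron mail rather than the log, and a failed update leaves no trace in the file being kept for it. Grouping the commands and capturing stderr keeps the evidence in one place: `"0 * * * * root . /etc/profile; { docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade; } >> /var/log/crowdsec-update.log 2>&1"`. As far as I recall, upgraded hub items are not active until crowdsec reloads — please confirm against the crowdsec documentation and either add the reload step or note in a comment that upgrades take effect at the next container restart.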
@@ -1,114 +0,0 @@ -version: '3' -services: - traefik: - image: traefik - container_name: traefik - restart: always - ports: - - "80:80" - - "443:443" - - "6666:8080" - volumes: - - ./traefik_data:/etc/traefik - - /var/run/docker.sock:/var/run/docker.sock:ro - networks: - traefik_net: - labels: - - traefik.enable=true - - traefik.http.routers.dashboard.rule=Host(`traefik.ghoscht.com`) - - traefik.http.routers.dashboard.entrypoints=websecure - - traefik.http.services.dashboard.loadbalancer.server.port=8080 - - traefik.http.routers.dashboard.tls=true - - traefik.http.routers.dashboard.tls.certresolver=lencrypt - env_file: - - traefik.env - dns: - - 1.1.1.1 - homarr: - container_name: homarr - image: ghcr.io/ajnart/homarr:latest - restart: always - volumes: - - ./homarr_data:/app/data/configs - - ./homarr_icons:/app/public/imgs - networks: - traefik_net: - labels: - - traefik.enable=true - - traefik.http.routers.homarr.entrypoints=websecure - - traefik.http.routers.homarr.rule=Host(`dashboard.ghoscht.com`) - - traefik.http.routers.homarr.tls=true - - traefik.http.routers.homarr.tls.certresolver=lencrypt - dns: - - 1.1.1.1 - scrutiny: - container_name: scrutiny - image: ghcr.io/analogj/scrutiny:master-omnibus - restart: always - cap_add: - - SYS_RAWIO - volumes: - - /run/udev:/run/udev:ro - - ./scrutiny_data:/opt/scrutiny/config - - ./scrutiny_db:/opt/scrutiny/influxdb - labels: - - traefik.enable=true - - traefik.http.routers.scrutiny.entrypoints=websecure - - traefik.http.routers.scrutiny.rule=Host(`scrutiny.ghoscht.com`) - - traefik.http.services.scrutiny.loadbalancer.server.port=8080 - - traefik.http.routers.scrutiny.tls=true - - traefik.http.routers.scrutiny.tls.certresolver=lencrypt - networks: - traefik_net: - devices: - - "/dev/sda" - - "/dev/sdb" - ntfy: - image: binwiederhier/ntfy - container_name: ntfy - command: - - serve - environment: - - TZ=UTC # optional: set desired timezone - user: 1000:1000 # optional: replace with your own user/group or uid/gid - 
volumes: - - ./ntfy_data/server.yml:/etc/ntfy/server.yml - labels: - - traefik.enable=true - - traefik.http.routers.ntfy.entrypoints=websecure - - traefik.http.routers.ntfy.rule=Host(`ntfy.ghoscht.com`,`ntfy.local.ghoscht.com`) - - traefik.http.routers.ntfy.tls=true - - traefik.http.routers.ntfy.tls.certresolver=lencrypt - networks: - traefik_net: - homeassistant: - container_name: homeassistant - image: "ghcr.io/home-assistant/home-assistant:stable" - volumes: - - /mnt/hdd/docker/home-assistant_data:/config - - /etc/localtime:/etc/localtime:ro - - /run/dbus:/run/dbus:ro - restart: unless-stopped - privileged: true - labels: - - traefik.enable=true - - traefik.http.routers.homeassistant.entrypoints=websecure - - traefik.http.routers.homeassistant.rule=Host(`home.ghoscht.com`,`home.local.ghoscht.com`) - - traefik.http.routers.homeassistant.tls=true - - traefik.http.routers.homeassistant.tls.certresolver=lencrypt - - traefik.http.services.homeassistant.loadbalancer.server.port=8123 - networks: - traefik_net: - cloudflared: - container_name: cloudflared - image: cloudflare/cloudflared:latest - restart: always - command: tunnel --no-autoupdate --protocol http2 run - env_file: - - cloudflared.env - networks: - traefik_net: -networks: - traefik_net: - name: traefik-net - external: true diff --git a/rsc/docker/franz/infrastructure/traefik_data/config.yml b/rsc/docker/franz/infrastructure/traefik_data/config.yml new file mode 100644 index 0000000..626e7bc --- /dev/null +++ b/rsc/docker/franz/infrastructure/traefik_data/config.yml @@ -0,0 +1,6 @@ +http: + middlewares: + crowdsec-bouncer: + forwardauth: + address: http://bouncer-traefik:8080/api/v1/forwardAuth + trustForwardHeader: true diff --git a/rsc/docker/franz/infrastructure/traefik_data/config/middlewares.yml b/rsc/docker/franz/infrastructure/traefik_data/config/middlewares.yml deleted file mode 100644 index c8d0f7d..0000000 --- a/rsc/docker/franz/infrastructure/traefik_data/config/middlewares.yml +++ /dev/null 
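Review bot: `trustForwardHeader: true` on the `crowdsec-bouncer` forwardauth middleware makes Traefik relay the incoming `X-Forwarded-*` headers to the bouncer as received, and the bouncer decides on the client address it reads from them; the traefik.yml hunk in default.nix sets no `forwardedHeaders.trustedIPs` on the `websecure`/`websecure-external` entrypoints, so unless that is configured elsewhere a header supplied by the connecting client is accepted and ban decisions can be made on an address the client chose. If traffic on these entrypoints only arrives via an upstream proxy (the deleted compose file ran a `cloudflared` tunnel), pin `entryPoints.websecure.forwardedHeaders.trustedIPs` (and the same for `websecure-external`) to that proxy's addresses; otherwise drop `trustForwardHeader` so Traefik should hand the bouncer the real peer address. A comment on the option would help the next reader: `# relays client-supplied X-Forwarded-For to the bouncer; only safe behind proxies listed in the entrypoint's forwardedHeaders.trustedIPs`.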
@@ -1,6 +0,0 @@
-http:
- middlewares:
- httpsredirect:
- redirectScheme:
- scheme: https
- permanent: true
diff --git a/rsc/docker/franz/infrastructure/traefik_data/config/routers.yml b/rsc/docker/franz/infrastructure/traefik_data/config/routers.yml
deleted file mode 100644
index 1e3e2a4..0000000
--- a/rsc/docker/franz/infrastructure/traefik_data/config/routers.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-http:
- routers:
- redirecttohttps:
- entryPoints:
- - "web"
- middlewares:
- - "httpsredirect"
- rule: "HostRegexp(`{host:.+}`)"
- service: "noop@internal"
diff --git a/secrets/franz.yaml b/secrets/franz.yaml
index f6ce0bd..930ba60 100644
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
@@ -51,6 +51,8 @@ minio:
 root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str]
 diun:
 ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str]
+crowdsec:
+ traefik_bouncer_api_key: ENC[AES256_GCM,data:qNY3cWNxG2pyrTN1UnYCGWCmx1Yue1WAJZ8DEsLqnZ+RDoaJfvqqJazJUg==,iv:x0K9Vq+ZuojmeHSbS/0PoOQdLIRDMtGdmU+msv4PWzI=,tag:qgxQIBHtARTNv17x7N6zyw==,type:str]
 wiki:
 aws_access_key_id: ENC[AES256_GCM,data:Fqfa6XcDDpQ0l+/entQh6sxobBM=,iv:gbfHxTy0Oj9xYlucpN98CjNIURDrx9BuFF4Pfo90V0M=,tag:df8Z3J2ovO1MHPnzOsCtpg==,type:str]
 aws_secret_access_key: ENC[AES256_GCM,data:sbgzvlN5dP4jZIGKtDsMn5o2RqWTl+XNi80ydnOgrQkgnQ/HxluWWA==,iv:xyCKfbf/UF9cFunCYHwVBw4eVvOeZQtfPtrz2s6zIII=,tag:S0wzL8d5iEn20VbOVfrZBw==,type:str]