diff --git a/data.nix b/data.nix index 681a645..5d3aaf4 100644 --- a/data.nix +++ b/data.nix @@ -31,6 +31,7 @@ rec { ssh8022 = 8022; vaultwarden = 8222; headscale = 8080; + plik = 8099; hass = 8123; prometheus = 9001; tailscale = 41641; diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index cda5f14..08457a7 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -28,6 +28,7 @@ in syncthing-cert.file = ../../secrets/fwminex/syncthing/cert.pem.age; frigate.file = ../../secrets/frigate.age; timelapse.file = ../../secrets/timelapse.age; + plik.file = ../../secrets/fwminex/up.jakstys.lt.env.age; r1-htpasswd = { file = ../../secrets/r1-htpasswd.age; owner = "nginx"; @@ -137,8 +138,8 @@ in bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt"; in { + preStart = "ln -sf $CREDENTIALS_DIRECTORY/up.jakstys.lt.env /run/caddy/up.jakstys.lt.env"; serviceConfig = { - # 2025-02-11 blocks system from upgrading during reload ExecReload = lib.mkForce ""; @@ -151,7 +152,10 @@ in "grafana.jakstys.lt-key.pem:${grafana.keyFile}" "bitwarden.jakstys.lt-cert.pem:${bitwarden.certFile}" "bitwarden.jakstys.lt-key.pem:${bitwarden.keyFile}" + "up.jakstys.lt.env:${config.age.secrets.plik.path}" ]; + RuntimeDirectory = "caddy"; + EnvironmentFile = [ "-/run/caddy/up.jakstys.lt.env" ]; }; after = [ "nsd-acme-r1.jakstys.lt.service" @@ -228,6 +232,11 @@ in powerKeyLongPress = "poweroff"; }; + plikd = { + enable = true; + settings.ListenPort = myData.ports.plik; + }; + soju = { enable = true; listen = [ @@ -292,6 +301,12 @@ in tls {$CREDENTIALS_DIRECTORY}/r1.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/r1.jakstys.lt-key.pem redir https://r1.jakstys.lt:8443 ''; + "up.jakstys.lt".extraConfig = '' + basic_auth { + {$PLIK_USER} {$PLIK_PASSWORD} + } + reverse_proxy 127.0.0.1:${toString myData.ports.plik} + ''; "irc.jakstys.lt".extraConfig = let gamja = pkgs.compressDrvWeb (pkgs.gamja.override { 
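Review bot: In hosts/fwminex/configuration.nix (hunk at -137,8) the added `preStart` expands `$CREDENTIALS_DIRECTORY` unquoted and never checks that the credential is present and non-empty before linking it. I would write it as `preStart = ''test -s "$CREDENTIALS_DIRECTORY/up.jakstys.lt.env" && ln -sf "$CREDENTIALS_DIRECTORY/up.jakstys.lt.env" /run/caddy/up.jakstys.lt.env'';`, so a missing secret stops the unit in ExecStartPre instead of surfacing later as unset variables in the Caddyfile. The unit definition this line belongs to starts and ends outside the hunk.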
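Review bot: In the hunk at -151,7 of hosts/fwminex/configuration.nix, the leading `-` in `EnvironmentFile = [ "-/run/caddy/up.jakstys.lt.env" ];` tells systemd to carry on silently when the file is missing or unreadable. Caddy would then start with `PLIK_USER` and `PLIK_PASSWORD` unset, and the `{$PLIK_USER} {$PLIK_PASSWORD}` line in the vhost expands to nothing. Whether Caddy rejects an empty `basic_auth` block or serves the site without credentials is not visible from this diff and should be confirmed, so the proxy is known to fail closed. A comment on the line would help the next reader, for example `# symlink is created by preStart; "-" tolerates its absence, so the vhost must not start unauthenticated if the vars are empty`. The `serviceConfig` set continues outside the hunk.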
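Review bot: The new `plikd` block (hunk at -228,6 of hosts/fwminex/configuration.nix) sets only `settings.ListenPort`, so the bind address is whatever plikd defaults to. If that default is all interfaces, port 8099 can be reached directly, bypassing the `basic_auth` on `up.jakstys.lt`, on any network path the firewall permits. Caddy proxies to 127.0.0.1 only, so I would pin it with `settings.ListenAddress = "127.0.0.1";` next to the port. The plikd default and this host's firewall and trusted-interface rules are not visible here and are worth checking.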
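Review bot: In the `up.jakstys.lt` vhost (hunk at -292,6) Caddy's `basic_auth` takes a password hash as the second field, not the plaintext, so `PLIK_PASSWORD` in the encrypted env file has to hold the output of `caddy hash-password`. The variable name suggests a plaintext password, and putting one there would make every login fail. I would rename it to `PLIK_PASSWORD_HASH`, or add a comment above the block such as `# PLIK_PASSWORD is the bcrypt hash from "caddy hash-password", not the password itself`. The virtual-host set this entry sits in starts and ends outside the hunk.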
diff --git a/secrets.nix b/secrets.nix index 05466fa..0c9afee 100644 --- a/secrets.nix +++ b/secrets.nix @@ -81,6 +81,7 @@ in "secrets/fwminex/syncthing/key.pem.age" "secrets/fwminex/syncthing/cert.pem.age" + "secrets/fwminex/up.jakstys.lt.env.age" ] // mk ( [ diff --git a/secrets/fwminex/up.jakstys.lt.env.age b/secrets/fwminex/up.jakstys.lt.env.age new file mode 100644 index 0000000..9ad6838 Binary files /dev/null and b/secrets/fwminex/up.jakstys.lt.env.age differ