diff --git a/apps/caddy/Caddyfile b/apps/caddy/Caddyfile
deleted file mode 100644
index 6a52946..0000000
--- a/apps/caddy/Caddyfile
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-  email zuma@deuxfleurs.fr
-}
-
-chokbar.bzh {
-  respond "Kenavo !"
-}
-
-search.chokbar.bzh {
-  reverse_proxy searxng.service.consul:8080
-}
diff --git a/apps/caddy/caddy.hcl b/apps/caddy/caddy.hcl
deleted file mode 100644
index 30d38d0..0000000
--- a/apps/caddy/caddy.hcl
+++ /dev/null
@@ -1,48 +0,0 @@
-job "caddy" {
-  datacenters = [ "gribse-house", "zuma-house", "mayel-house" ]
-  type = "system"
-  priority = 90
-
-  group "caddy" {
-    network {
-      port "http_port" { static = 80 }
-      port "https_port" { static = 443 }
-    }
-
-    task "server" {
-      driver = "docker"
-
-      config {
-        image = "caddy"
-        network_mode = "host"
-        ports = [ "http_port", "https_port" ]
-        volumes = [
-          "secrets/Caddyfile:/etc/caddy/Caddyfile"
-        ]
-      }
-
-      resources {
-        cpu = 1000
-        memory = 400
-      }
-
-      template {
-        data = file("./Caddyfile")
-        destination = "secrets/Caddyfile"
-        perms = 400
-      }
-
-      service {
-        name = "caddy-http"
-        port = "http_port"
-        address_mode = "host"
-      }
-
-      service {
-        name = "caddy-https"
-        port = "https_port"
-        address_mode = "host"
-      }
-    }
-  }
-}
diff --git a/apps/searxng/searxng.hcl b/apps/searxng/searxng.hcl
index 79dc35d..cbf8558 100644
--- a/apps/searxng/searxng.hcl
+++ b/apps/searxng/searxng.hcl
@@ -23,6 +23,9 @@ job "searxng" {
       }
 
       service {
+        tags = [
+          "tricot search.chokbar.bzh"
+        ]
         name = "searxng"
         port = "http_port"
       }
diff --git a/apps/tricot/tricot.hcl b/apps/tricot/tricot.hcl
new file mode 100644
index 0000000..a8428a8
--- /dev/null
+++ b/apps/tricot/tricot.hcl
@@ -0,0 +1,95 @@
+job "tricot" {
+  datacenters = ["zuma-house", "gribse-house", "mayel-house"]
+  type = "system"
+  priority = 90
+
+  update {
+    max_parallel = 1
+    stagger = "5m"
+  }
+
+  group "tricot" {
+    network {
+      port "http_port" { static = 80 }
+      port "https_port" { static = 443 }
+      port "metrics_port" { static = 9334 }
+    }
+
+    task "server" {
+      driver = "docker"
+
+      config {
+        image = "git.shenanigans.cc/zuma/tricot:filouterie"
+        network_mode = "host"
+        readonly_rootfs = true
+        ports = [ "http_port", "https_port" ]
+        volumes = [
+          "secrets:/etc/tricot",
+        ]
+        ulimit {
+          nofile = "65535:65535"
+        }
+        # exporting jemalloc profiles requires a
+        # writeable tmpfs
+        mount {
+          type = "tmpfs"
+          target = "/tmp"
+          readonly = false
+        }
+      }
+
+      resources {
+        cpu = 1000
+        memory = 400
+      }
+
+      restart {
+        interval = "5m"
+        attempts = 10
+        delay    = "15s"
+        mode     = "delay"
+      }
+
+      template {
+        data = <<EOH
+TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
+TRICOT_LETSENCRYPT_EMAIL=zuma@deuxfleurs.fr
+TRICOT_ENABLE_COMPRESSION=true
+TRICOT_CONSUL_TLS_SKIP_VERIFY=true
+TRICOT_HTTP_BIND_ADDR=[::]:80
+TRICOT_HTTPS_BIND_ADDR=[::]:443
+TRICOT_METRICS_BIND_ADDR=[::]:9334
+TRICOT_MAX_LOG_PER_SEC=10
+RUST_LOG=tricot=debug
+EOH
+        destination = "secrets/env"
+        env = true
+      }
+
+      service {
+        name = "tricot-http"
+        port = "http_port"
+        tags = [
+          "${meta.site}"
+         ]
+        address_mode = "host"
+      }
+
+      service {
+        name = "tricot-https"
+        port = "https_port"
+        tags = [
+          "${meta.site}",
+        ]
+        address_mode = "host"
+      }
+
+      service {
+        name = "tricot-metrics"
+        port = "metrics_port"
+        address_mode = "host"
+      }
+    }
+  }
+}
+