diff --git a/swarm/stack/caddy/Caddyfile b/swarm/stack/caddy/Caddyfile
index 7e127b7..85f4b5e 100644
--- a/swarm/stack/caddy/Caddyfile
+++ b/swarm/stack/caddy/Caddyfile
@@ -1,3 +1,32 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# GLOBAL BLOCK — add this at the very top before any snippets
+# ─────────────────────────────────────────────────────────────────────────────
+
+{
+    crowdsec {
+        api_url http://crowdsec:8080
+        api_key {$CROWDSEC_API_KEY}
+    }
+    log {
+        output file /var/log/caddy/access.log {
+            roll_size 50mb
+            roll_keep 5
+        }
+        format json
+    }
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# CROWDSEC SNIPPET — add alongside existing auth snippets
+# ─────────────────────────────────────────────────────────────────────────────
+
+(crowdsec) {
+    route {
+        crowdsec
+    }
+}
+
+
 (authentik) {
     route /outpost.goauthentik.io/* {
         reverse_proxy http://authentik:9000