diff --git a/Caddyfile b/Caddyfile
index 8d0593e..7afda5f 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,22 +1,33 @@
 {
- # Enable admin API for clustering
- admin off
-
- # Configure storage if clustering is enabled
- {$PORTAL_CORE_CLUSTERED_ENABLED:false} {
- storage etcd {
- endpoints {$PORTAL_CORE_CLUSTERED_ETCD_ENDPOINTS}
- namespace {$PORTAL_CORE_CLUSTERED_ETCD_PREFIX}/caddy
- }
- }
+ # Enable admin API for clustering
+ admin off
+
+ # Configure storage for clustering
+ storage etcd {
+ prefix "{$PORTAL_CORE_CLUSTERED_ETCD_PREFIX}"
+ endpoints {
+ {$PORTAL_CORE_CLUSTERED_ETCD_ENDPOINTS}
+ }
+ timeout {$PORTAL_CORE_CLUSTERED_ETCD_TIMEOUT:5m}
+ auth {
+ username "{$PORTAL_CORE_CLUSTERED_ETCD_USERNAME}"
+ password "{$PORTAL_CORE_CLUSTERED_ETCD_PASSWORD}"
+ }
+ tls {
+ cert "{$PORTAL_CORE_CLUSTERED_ETCD_TLS_CERT}"
+ key "{$PORTAL_CORE_CLUSTERED_ETCD_TLS_KEY}"
+ ca "{$PORTAL_CORE_CLUSTERED_ETCD_TLS_CA}"
+ server_name "{$PORTAL_CORE_CLUSTERED_ETCD_TLS_SERVER_NAME}"
+ }
+ }
 }
 # Handle all domains matching the PORTAL_CORE_DOMAIN
 *.{$PORTAL_CORE_DOMAIN} {
- reverse_proxy localhost:{$PORTAL_CORE_PORT}
+ reverse_proxy localhost:{$PORTAL_CORE_PORT}
 }
 # Handle direct domain access
-:{80, 443} {
- reverse_proxy localhost:{$PORTAL_CORE_PORT}
+:80, :443 {
+ reverse_proxy localhost:{$PORTAL_CORE_PORT}
 }
diff --git a/Caddyfile.nocluster b/Caddyfile.nocluster
new file mode 100644
index 0000000..5f4ace7
--- /dev/null
+++ b/Caddyfile.nocluster
@@ -0,0 +1,13 @@
+{
+ admin off
+}
+
+# Handle all domains matching the PORTAL_CORE_DOMAIN
+*.{$PORTAL_CORE_DOMAIN} {
+ reverse_proxy localhost:{$PORTAL_CORE_PORT}
+}
+
+# Handle direct domain access
+:80, :443 {
+ reverse_proxy localhost:{$PORTAL_CORE_PORT}
+}
diff --git a/Dockerfile b/Dockerfile
index 62d5eb5..0f4e8bd 100644
--- a/Dockerfile
+++ b/Dockerfile
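Review bot: The `auth` block in the new `storage etcd` section is always present, while entrypoint.sh in this same commit tries to drop the `tls` block whenever the cert or key variable is empty, so a deployment that sets only the username and password would appear to send etcd credentials over a connection without TLS (how the plugin behaves with no `tls` block is not visible here). I would have the entrypoint refuse to start when `PORTAL_CORE_CLUSTERED_ETCD_PASSWORD` is set but the TLS settings are missing, or at least state the requirement next to the block, e.g. `# etcd auth must only be used together with the tls block below`. Separately, the comment `# Enable admin API for clustering` sits directly above `admin off`, which disables the API; `# Admin API disabled` would match what the config does.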
@@ -1,10 +1,17 @@
+FROM caddy:2.9-builder AS builder
+
+RUN xcaddy build \
+ --with go.lumeweb.com/caddy-etcd
+
 FROM caddy:2.9-alpine
 RUN apk add --no-cache bash
 COPY portal /usr/local/bin/portal
 COPY Caddyfile /etc/caddy/Caddyfile
+COPY Caddyfile.nocluster /etc/caddy/Caddyfile.nocluster
 COPY entrypoint.sh /entrypoint.sh
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
 RUN chmod +x /entrypoint.sh
diff --git a/entrypoint.sh b/entrypoint.sh
index 7d8abb4..5c0b5f0 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,7 +1,34 @@
 #!/bin/bash
-# Start portal in background
-/usr/local/bin/portal &
+# Validate required env vars when clustering is enabled
+if [ "${PORTAL_CORE_CLUSTERED_ENABLED}" = "true" ]; then
+ required_vars=(
+ "PORTAL_CORE_CLUSTERED_ETCD_ENDPOINTS"
+ "PORTAL_CORE_CLUSTERED_ETCD_PREFIX"
+ )
+
+ for var in "${required_vars[@]}"; do
+ if [ -z "${!var}" ]; then
+ echo "Error: $var is required when clustering is enabled"
+ exit 1
+ fi
+ done
-# Start Caddy in foreground
-/usr/bin/caddy run --config /etc/caddy/Caddyfile
+ # Remove TLS block from Caddyfile if TLS env vars are empty
+ if [ -z "${PORTAL_CORE_CLUSTERED_ETCD_TLS_CERT}" ] || [ -z "${PORTAL_CORE_CLUSTERED_ETCD_TLS_KEY}" ]; then
+ sed -i '/tls/,/}/d' /etc/caddy/Caddyfile
+ sed -i '/^$/d' /etc/caddy/Caddyfile
+ fi
+
+ # Start portal in background
+ /usr/local/bin/portal &
+
+ # Start Caddy with etcd storage in foreground
+ /usr/bin/caddy run --config /etc/caddy/Caddyfile
+else
+ # Start portal in background
+ /usr/local/bin/portal &
+
+ # Start Caddy without etcd storage in foreground
+ /usr/bin/caddy run --config /etc/caddy/Caddyfile.nocluster
+fi
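Review bot: `xcaddy build --with go.lumeweb.com/caddy-etcd` in the new builder stage names the plugin without a version, so every build compiles whatever the module path resolves to at that moment into the `/usr/bin/caddy` that is copied into the final image. That binary receives the etcd username, password and TLS key paths from the Caddyfile, so the plugin revision should be a reviewed, deliberate choice. Pin it with `--with go.lumeweb.com/caddy-etcd@<PINNED_VERSION>` and bump the pin in its own commit. The hunk shows only the top of the Dockerfile, so whether the final stage later sets a non-root `USER` cannot be judged from here.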
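Review bot: The range in `sed -i '/tls/,/}/d' /etc/caddy/Caddyfile` ends on the first following line that contains `}`, and in the Caddyfile from this commit that is the `cert "{$PORTAL_CORE_CLUSTERED_ETCD_TLS_CERT}"` line, because the placeholder itself ends in `}`. Only `tls {` and `cert` are deleted; `key`, `ca`, `server_name` and the block's closing brace stay behind, leaving an unbalanced config that Caddy will most likely reject at startup whenever TLS is not configured. Anchoring both ends to whole lines avoids this: `sed -i '/^[[:space:]]*tls {/,/^[[:space:]]*}[[:space:]]*$/d' /etc/caddy/Caddyfile`. The condition also ignores `PORTAL_CORE_CLUSTERED_ETCD_TLS_CA`, so a setup that supplies only a CA loses its `tls` block as well, and the `auth` block is left in place either way.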