diff --git a/ansible/host_vars/grimes/main.yml b/ansible/host_vars/grimes/main.yml index d1ba1e7..fca7d97 100644 --- a/ansible/host_vars/grimes/main.yml +++ b/ansible/host_vars/grimes/main.yml @@ -1,4 +1,6 @@ private_ip: "{{ ansible_tailscale0.ipv4.address }}" +traefik_http3: true + restic_backup_locations: - /opt diff --git a/ansible/roles/traefik/defaults/main.yml b/ansible/roles/traefik/defaults/main.yml index 6352074..f6418ee 100644 --- a/ansible/roles/traefik/defaults/main.yml +++ b/ansible/roles/traefik/defaults/main.yml @@ -3,3 +3,4 @@ traefik_provider_homeassistant: false traefik_provider_grafana: false traefik_provider_uptime_kuma: false traefik_tls_challenge: false +traefik_http3: false diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index 8140821..bd7b03b 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml @@ -10,6 +10,7 @@ services: ports: - 80:80 - 443:443 + - 443:443/udp - "{{ private_ip }}:8080:8080" depends_on: - docker_proxy diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index e7a99d6..12e43b5 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml @@ -40,6 +40,9 @@ entryPoints: transport: respondingTimeouts: readTimeout: 180s + {% if traefik_http3 %} + http3: {} + {% end %} traefik: address: :8080 diff --git a/terraform/hetzner_firewall.tf b/terraform/hetzner_firewall.tf index 5ad833a..1eff296 100644 --- a/terraform/hetzner_firewall.tf +++ b/terraform/hetzner_firewall.tf @@ -49,4 +49,15 @@ resource "hcloud_firewall" "web" { "::/0" ] } + + # HTTP/3 + rule { + direction = "in" + protocol = "udp" + port = "443" + source_ips = [ + "0.0.0.0/0", + "::/0" + ] + } }
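Review bot: The new `- 443:443/udp` mapping in docker-compose.yml is published on every host that runs this role, although `traefik_http3` defaults to false and the `http3` option is only rendered when it is true. On hosts where the flag is off, UDP 443 is published with no QUIC listener configured behind it. The `hcloud_firewall.web` hunk further down likewise admits UDP 443 from `0.0.0.0/0` and `::/0` for every server that firewall is attached to. Since this file already carries Jinja (`{{ private_ip }}`), the mapping could be wrapped in `{% if traefik_http3 %}` / `{% endif %}`, with the firewall rule limited to the HTTP/3 hosts if the Terraform layout allows it. Quoting the value as `- "443:443/udp"` would also match the quoted entry below it.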
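Review bot: The conditional added to traefik.yml is closed with `{% end %}`, which is not a Jinja2 tag; it needs `{% endif %}`, otherwise rendering stops with a template syntax error instead of producing a config. Separately, if the file is rendered with Ansible's defaults (`trim_blocks` on, `lstrip_blocks` off), any indentation in front of the `{% if %}` line is kept and lands in front of `http3: {}`, which would push the key out of the entry point mapping. The original indentation is not recoverable from this view, so check the rendered output; writing the two tags at column 0 avoids the problem. The entry point definition starts outside the hunk.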