diff --git a/modules/swarm/ontime/main.tf b/modules/swarm/ontime/main.tf
new file mode 100644
index 0000000..c67202e
--- /dev/null
+++ b/modules/swarm/ontime/main.tf
@@ -0,0 +1,86 @@
+data "docker_registry_image" "primary" {
+ name = "getontime/ontime:latest"
+}
+
+data "docker_network" "traefik" {
+ name = "traefik"
+}
+
+locals {
+ name = "ontime${var.ontime_identifier}"
+ public_paths = [
+ "/ontime-logo.png",
+ "/favicon.ico",
+ "/data",
+ "/assets",
+ "/timer",
+ "/minimal",
+ "/clock",
+ "/backstage",
+ "/countdown",
+ "/studio",
+ "/timeline",
+ "/api/poll",
+ "/api/version",
+ ]
+ public_paths_rule = join(" || ", [for path in local.public_paths : "PathPrefix(`${path}`)"])
+ labels = {
+ "shepherd.auto-update" = "true",
+ "traefik.enable" = "true"
+ "traefik.http.services.${local.name}.loadbalancer.server.port" = "4001",
+ "traefik.http.routers.${local.name}.rule" = "Host(`${local.name}.chaoswest.tv`)",
+ "traefik.http.routers.${local.name}.tls" = "true",
+ "traefik.http.routers.${local.name}.tls.certresolver" = "default",
+ "traefik.http.routers.${local.name}.priority" = "1",
+
+ ## Authentication was tried, but ontime needs a WebSocket connection for almost everything, and we can't really secure this.
+ ## So, we'll be using the pincode feature of ontime and just deploy it only for the time needed.
+
+ #"traefik.http.routers.${local.name}.middlewares" = "auth-ontime@file",
+
+ #"traefik.http.services.${local.name}-open.loadbalancer.server.port" = "4001",
+ #"traefik.http.routers.${local.name}-open.rule" = "Host(`${local.name}.chaoswest.tv`) && (${local.public_paths_rule})",
+ #"traefik.http.routers.${local.name}-open.tls" = "true",
+ #"traefik.http.routers.${local.name}-open.tls.certresolver" = "default",
+ #"traefik.http.routers.${local.name}-open.priority" = "2",
+ }
+}
+
+resource "docker_service" "primary" {
+ name = local.name
+
+ dynamic "labels" {
+ for_each = local.labels
+ content {
+ label = labels.key
+ value = labels.value
+ }
+ }
+
+ task_spec {
+ networks_advanced {
+ name = data.docker_network.traefik.id
+ }
+
+ container_spec {
+ image = "${data.docker_registry_image.primary.name}@${data.docker_registry_image.primary.sha256_digest}"
+
+ mounts {
+ target = "/data/"
+ source = "/mnt/data/${local.name}"
+ type = "bind"
+ }
+ }
+ }
+}
+
+data "hetznerdns_zone" "primary" {
+ name = "chaoswest.tv"
+}
+
+resource "hetznerdns_record" "www" {
+ zone_id = data.hetznerdns_zone.primary.id
+ name = local.name
+ value = "ax41-1.fsn.mon2.de."
+ type = "CNAME"
+}
diff --git a/modules/swarm/ontime/outputs.tf b/modules/swarm/ontime/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/ontime/variables.tf b/modules/swarm/ontime/variables.tf
new file mode 100644
index 0000000..439927c
--- /dev/null
+++ b/modules/swarm/ontime/variables.tf
@@ -0,0 +1,4 @@
+variable "ontime_identifier" {
+ type = string
+ default = ""
+}
diff --git a/modules/swarm/ontime/version.tf b/modules/swarm/ontime/version.tf
new file mode 100644
index 0000000..be1d72e
--- /dev/null
+++ b/modules/swarm/ontime/version.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = "1.5.5"
+ required_providers {
+ hetznerdns = {
+ source = "timohirt/hetznerdns"
+ version = "~>2.2"
+ }
+ docker = {
+ source = "kreuzwerker/docker"
+ version = "~>3.0"
+ }
+ }
+}
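Review bot: The digest pin on the `image` line is undone by the `"shepherd.auto-update" = "true"` label above it: Terraform resolves `getontime/ontime:latest` to a digest once at plan time, while Shepherd (if it runs on this swarm, as the label suggests) will keep rolling the service to whatever `latest` later resolves to, so the running image drifts from state and the next `terraform apply` rolls it back to the stale digest. For a service that is deliberately reachable on a public hostname with no Traefik auth middleware (the `middlewares` label is commented out and the comments explain why), auto-pulling unreviewed upstream builds is a questionable trade; consider pinning a release tag through a variable, e.g. `name = "getontime/ontime:${var.ontime_version}"`, and dropping the Shepherd label so image updates go through review. As a compensating control that does not interfere with the WebSocket traffic, an IP allow-list middleware on the router (`ipAllowList` in Traefik v3, `ipWhiteList` in v2; the Traefik version is not visible here) would limit who can even reach the pincode prompt. Note also that `public_paths` and `public_paths_rule` are consumed only by the commented-out `-open` router and are dead until that experiment is revived; a `## kept for the split-router experiment below` comment above `public_paths` would make that explicit.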
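Review bot: `ontime_identifier` is interpolated unchecked into a hostname, a DNS record name, a Docker service name and the bind-mount source `/mnt/data/ontime${var.ontime_identifier}` in main.tf, so a value containing `/`, `..` or characters that are not valid in a DNS label would either fail late inside a provider or point the mount outside `/mnt/data`. A `validation` block on the variable with `condition = can(regex("^[a-z0-9-]*$", var.ontime_identifier))` and a matching `error_message` fails fast at plan time instead. A `description = "Suffix that distinguishes multiple ontime instances (hostname, service and data directory); empty for the default instance."` would also document why the default is the empty string.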
diff --git a/modules/swarm/traefik/cfg/dynamic/dynamic.yaml b/modules/swarm/traefik/cfg/dynamic/dynamic.yaml
index ce37829..fc43c05 100644
--- a/modules/swarm/traefik/cfg/dynamic/dynamic.yaml
+++ b/modules/swarm/traefik/cfg/dynamic/dynamic.yaml
@@ -1,17 +1,21 @@
 ---
 http:
- routers:
- dashboard-secure:
- rule: Host(`traefik.montage2.de`)
- service: api@internal
- tls:
- certResolver: default
- middlewares:
- - auth-hausmeister
- entryPoints:
- - https
- middlewares:
- auth-hausmeister:
- basicAuth:
- users:
- "hausmeister:$2y$10$.ewz0qQlm.mT/LRzuSwRYOmytRj7K3ojcxFsvkgrMKFicbA5EtKV."
+ routers:
+ dashboard-secure:
+ rule: Host(`traefik.montage2.de`)
+ service: api@internal
+ tls:
+ certResolver: default
+ middlewares:
+ - auth-hausmeister
+ entryPoints:
+ - https
+ middlewares:
+ auth-hausmeister:
+ basicAuth:
+ users:
+ - "hausmeister:$2y$10$.ewz0qQlm.mT/LRzuSwRYOmytRj7K3ojcxFsvkgrMKFicbA5EtKV."
+ auth-ontime:
+ basicAuth:
+ users:
+ - "cwtv:$apr1$EZhof.oe$SEgKIX98pcki/zME/sLVd1"
diff --git a/stacks/ax41-1/main.tf b/stacks/ax41-1/main.tf
index 70a4968..a5fe96d 100644
--- a/stacks/ax41-1/main.tf
+++ b/stacks/ax41-1/main.tf
@@ -50,3 +50,11 @@ module "forgejo" {
 module "prometheus" {
 source = "../../modules/swarm/prometheus"
 }
+
+# Only deploy when needed due to lacking authentication/security!
+
+#module "ontime1" {
+# source = "../../modules/swarm/ontime"
+#
+# ontime_identifier = "1"
+#}
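Review bot: The new `auth-ontime` user is stored as an APR1 MD5-crypt hash (`$apr1$…`), whereas the `auth-hausmeister` entry directly above it uses bcrypt (`$2y$10$…`); MD5-crypt is cheap to brute-force once this committed file is read by anyone with repository access, so regenerate the entry with `htpasswd -nB cwtv` for parity with the existing user. The middleware is also unreferenced at the moment: its only consumer, the `middlewares` router label in modules/swarm/ontime/main.tf, is commented out in the same commit, so if the basic-auth approach has been abandoned the entry is better removed than left as dormant credentials. If it is kept for a later retry, a `# unused until the ontime router's middlewares label is re-enabled` comment above `auth-ontime:` would save the next reader a search.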
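Review bot: Commenting the module out turns "deploy only when needed" into an edit-source-and-apply ritual with no record of who enabled it or when; since the module already requires Terraform 1.5.5, a `count` on the module block is cleaner: keep `module "ontime1"` uncommented and add `count = var.enable_ontime ? 1 : 0` with `enable_ontime` defaulting to `false`. The toggle then lives in a variable or tfvars, the module wiring stays visible and plannable, and enabling/disabling still creates and destroys the service and its `hetznerdns_record` through state. The comment would also be more useful if it named the actual risk, e.g. `# No auth at the proxy; ontime relies on its pincode only. Enable just for the duration of an event.`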