diff --git a/2 Personal/Home Lab/NAS/immich_v1.1_setup.md b/2 Personal/Home Lab/NAS/immich_v1.1_setup.md
index 5fad300..df5944d 100644
--- a/2 Personal/Home Lab/NAS/immich_v1.1_setup.md	
+++ b/2 Personal/Home Lab/NAS/immich_v1.1_setup.md	
@@ -769,3 +769,22 @@ The main things that can still hurt later are:
 - leaving the documented DB password unchanged
 
 This document should be updated after every meaningful change.
+
+
+---
+```mermaid
+flowchart LR
+    User[User Browser] -->|HTTPS| Cloudflare[Cloudflare Edge]
+
+    Cloudflare -->|Tunnel| CFD[cloudflared in edge stack]
+
+    CFD -->|HTTP or HTTPS, but one consistent model| Traefik[Traefik]
+    Traefik -->|Badger auth check| Pangolin[Pangolin]
+    Traefik -->|Proxy via Gerbil/Newt| RemoteApps[Apps behind Pangolin]
+
+    Cloudflare -->|Direct route| Authentik[Authentik direct]
+
+    Pangolin --> Gerbil[Gerbil]
+    Newt[Newt on remote hosts] --> Pangolin
+    Newt --> Gerbil
+```