diff --git a/env.yaml.bash b/env.yaml.bash index 4720096..e22cdb6 100755 --- a/env.yaml.bash +++ b/env.yaml.bash @@ -11,6 +11,9 @@ networking: domain: riju.example.com # FIXME ip: x.y.z.w # FIXME +contact: + letsEncryptEmail: ops@example.com # FIXME + metallb: secretkey: "$(pwgen -s 256 1)" diff --git a/k8s/traefik-config.in.yaml b/k8s/traefik-config.in.yaml new file mode 100644 index 0000000..ec668cd --- /dev/null +++ b/k8s/traefik-config.in.yaml @@ -0,0 +1,33 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + namespace: traefik + name: traefik-config +data: + traefik.yaml: | + entrypoints: + http: + address: ":8000/tcp" + https: + address: ":8443/tcp" + http: + tls: true + healthcheck: + address: ":9000/tcp" + docker: + address: ":31000/tcp" + http: + tls: true + ping: + entryPoint: "healthcheck" + providers: + kubernetescrd: true + kubernetesingress: true + certificatesResolvers: + riju: + acme: + email: "{{ .contact.letsEncryptEmail }}" + storage: acme.json + httpChallenge: + entryPoint: http diff --git a/k8s/traefik-config.yaml b/k8s/traefik-config.yaml deleted file mode 100644 index 8e5efc2..0000000 --- a/k8s/traefik-config.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -kind: ConfigMap -apiVersion: v1 -metadata: - namespace: traefik - name: traefik-config -data: - traefik.yaml: | - entrypoints: - traefik: - address: ":9000/tcp" - metrics: - address: ":9100/tcp" - web: - address: ":8000/tcp" - websecure: - address: ":8443/tcp" - http: - tls: true - api: - dashboard: true - ping: true - metrics: - prometheus: - entrypoint: metrics - providers: - kubernetescrd: true - kubernetesingress: true diff --git a/k8s/traefik.yaml b/k8s/traefik.yaml index 5c654a8..4a9f4df 100644 --- a/k8s/traefik.yaml +++ b/k8s/traefik.yaml 
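Review bot: In k8s/traefik-config.in.yaml, `storage: acme.json` under `certificatesResolvers.riju.acme` is a relative path, so the ACME account key and every issued private key are written wherever the container's working directory happens to be. No volume for it appears in this diff (the Deployment's volume section is outside the hunks shown, so this may already be handled); without persistent storage each pod restart re-requests certificates and can run into Let's Encrypt rate limits. I would point it at an absolute path on a dedicated volume, for example `storage: /data/acme.json` (path constructed for illustration), and keep the file readable by the Traefik user only. Separately, `tls: true` on the `https` and `docker` entrypoints does not name the resolver; unless routers defined elsewhere set `certResolver: riju`, Traefik serves its default self-signed certificate.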
@@ -55,14 +55,14 @@ spec: successThreshold: 1 timeoutSeconds: 2 ports: - - name: traefik - containerPort: 9000 - - name: web + - name: http containerPort: 8000 - - name: websecure + - name: https containerPort: 8443 - - name: metrics - containerPort: 9100 + - name: ping + containerPort: 9000 + - name: docker + containerPort: 31000 securityContext: capabilities: drop: @@ -101,13 +101,13 @@ spec: app: traefik ports: - port: 80 - name: "web" - targetPort: web - protocol: TCP + name: http + targetPort: 8000 - port: 443 - name: "websecure" - targetPort: websecure - protocol: TCP + name: https + targetPort: 8443 + - port: 31000 + name: docker --- kind: IngressClass @@ -118,19 +118,3 @@ metadata: ingressclass.kubernetes.io/is-default-class: "true" spec: controller: traefik.io/ingress-controller ---- - -kind: IngressRoute -apiVersion: traefik.containo.us/v1alpha1 -metadata: - namespace: traefik - name: traefik-dashboard -spec: - entryPoints: - - traefik - routes: - - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - kind: Rule - services: - - name: api@internal - kind: TraefikService
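Review bot: In the container `ports` hunk of k8s/traefik.yaml (`@@ -55,14 +55,14 @@`), the port on 9000 is renamed from `traefik` to `ping`, but the probe definitions end just above the hunk (`successThreshold` and `timeoutSeconds` are their tail), so it is not visible whether they address the port by number or by the old name. If they use the name, they need `port: ping` in the same commit, otherwise the probes fail. The name also differs from the entrypoint it serves, which the new ConfigMap calls `healthcheck`; `- name: healthcheck` here would make the mapping traceable. A one-line comment stating what the `docker` port on 31000 carries would help as well, since nothing in the hunk says.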
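Review bot: The Service hunk of k8s/traefik.yaml (`@@ -101,13 +101,13 @@`) publishes port 31000 (`docker`) next to 80 and 443, and the diff contains no router, middleware or source restriction for that entrypoint. The Service `type` is outside the hunk; if it is a LoadBalancer, whatever sits behind the `docker` entrypoint is reachable from every network that can reach the service address, so authentication on its routes or `loadBalancerSourceRanges` on the Service should be confirmed before merging. The new entry also omits `targetPort` while its siblings set one; it defaults to the `port` value, but `targetPort: 31000` would keep the three entries parallel. Replacing the named targets with literals (8000, 8443) means the Service no longer follows a container-port renumbering, so `targetPort: http` and `targetPort: https` may be preferable.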