diff --git a/README.md b/README.md
index 60d4732..63a328c 100644
--- a/README.md
+++ b/README.md
@@ -26,10 +26,12 @@ All services below are running under Docker, except NSD and Borg.
 - matrix
 - peertube?
 - Pixelfed?
+- Prometheus
 ## TODO
-- Forward to https not working correctly yet.
+- Forward to https not working correctly yet. I think it works now? Should check it.
+- Expose treafik dashboard only on local network
 ### NSD
diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl
index 82f9885..5758df5 100644
--- a/roles/nsd/files/zones/pizzapim.nl
+++ b/roles/nsd/files/zones/pizzapim.nl
@@ -1,7 +1,7 @@
 $ORIGIN pizzapim.nl.
 $TTL 60
-pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023011700 1800 3600 1209600 3600
+pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023012200 1800 3600 1209600 3600
 NS ns.pizzapim.nl.
 NS ns0.transip.net.
@@ -24,3 +24,4 @@ dav IN CNAME www.pizzapim.nl.
 git IN CNAME www.pizzapim.nl.
 meet IN CNAME www.pizzapim.nl.
 rss IN CNAME www.pizzapim.nl.
+traefik IN CNAME www.pizzapim.nl.
diff --git a/roles/traefik/files/basic_auth_users b/roles/traefik/files/basic_auth_users
new file mode 100644
index 0000000..e26bc55
--- /dev/null
+++ b/roles/traefik/files/basic_auth_users
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33333836626532396564616664353836636164386437323234333464336432663266663038313138
+3563663134333236366433636134653965393932343362360a306236343538663836633761353262
+65353961376230333530616465353735626232373132613635653162353634353865386638633365
+3762636464663532360a633162646365653764666563383632393738343931656366343336653437
+36656535346432313036323433396432303563663836303964643731326364306530636332346163
+36353034366562386664376565316339616466323133303464326637366432623164666332313762
+38663138613534363361376161376363666134336466303436643035356438303832333639373266
+62313730633763633066
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index d190b3f..e589108 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -20,6 +20,10 @@
 copy:
 src: "{{ role_path }}/files/services.toml"
 dest: "{{ service_dir }}/services.toml"
+- name: Copy basic_auth_users file
+ copy:
+ src: "{{ role_path }}/files/basic_auth_users"
+ dest: "{{ service_dir }}/basic_auth_users"
 - name: Create traefik network
 docker_network:
 name: "traefik"
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
index 34339d4..cfc1843 100644
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -9,12 +9,6 @@ services:
 restart: always
 image: traefik:v2.9
 container_name: traefik
- command:
- "--providers.docker"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.websecure.address=:443"
 ports:
 - "443:443"
 - "80:80"
@@ -24,12 +18,22 @@ services:
 - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
 - {{ service_dir }}/services.toml:/etc/traefik/services.toml
 - {{ service_dir }}/acme.json:/acme.json
+ - {{ service_dir }}/basic_auth_users:/basic_auth_users
 networks:
 - traefik
 labels:
 - traefik.enable=true
+ - traefik.http.routers.esrom.entrypoints=websecure
 - traefik.http.routers.esrom.service=esrom@file
 - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
 - traefik.http.routers.esrom.tls=true
 - traefik.http.routers.esrom.tls.certresolver=geokunis
+
+ - traefik.http.routers.traefik.rule=Host(`traefik.pizzapim.nl`)
+ - traefik.http.routers.traefik.entrypoints=websecure
+ - traefik.http.routers.traefik.tls=true
+ - traefik.http.routers.traefik.tls.certresolver=pizzapim
+ - traefik.http.routers.traefik.service=api@internal
+ - traefik.http.routers.traefik.middlewares=basic-auth
+ - traefik.http.middlewares.basic-auth.basicauth.usersfile=/basic_auth_users
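Review bot: The new `Copy basic_auth_users file` task sets no `mode` or `owner`, so the htpasswd file — which Ansible's `copy` decrypts from the vault on the way to the host by default — lands in `{{ service_dir }}` with whatever the remote umask gives, commonly world-readable. The password hashes in that file are the only thing standing in front of the dashboard router defined in docker-compose, so tighten it at the task: add `mode: "0600"` (and an `owner:` matching the user Traefik runs as, which this role does not show) under `dest:`. The preceding `services.toml` copy has the same shape, but that is existing code rather than this change.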
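Review bot: The new `traefik` router publishes the dashboard (`api@internal`) on the public `websecure` entrypoint with a certificate from the `pizzapim` resolver and only basic auth in front, which contradicts the TODO this same commit adds to the README ("Expose treafik dashboard only on local network"); the `traefik IN CNAME` record added in the zone hunk also makes the name publicly resolvable. Traefik 2.9 can restrict this at the router: add `- traefik.http.middlewares.dashboard-allow.ipwhitelist.sourcerange=<LOCAL_CIDR>` (placeholder for your LAN range) and change the chain to `- traefik.http.routers.traefik.middlewares=dashboard-allow,basic-auth`, keeping basic auth as the second layer. The users-file mount can also be read-only, since Traefik only reads it: `- {{ service_dir }}/basic_auth_users:/basic_auth_users:ro`. The enclosing `services:` block starts outside the hunk.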
diff --git a/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2
index ac99065..b07f315 100644
--- a/roles/traefik/templates/traefik.toml.j2
+++ b/roles/traefik/templates/traefik.toml.j2
@@ -3,14 +3,20 @@ loglevel = "DEBUG"
 [entryPoints]
 [entryPoints.web]
 address = ":80"
+ [entryPoints.web.http.redirections.entryPoint]
+ to = "websecure"
+ scheme = "https"
+ permanent = true
 [entryPoints.websecure]
- address = ":443"
+ address = ":443"
 [entryPoints.ssh]
- address = ":{{ git_ssh_port }}"
+ address = ":{{ git_ssh_port }}"
 [entryPoints.video]
- address = ":{{ jitsi_videobridge_port }}/udp"
+ address = ":{{ jitsi_videobridge_port }}/udp"
 [api]
+ insecure = false
+ dashboard = true
 [providers.docker]
 endpoint = "unix:///var/run/docker.sock"
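Review bot: The new `[api]` table enables the dashboard without recording that, with `insecure = false`, the only path to it is the `api@internal` router and its middleware chain defined in the docker-compose labels; a comment here would stop a future `insecure = true` added for debugging from silently publishing the API and dashboard unauthenticated on Traefik's built-in `traefik` entrypoint (port 8080). Suggested line above `insecure = false`: `# Keep false: the dashboard is reached only through the api@internal router, whose middlewares are the access control.` The hunk also leaves the context line `loglevel = "DEBUG"` in place, which is existing config but worth revisiting now that the file drives a publicly reachable router. The file's first two lines lie outside the hunk.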