diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f63b25b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+passphrase
diff --git a/docker-compose.yml b/docker-compose.yml
index 1175613..faa79a9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,86 +1,84 @@ -version: "3.3" - +--- services: - traefik: - image: "traefik:latest" - container_name: "traefik" - command: -# - "--log.level=DEBUG" # disable in prod - - "--api.insecure=true" # disable in prod - - "--providers.docker=true" - - "--providers.docker.exposedbydefault=false" - - "--providers.file.directory=/etc/traefik/dynamic_conf.d" - - "--entryPoints.https.address=:443" - - "--entryPoints.http.address=:80" - - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/letsencrypt/acme.json" - - "--certificatesresolvers.letsencrypt.acme.email=infra@clps.ch" - - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true" - volumes: - - "/home/cloud/traefik/dynamic_conf.d:/etc/traefik/dynamic_conf.d/" - - "/home/cloud/traefik/letsencrypt/acme.json:/etc/traefik/letsencrypt/acme.json" - - "/var/run/docker.sock:/var/run/docker.sock:ro" + image: traefik:latest restart: unless-stopped + container_name: traefik + command: + - --api.insecure=true # disable in prod + - --certificatesresolvers.letsencrypt.acme.email=infra@clps.ch + - --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme.json + - --certificatesresolvers.letsencrypt.acme.tlschallenge=true + - --entrypoints.http.address=:80 + - --entrypoints.http.http.redirections.entrypoint.to=https + - --entrypoints.https.address=:443 + - --log.level=info + - --providers.docker.exposedbydefault=false + - --providers.docker=true ports: - "80:80" - "443:443" - "8069:8080" + volumes: + - ./traefik/acme.json:/etc/traefik/acme.json + - /var/run/docker.sock:/var/run/docker.sock:ro grafana: - image: "grafana/grafana:latest" - container_name: "grafana" - labels: - - "traefik.enable=true" - - "traefik.http.routers.grafana.rule=Host(`grafana.clps.ch`)" - - "traefik.http.routers.grafana.entrypoints=https" - - "traefik.http.routers.grafana.tls.certresolver=letsencrypt" - - "traefik.http.routers.grafana.tls=true" - - "traefik.http.services.grafana.loadbalancer.server.port=3000" - depends_on: - - traefik 
+ image: grafana/grafana:latest restart: unless-stopped + container_name: grafana environment: - GF_SECURITY_ADMIN_USER=admin - GF_SECURITY_ADMIN_PASSWORD=grafana + #labels: + # - traefik.enable=true + # - traefik.http.routers.grafana.entrypoints=https + # - traefik.http.routers.grafana.rule=Host(`grafana.clps.ch`) + # - traefik.http.routers.grafana.tls.certresolver=letsencrypt + # - traefik.http.services.grafana.loadbalancer.server.port=3000 volumes: - - ./grafana:/etc/grafana/provisioning/datasources + - ./grafana/:/etc/grafana/provisioning/datasources/ prometheus: - image: "prom/prometheus:latest" - container_name: "prometheus" - command: - - '--config.file=/etc/prometheus/prometheus.yml' + image: prom/prometheus:latest restart: unless-stopped + container_name: prometheus + command: + - --config.file=/etc/prometheus/prometheus.yml + #labels: + # - traefik.enable=true + # - traefik.http.routers.prometheus.entrypoints=https + # - traefik.http.routers.prometheus.rule=Host(`prom.clps.ch`) + # - traefik.http.routers.prometheus.tls.certresolver=letsencrypt + # - traefik.http.services.prometheus.loadbalancer.server.port=9090 volumes: - - ./prometheus:/etc/prometheus - - prom_data:/prometheus - #labels: # We might want to reserve this interface to a closed network - # - "traefik.enable=true" - # - "traefik.http.routers.prometheus.rule=Host(`prom.clps.ch`)" - # - "traefik.http.routers.prometheus.entrypoints=https" - # - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt" - # - "traefik.http.routers.prometheus.tls=true" - # - "traefik.http.services.prometheus.loadbalancer.server.port=9090" - depends_on: - - traefik + - ./prometheus/:/etc/prometheus/:ro + - prom_data:/prometheus/ nextcloud: - image: "nextcloud/all-in-one:latest" - container_name: "nextcloud-aio-mastercontainer" + image: nextcloud/all-in-one:latest + restart: unless-stopped + container_name: nextcloud-aio-mastercontainer init: true environment: - - "APACHE_PORT=11000" - - 
"APACHE_IP_BINDING=0.0.0.0" + - APACHE_PORT=11000 + - SKIP_DOMAIN_VALIDATION=true + labels: + - traefik.enable=true + - traefik.http.middlewares.nextcloud_headers.headers.hostsProxyHeaders=X-Forwarded-Host + - traefik.http.middlewares.nextcloud_headers.headers.referrerPolicy=same-origin + - traefik.http.routers.nextcloud.entrypoints=https + - traefik.http.routers.nextcloud.middlewares=nextcloud_headers + - traefik.http.routers.nextcloud.rule=Host(`cloud.clps.ch`) + - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt + - traefik.http.services.nextcloud.loadbalancer.server.port=11000 ports: - - "8080:8080" # disable in prod - - "8443:8443" # disable in prod + - "8080:8080" # disable in prod volumes: - - "nextcloud_aio_mastercontainer:/mnt/docker-aio-config" - - "/var/run/docker.sock:/var/run/docker.sock:ro" - depends_on: - - traefik - restart: unless-stopped + - nextcloud_aio_mastercontainer:/mnt/docker-aio-config + - /var/run/docker.sock:/var/run/docker.sock:ro volumes: nextcloud_aio_mastercontainer: + name: nextcloud_aio_mastercontainer prom_data: diff --git a/traefik/.gitignore b/traefik/.gitignore new file mode 100644 index 0000000..08a7346 --- /dev/null +++ b/traefik/.gitignore @@ -0,0 +1 @@ +acme.json diff --git a/traefik/dynamic_conf.d/nextcloud.yml b/traefik/dynamic_conf.d/nextcloud.yml deleted file mode 100644 index 4414f26..0000000 --- a/traefik/dynamic_conf.d/nextcloud.yml +++ /dev/null 
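Review bot: The Traefik service still publishes its API and dashboard without authentication: `--api.insecure=true` is kept in the new command list and `"8069:8080"` binds container port 8080 on every host interface, so the dashboard and the `/api` endpoints that reveal the full routing configuration are reachable from outside the host, while the carried-over "# disable in prod" comment is not acted on even though the commit adds the production http→https redirect. At minimum restrict the mapping to the loopback interface, `- "127.0.0.1:8069:8080"`, or drop the port and expose the dashboard through a router on `api@internal` behind an authentication middleware. The new bind mount `./traefik/acme.json:/etc/traefik/acme.json` requires that `traefik/acme.json` already exists as a regular file with mode 0600, since Docker creates a directory at that path when it is missing and Traefik rejects an acme.json whose permissions are more open than 0600; a one-line setup note (`touch traefik/acme.json && chmod 600 traefik/acme.json`) next to the new `traefik/.gitignore` would save the first deploy. The context lines also still carry `GF_SECURITY_ADMIN_PASSWORD=grafana`, and the `:ro` flag on the two docker.sock mounts only makes the socket file read-only, it does not limit what the Traefik and Nextcloud AIO containers can do through the Docker API. This hunk covers the whole of docker-compose.yml and its lines are collapsed onto three physical lines here.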
@@ -1,35 +0,0 @@
-http:
- routers:
- nextcloud:
- rule: "Host(`cloud.clps.ch`)"
- entrypoints:
- - "https"
- service: nextcloud
- middlewares:
- - nextcloud-chain
- tls:
- certresolver: "letsencrypt"
-
- services:
- nextcloud:
- loadBalancer:
- servers:
- - url: "http://nextcloud-aio-mastercontainer:11000" # Use the host's IP address if Traefik runs outside the host network
-
- middlewares:
- nextcloud-secure-headers:
- headers:
- hostsProxyHeaders:
- - "X-Forwarded-Host"
- referrerPolicy: "same-origin"
-
- https-redirect:
- redirectscheme:
- scheme: https
-
- nextcloud-chain:
- chain:
- middlewares:
- # - ... (e.g. rate limiting middleware)
- - https-redirect
- - nextcloud-secure-headers
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
deleted file mode 100644
index 3e66149..0000000
--- a/traefik/traefik.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# STATIC CONFIGURATION
-
-entryPoints:
- https:
- address: ":443" # Create an entrypoint called "https" that uses port 443
- # If you want to enable HTTP/3 support, uncomment the line below
- # http3: {}
- web:
- address: ":80"
-
-certificatesResolvers:
- # Define "letsencrypt" certificate resolver
- letsencrypt:
- acme:
- storage: /letsencrypt/acme.json # Defines the path where certificates should be stored
- email: "infra@clps.ch" #Where LE sends notification about certificates expiring
- tlschallenge: true
-
-providers:
- file:
- directory: "/etc/traefik/dynamic_conf.d" # Adjust the path according your needs.
- watch: true
-
-# Enable HTTP/3 feature by uncommenting the lines below. Don't forget to route 443 UDP to Traefik (Firewall\NAT\Traefik Container)
- # experimental:
- # http3: true