diff --git a/modules/server/containers/defs/traefik.nix b/modules/server/containers/defs/traefik.nix
index a3631d1..35b22bc 100644
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -19,15 +19,28 @@ in {
 image = "traefik:${version}";
 ip = containerCfg.ip;
 secret = name;
- extraEnv = {
- config.sops.secrets.INFOMANIAK_API_KEY.path
+ extraLabels = {
+ "traefik.http.routers.${subdomain}.priority" = "10";
+ "traefik.http.routers.${subdomain}.service" = "api@internal";
+ "traefik.http.routers.${subdomain}.middlewares" = "authentik";
 };
 overrides = {
 cmd = [
 "--api"
 "--providers.docker=true"
+ "--global.checknewversion=false"
+ "--global.sendanonymoususage=false"
+ "--api.debug=false"
+ "--api.insecure=true"
+ "--api.dashboard=true"
+ "--core.defaultrulesyntax=v3"
+ "--providers.docker.exposedByDefault=false"
 "--entrypoints.web.address=:80"
 "--entrypoints.web-secure.address=:443"
+ "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+ "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+ "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
+ "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
 ];
 ports = [ "443" "80" ];
 volumes = [
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index 520231f..74e3b2e 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -27,6 +27,11 @@
 mailServer = "infomaniak.ch";
 containers = {
+
+ traefik = {
+ enable = true;
+ subdomain = "traefik";
+ };
 authentik = {
 enable = true;
 db = true;
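Review bot: `"--api.insecure=true"` in the new `cmd` flags of modules/server/containers/defs/traefik.nix turns on Traefik's unauthenticated API/dashboard listener (the internal `traefik` entrypoint, port 8080 by default), so the `authentik` middleware set in `extraLabels` guards only the routed `api@internal` path and not that listener. Because the router label already publishes `api@internal`, the line should be dropped or changed to `"--api.insecure=false"`. The `trustedips` list accepts PROXY protocol headers from whole /16 ranges (`192.168.1.1/16` has host bits set and presumably resolves to 192.168.0.0/16), which lets any host in them assert an arbitrary client address; listing only the fronting proxy's address is tighter. `readtimeout=0s` removes the read timeout on `web-secure`, so a comment such as `# readtimeout=0s: required for <reason>` or a finite value is worth adding. The container definition starts above and continues below this hunk, so whether a rule, TLS and `traefik.enable` label are generated for the router cannot be seen here.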