diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6a0b115
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+ssl/
diff --git a/conf.d/config.yaml b/conf.d/config.yaml
new file mode 100644
index 0000000..fbf3805
--- /dev/null
+++ b/conf.d/config.yaml
@@ -0,0 +1,15 @@
+http:
+ routers:
+ wild:
+ rule: "Host(`hemlabb.uk`)"
+ entrypoints:
+ - websecure
+ service: "uptime-kuma@docker"
+ tls:
+ certresolver: cloudflare
+ domains:
+ - main: "hemlabb.uk"
+ sans:
+ - "*.hemlabb.uk"
+
+
diff --git a/conf.d/gitea.yaml b/conf.d/gitea.yaml
new file mode 100644
index 0000000..905e8b4
--- /dev/null
+++ b/conf.d/gitea.yaml
@@ -0,0 +1,12 @@
+http:
+ routers:
+ gitea:
+ rule: "Host(`gitea.hemlabb.uk`)"
+ service: gitea
+ entryPoints:
+ - websecure
+ services:
+ gitea:
+ loadBalancer:
+ servers:
+ - url: "https://gitea.lab:3000" # Replace with your service's address
\ No newline at end of file
diff --git a/conf.d/pihole.yaml b/conf.d/pihole.yaml
new file mode 100644
index 0000000..0b35b56
--- /dev/null
+++ b/conf.d/pihole.yaml
@@ -0,0 +1,12 @@
+http:
+ routers:
+ pihole:
+ rule: "Host(`pihole.hemlabb.uk`)"
+ service: pihole
+ entryPoints:
+ - websecure
+ services:
+ pihole:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.1.11/admin" # Replace with your service's address
diff --git a/traefik.yaml b/traefik.yaml
new file mode 100644
index 0000000..86afe10
--- /dev/null
+++ b/traefik.yaml
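Review bot: In conf.d/config.yaml the keys `entrypoints` and `certresolver` are spelled differently from the `entryPoints` / `certResolver` used in conf.d/gitea.yaml and traefik.yaml; even if Traefik accepts both, one spelling keeps the files greppable and avoids a silently ignored key on a stricter loader. This is also the only router on the page that names the `cloudflare` resolver, so the wildcard certificate for `*.hemlabb.uk` appears to depend on it; if that is the intent, a comment above `tls:` such as `# requests the wildcard cert for hemlabb.uk via the cloudflare DNS challenge` would record it. The two trailing blank lines at the end of the file can be dropped.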
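Review bot: The `gitea` router in conf.d/gitea.yaml has no `tls` block, so it falls back to `certResolver: letsencrypt` from the `websecure` entry point in traefik.yaml, and that resolver exists there only as a commented-out stanza; conf.d/pihole.yaml has the same gap. Adding `tls:` with `certResolver: cloudflare` to both routers, or changing the entry-point default to `cloudflare`, would make the intended certificate explicit instead of leaving Traefik to fall back to its default certificate. The backend `https://gitea.lab:3000` will have its certificate verified by Traefik, so if it is signed by a private CA, trust that CA through a `serversTransport` with `rootCAs` rather than turning verification off with `insecureSkipVerify`. The trailing `# Replace with your service's address` is template residue and the file lacks a final newline.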
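Review bot: conf.d/pihole.yaml publishes the Pi-hole admin interface on `websecure` with no `middlewares` entry, so anyone who can reach `pihole.hemlabb.uk` on that entry point is stopped only by whatever authentication Pi-hole itself enforces; an IP allow-list or forward-auth middleware on the `pihole` router would restrict it to the lab network. Traefik's documentation states that a path in a load-balancer server `url` has no effect, so the `/admin` in `http://192.168.1.11/admin` is ignored; use `- url: "http://192.168.1.11"` and add the path with an `addPrefix` or redirect middleware if it is needed. The hop to the backend is plain HTTP, which is worth a comment stating that it stays on the trusted LAN segment.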
@@ -0,0 +1,69 @@
+providers:
+ file:
+ directory: /etc/traefik/conf.d/
+ docker:
+ endpoint: tcp://nas.lab:2375
+ exposedByDefault: false
+ useBindPortIP: true
+entryPoints:
+ web:
+ address: ':80'
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ':443'
+ http:
+ tls:
+ certResolver: letsencrypt
+ traefik:
+ address: ':8080'
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: s.nilsson@me.com
+ storage: /etc/traefik/ssl/acme.json
+ # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
+ caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+ dnsChallenge:
+ provider: cloudflare
+ #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+ #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
+ # letsencrypt:
+ # acme:
+ # email: "foo@bar.com"
+ # storage: /etc/traefik/ssl/acme.json
+ # tlsChallenge: {}
+
+api:
+ dashboard: true
+ insecure: true
+
+tracing: {}
+
+log:
+ filePath: /var/log/traefik/traefik.log
+ format: json
+ level: INFO
+
+accessLog:
+ filePath: /var/log/traefik/traefik-access.log
+ format: json
+ filters:
+ statusCodes:
+ - "200"
+ - "400-599"
+ retryAttempts: true
+ minDuration: "10ms"
+ bufferingSize: 0
+ fields:
+ headers:
+ defaultMode: drop
+ names:
+ User-Agent: keep
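Review bot: `endpoint: tcp://nas.lab:2375` in traefik.yaml reaches the Docker API over plain, unauthenticated TCP, and any host that can connect to that port can control every container and, in practice, the NAS itself; prefer a TLS endpoint with client certificates (the provider's `tls` options), an `ssh://` endpoint, or a read-only socket proxy in front of the daemon. `api.insecure: true` together with the `traefik` entry point on `:8080` serves the dashboard and API without authentication; set `insecure: false` and publish `api@internal` through a router that carries an auth middleware. `entryPoints.websecure.http.tls.certResolver: letsencrypt` names a resolver that is only present as a commented-out stanza, so it should read `certResolver: cloudflare` or the stanza should be restored. `caServer` still points at the Let's Encrypt staging directory, so issued certificates will not be trusted by clients until the prod line is re-enabled.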