diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 8075c75..10a3b23 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -34,6 +34,26 @@ services:
 - geoip:/geoip
 networks:
 - backend
+ - dokploy-network
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=dokploy-network"
+
+ - "traefik.http.services.sso-server.loadbalancer.server.port=9443" # set port the container listenes to
+ - "traefik.http.services.sso-server.loadbalancer.server.scheme=https"
+
+ - "traefik.http.routers.sso-server-web.rule=Host(`${PUBLIC_DOMAIN}`)"
+ - "traefik.http.routers.sso-server-web.entrypoints=web"
+ - "traefik.http.routers.sso-server-web.service=sso-server"
+ - "traefik.http.routers.sso-server-web.middlewares=redirect-to-https@file"
+
+ - "traefik.http.routers.sso-server-websecure.entrypoints=websecure"
+ - "traefik.http.routers.sso-server-websecure.rule=Host(`${PUBLIC_DOMAIN}`)" # change hostname!
+ - "traefik.http.routers.sso-server-websecure.tls=true"
+ - "traefik.http.routers.sso-server-websecure.tls.certresolver=hetzner"
+ - "traefik.http.routers.sso-server-websecure.tls.domains[0].main=${TLS_DOMAIN}"
+ - "traefik.http.routers.sso-server-websecure.middlewares=secHeaders@file, hsts-header@file"
+ - "traefik.http.routers.sso-server-websecure.service=sso-server"
 worker:
 image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
@@ -57,4 +77,6 @@ volumes:
 driver: local
 networks:
- backend:
\ No newline at end of file
+ backend:
+ dokploy-network:
+ external: true
\ No newline at end of file
diff --git a/env.prod.template b/env.prod.template
index ab1c797..829a172 100644
--- a/env.prod.template
+++ b/env.prod.template
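Review bot: The two router rules and the `tls.domains[0].main` label in the first docker-compose.override.yml hunk interpolate `${PUBLIC_DOMAIN}` and `${TLS_DOMAIN}` with no guard, so an unset variable renders an empty Host() rule or certificate domain with nothing more than a Compose warning; the `worker` image line in the same hunk already uses the `:?` form, and the labels should follow it with `${PUBLIC_DOMAIN:?PUBLIC_DOMAIN is not configured}` and `${TLS_DOMAIN:?TLS_DOMAIN is not configured}`. The backend is declared as `scheme=https` on port 9443, so Traefik either has to verify the container's certificate or relies on a servers transport that skips verification; neither is visible here, and a comment next to the label should say which one applies. Attaching the service to the shared external `dokploy-network` also lets any other stack on that network reach the server without passing the `secHeaders@file` and `hsts-header@file` middlewares, and the same commit removes `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS` from env.prod.template, which presumably falls back to authentik's built-in list; confirm that list is no wider than the Traefik subnet, otherwise a peer on the network could supply its own forwarded-client headers. The trailing comment `# change hostname!` is stale now that the rule reads the variable, `listenes` should be `listens`, and the service definition these labels belong to starts above the hunk.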
@@ -1,10 +1,11 @@
 # SETTINGS from env.template
 # Misc configuration
-PUBLIC_DOMAIN=sso.s1q.dev
 COMPOSE_PROJECT_NAME=sso-s1q-dev
+PUBLIC_DOMAIN=sso.s1q.dev
+TLS_DOMAIN=*.s1q.dev
 # Server Versions
-AUTHENTIK_TAG=2025.6.4
+AUTHENTIK_TAG=2025.4.2
 POSTGRES_TAG=16.9-alpine
 REDIS_TAG=8.0-alpine
@@ -29,9 +30,6 @@ AUTHENTIK_EMAIL__FROM=sso@s1q.dev
 # COMPOSE_PORT_HTTP=80
 # COMPOSE_PORT_HTTPS=443
-# Liste settings
-AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16"
-
 # MaxMind GeoIP
 GEOIPUPDATE_ACCOUNT_ID=1093308
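Review bot: `AUTHENTIK_TAG` moves from 2025.6.4 back to 2025.4.2 in the first env.prod.template hunk with no reason given in the visible lines; for an identity provider this gives up whatever fixes shipped between the two releases, and as far as I know authentik does not support running an older server against a database already migrated by a newer one. The template should either stay on the newer tag or carry a comment such as `# pinned to 2025.4.2 because <reason>; revisit by <date>` so the rollback is not copied into production silently. `TLS_DOMAIN=*.s1q.dev` requests a wildcard certificate from the `hetzner` resolver while the router rule only matches `sso.s1q.dev`; unless other services are meant to share it, `TLS_DOMAIN=sso.s1q.dev` keeps the certificate's scope to the one host.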