diff --git a/compose.libsonnet b/compose.libsonnet
index 7c5e867..2c1fe0d 100644
--- a/compose.libsonnet
+++ b/compose.libsonnet
@@ -17,10 +17,12 @@ local traefikLabels(name, host, port, extras) = toLabels({
 'traefik.enable': 'true',
 ['traefik.http.routers.%s.rule' % name]: 'Host(`%s.mat`)' % host,
 ['traefik.http.routers.%s.entrypoints' % name]: 'web',
- ['traefik.http.services.%s.loadbalancer.server.port' % name]: port,
- ['traefik.http.routers.%s.service' % name]: '%s' % name,
+ ['traefik.http.routers.%s-tls.rule' % name]: 'Host(`%s.home.mat.services`)' % host,
+ ['traefik.http.routers.%s-tls.entrypoints' % name]: 'web-tls',
 'traefik.docker.network': 'traefik',
-} + extras);
+} + extras + if port == null then {} else {
+ ['traefik.http.services.%s.loadbalancer.server.port' % name]: port
+});
 local mkNetwork(svc) = if std.get(svc, 'gluetun', false) then {
 network_mode: 'service:gluetun',
@@ -35,7 +37,12 @@ local mkService(name, svc) = svc {
 + if std.get(svc, 'docker', false) then [dockerSocket] else [],
- labels: traefikLabels(name, std.get(svc, 'host', name), svc.webPort, optional(svc, 'traefik')),
+ labels: traefikLabels(
+ name,
+ std.get(svc, 'host', name),
+ svc.webPort,
+ optional(svc, 'traefik')
+ ),
 restart: std.get(svc, 'restart', 'always'),
 } + mkNetwork(svc);
@@ -70,7 +77,7 @@ local mediaMounts(mounts) = {
 MediaMounts:: mediaMounts,
- MediaService(name, tag='latest', env={}, mounts={}, webPort, ports=[], extras={}):: {
+ MediaService(name, tag='latest', env={}, mounts={}, webPort=null, ports=[], extras={}):: {
 image: 'lscr.io/linuxserver/%s:%s' % [name, tag],
 environment: mediaEnv + env,
 volumes: { ['media_%s_config' % name]: '/config' },
diff --git a/services.jsonnet b/services.jsonnet
index 92e89a1..786d8a1 100644
--- a/services.jsonnet
+++ b/services.jsonnet
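Review bot: When `port == null` only the loadbalancer port label is dropped, while `traefik.enable` and both `%s` / `%s-tls` routers are still emitted, so Traefik will still publish the service under both hostnames and fall back to Docker port detection for the backend, which only works when the container exposes exactly one port and otherwise routes to whatever Traefik resolves rather than to a port the author chose. If a null `webPort` is meant to mean "not routed through Traefik", the whole label set should be conditional, e.g. `local traefikLabels(name, host, port, extras) = if port == null then extras else toLabels({ ... }) + extras;`. Dropping the explicit `traefik.http.routers.%s.service` label relies on Traefik auto-attaching routers to the single service of a container, which holds only as long as `extras` never defines a second service for the same container. The signature of traefikLabels is visible only in the hunk header.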
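Review bot: `svc.webPort` in the re-wrapped `labels:` call still requires every service object to define `webPort`, so the new `webPort=null` default introduced for MediaService does not reach hand-written services, which fail evaluation with a missing-field error instead of taking the null-port branch of traefikLabels. Using `std.get(svc, 'webPort')` on that argument line would route both kinds of service through the same branch (the `::` field is hidden, and std.get includes hidden fields by default). The mkService body starts and ends outside the hunk.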
@@ -24,9 +24,11 @@ function(secrets={})
 WIREGUARD_ADDRESSES: std.get(secrets, 'WIREGUARD_ADDRESSES'),
 },
 ports: [
- Port(8888),
- Port(8388),
- Port(8388, kind='udp'),
+ // http proxy
+ // Port(8888),
+ // shadowsocks proxy
+ // Port(8388),
+ // Port(8388, kind='udp'),
 ],
 webPort:: 8000,
 volumes: { gluetun_data: '/gluetun' },
@@ -39,37 +41,47 @@ function(secrets={})
 'providers.docker': 'true',
 'providers.docker.exposedbydefault': 'false',
 'entrypoints.web.address': ':80',
- // 'entrypoints.websecure.address': ':443',
+ 'entrypoints.web.http.redirections.entrypoint.to': 'web-tls',
+ 'entrypoints.web-tls.address': ':443',
+ 'entrypoints.web-tls.http.tls.domains[0].main': 'home.mat.services',
+ 'entrypoints.web-tls.http.tls.domains[0].sans': '*.home.mat.services',
+ 'entrypoints.web-tls.http.tls.certresolver': 'letsencrypt',
+ 'certificatesresolvers.letsencrypt.acme.dnschallenge': true,
+ 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider': 'luadns',
+ 'certificatesresolvers.letsencrypt.acme.email': 'mat@mat.services',
+ 'certificatesresolvers.letsencrypt.acme.storage': '/letsencrypt/acme.json',
 }),
 docker:: true,
 webPort:: 8080,
 ports: [
 Port(80),
- // Port(443),
+ Port(443),
 ],
+ environment: {
+ LUADNS_API_USERNAME: 'mat@mat.services',
+ LUADNS_API_TOKEN: std.get(secrets, 'LUADNS_API_TOKEN'),
+ },
 traefik:: {
 // 'traefik.http.routers.http-catchall.rule': 'hostregexp(`{host:.+}`)'
 // 'traefik.http.routers.http-catchall.entrypoints': 'web'
 // 'traefik.http.routers.http-catchall.middlewares': 'redirect-to-https'
 // 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme': 'https'
 },
+ volumes: { letsencrypt_data: '/letsencrypt' }
 },
 portainer: {
 image: 'portainer/portainer-ce:latest',
 docker:: true,
 volumes: { portainer_portainer_data: '/data' },
 webPort:: 9000,
- ports: [Port(9443)],
+ // useful when traefik is having issues
+ // ports: [Port(9443)],
 },
 deluge: MediaService(
 name='deluge',
 env={ DELUGE_LOGLEVEL: 'error' },
 mounts={ torrents: '/downloads' },
 webPort=8112,
- // ports=[
- // Port(54979),
- // Port(54979, kind='udp'),
- // ],
 extras={ gluetun:: true },
 ),
 prowlarr: MediaService(
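Review bot: The entrypoint-level redirect `'entrypoints.web.http.redirections.entrypoint.to': 'web-tls'` applies to every request arriving on `web`, including the `Host(...)` routers for the `.mat` names that traefikLabels still attaches to `web`, so those names are bounced to :443 where no router matches them and the wildcard certificate only covers `*.home.mat.services`; unless the `.mat` names are being retired, those routers need to move to `web-tls` too, or the redirect should be a per-router middleware rather than an entrypoint setting. `LUADNS_API_TOKEN: std.get(secrets, 'LUADNS_API_TOKEN')` silently evaluates to null when the secret is missing and only surfaces later as a failed ACME challenge; failing at evaluation time, e.g. `LUADNS_API_TOKEN: if 'LUADNS_API_TOKEN' in secrets then secrets.LUADNS_API_TOKEN else error 'LUADNS_API_TOKEN secret missing'`, makes the misconfiguration visible where it is introduced. The DNS API token is handed over as a plain container environment variable, readable by anything that can inspect the container (several services here mount the Docker socket via `docker:: true`); if file-based secrets are available, the `LUADNS_API_TOKEN_FILE` form accepted by Traefik's ACME DNS providers keeps it out of the container's inspectable environment. Since every traefikLabels router now also gets a `*.home.mat.services` name on :443 and the `traefik::` block is still fully commented out, everything routed this way is served without an auth middleware — acceptable for a LAN-only :443, but worth a middleware if that port is reachable beyond it.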
@@ -128,15 +140,22 @@ function(secrets={})
 devices: ['/dev/dri:/dev/dri'],
 webPort:: 32400,
 ports: [
+ // plex
 Port(32400),
+ // companion
 Port(3005),
- Port(8324),
+ // dlna
 Port(32469),
 Port(1900, kind='udp'),
+ // gdm network discovery
 Port(32410, kind='udp'),
 Port(32412, kind='udp'),
 Port(32413, kind='udp'),
 Port(32414, kind='udp'),
+ // bonjour/avahi
+ // Port(5353, kind='udp'),
+ // plex for roku via companion
+ // Port(8324),
 ],
 },
 archivebox: {