diff --git a/lxc1/p1-ingress/pre-consolidation-traefik.bak0 b/lxc1/p1-ingress/pre-consolidation-traefik.bak0
new file mode 100644
index 0000000..d325855
--- /dev/null
+++ b/lxc1/p1-ingress/pre-consolidation-traefik.bak0
@@ -0,0 +1,51 @@
+services:
+ traefik:
+ image: traefik:latest
+ container_name: traefik-node${TRAEFIK_NODE_ID}
+ network_mode: host
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+ cpus: 1.0
+ mem_limit: "1024m"
+ mem_reservation: "128m"
+ restart: always
+ command:
+ - "--api.dashboard=true"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.docker.useBindPortIP=false"
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.websecure.address=:443"
+ # Variables for flexibility
+ - "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
+ - "--providers.file.directory=/etc/traefik/dynamic"
+ - "--providers.file.watch=true"
+ ## DNS resolver
+ - "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
+ - "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
+ - "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
+ - "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
+ - "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+ - "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
+ - "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
+ ## HTTP Resolver
+ - "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
+ - "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
+ - "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
+ ## mysresolver resolver for old configs
+ - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
+ - "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+ environment:
+ - DESEC_TOKEN=${DESEC_TOKEN}
+ - DESEC_DOMAIN=${DESEC_DOMAIN}
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "/docker/traefik/letsencrypt:/letsencrypt"
+ - "/docker/traefik/dynamic:/etc/traefik/dynamic"
\ No newline at end of file
diff --git a/lxc1/p1-ingress/traefik.yml b/lxc1/p1-ingress/traefik.yml
index d325855..e6bf033 100644
--- a/lxc1/p1-ingress/traefik.yml
+++ b/lxc1/p1-ingress/traefik.yml
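Review bot: Committing `pre-consolidation-traefik.bak0` keeps a second copy of the old configuration, including `--api.insecure=true`, next to the live file, even though the history of `traefik.yml` already preserves the pre-consolidation state; a stale copy like this tends to be mistaken for current config by a later reader. If it must stay, a first-line comment such as `# Superseded by traefik.yml; kept for reference only, not loaded by compose` would make its status explicit.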
@@ -10,41 +10,40 @@ services:
 mem_reservation: "128m"
 restart: always
 command:
+ # --- Core & API ---
 - "--api.dashboard=true"
- - "--api.insecure=true"
+ # REMOVED: --api.insecure=true (We will route the dashboard securely via Traefik labels instead)
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
- - "--providers.docker.useBindPortIP=false"
- - "--entrypoints.web.address=:80"
- - "--entrypoints.websecure.address=:443"
- # Variables for flexibility
- - "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}"
+ - "--providers.docker.network=${HOME_EXT_NETWORK},${DNS_EXT_NETWORK}" # Ensure these are correct!
 - "--providers.file.directory=/etc/traefik/dynamic"
 - "--providers.file.watch=true"
- ## DNS resolver
- - "--certificatesresolvers.dns_resolver.acme.dnschallenge=true"
- - "--certificatesresolvers.dns_resolver.acme.dnschallenge.provider=desec"
- - "--certificatesresolvers.dns_resolver.acme.dnschallenge.delaybeforecheck=90"
- - "--certificatesresolvers.dns_resolver.acme.dnschallenge.disablepropagationcheck=true"
- - "--certificatesresolvers.dns_resolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
- - "--certificatesresolvers.dns_resolver.acme.email=${ACME_EMAIL}"
- - "--certificatesresolvers.dns_resolver.acme.storage=/letsencrypt/acme.json"
- ## HTTP Resolver
- - "--certificatesresolvers.http_resolver.acme.httpchallenge=true"
- - "--certificatesresolvers.http_resolver.acme.httpchallenge.entrypoint=web"
- - "--certificatesresolvers.http_resolver.acme.storage=/letsencrypt/acme.json"
- - "--certificatesresolvers.http_resolver.acme.email=${ACME_EMAIL}"
- ## mysresolver resolver for old configs
- - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
- - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=desec"
- - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=90"
- - "--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true"
- - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
- - "--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}"
- - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+
+ # --- Entrypoints ---
+ - "--entrypoints.web.address=:80"
+ # Global Redirect: Force HTTP -> HTTPS for everyone
+ - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+
+ - "--entrypoints.websecure.address=:443"
+ # WILDCARD BLANKET: This tells Traefik "Use deSEC to get a wildcard cert for EVERYTHING on port 443"
+ - "--entrypoints.websecure.http.tls.certresolver=desec"
+ - "--entrypoints.websecure.http.tls.domains[0].main=mapletree.email"
+ - "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email"
+ - "--entrypoints.websecure.http.tls.domains[0].sans=*.dev.mapletree.email" # Optional: Add your dev subdomain too
+ - "--entrypoints.websecure.http.tls.domains[0].sans=*.test.mapletree.email"
+
+ # --- One Resolver to Rule Them All (deSEC) ---
+ # I renamed this to 'desec' for clarity.
+ - "--certificatesresolvers.desec.acme.dnschallenge=true"
+ - "--certificatesresolvers.desec.acme.dnschallenge.provider=desec"
+ - "--certificatesresolvers.desec.acme.email=${ACME_EMAIL}"
+ - "--certificatesresolvers.desec.acme.storage=/letsencrypt/acme.json"
+ # Optimization: deSEC is fast; we don't need massive delays or propagation checks
+ - "--certificatesresolvers.desec.acme.dnschallenge.delaybeforecheck=10"
+ - "--certificatesresolvers.desec.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
 environment:
 - DESEC_TOKEN=${DESEC_TOKEN}
- - DESEC_DOMAIN=${DESEC_DOMAIN}
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - "/docker/traefik/letsencrypt:/letsencrypt"
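Review bot: Routers that still name the deleted resolvers will lose their certificates after this hunk: the removed `myresolver` block was commented as being kept "for old configs", and `dns_resolver` and `http_resolver` go away too, so any container label or dynamic-file router with `tls.certresolver=myresolver` (or either of the other two) now references a resolver that no longer exists and will most likely be served Traefik's default certificate instead of the wildcard. Either migrate those labels in the same change or keep `--certificatesresolvers.myresolver.*` as a second copy of the deSEC settings until they are gone. Two smaller points in the new entrypoint block: the three `domains[0].sans=` lines repeat one key, and I am not certain the CLI parser accumulates repeated keys, so the documented comma-separated form `- "--entrypoints.websecure.http.tls.domains[0].sans=*.mapletree.email,*.dev.mapletree.email,*.test.mapletree.email"` is the safer spelling; and `mapletree.email` is hard-coded while every other site-specific value in this file is a `${...}` variable, so a `${TLS_DOMAIN}`-style variable (name constructed here) would keep the file consistent. The `REMOVED: --api.insecure=true` comment defers the dashboard to labels that are not in this diff; with `--api.dashboard=true` kept, the `api@internal` router should not be attached to `websecure` without an auth middleware in front of it.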