diff --git a/bin/dumpcerts b/bin/dumpcerts
new file mode 100755
index 0000000..f417985
--- /dev/null
+++ b/bin/dumpcerts
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Dump Traefik certs and install into containers that need them
+
+if ! command -v traefik-certs-dumper &> /dev/null; then
+	failcheck "FAILED - traefik-certs-dumper tool not installed"
+fi
+
+traefik-certs-dumper file --version v2 --source /federated/apps/traefik/data/letsencrypt/acme.json --dest /federated/certs &> /dev/null
+
+# Install into PostgreSQL container
+cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/postgresql/data/var/lib/postgresql/server.crt
+cp /federated/apps/certs/private/$DOMAIN.key /federated/apps/postgresql/data/var/lib/postgresql/server.key
+chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
+chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
+
+# Install into LDAP container
+cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/ldap/data/certs/
+
+# Install into Mail container
+cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/
+
+# Install into Collabora container
+cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/collabora/data/root/certs/
+chown 104 /federated/apps/collabora/data/root/certs/*
+
+# Install into Matrix container
+cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/matrix/data/matrix/
+chmod 644 /federated/apps/matrix/data/matrix/$DOMAIN.crt /federated/apps/matrix/data/matrix/$DOMAIN.key
diff --git a/bin/install-federated b/bin/install-federated
index d30811a..05445a1 100755
--- a/bin/install-federated
+++ b/bin/install-federated
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 #
 # Federated installation script
 
@@ -34,8 +34,13 @@ get_config() {
   . /federated/lib/proxy.sh
   . /federated/lib/wireguard.sh
   . /federated/lib/baserow.sh
+  . /federated/lib/calcom.sh
   . /federated/lib/gitea.sh
   . /federated/lib/caddy.sh
+  . /federated/lib/pdns-mysql.sh
+  . /federated/lib/pdns.sh
+  . /federated/lib/pdnsadmin.sh
+  . /federated/lib/pdns-static.sh
   
   COUNTRIES=("AF" "AL" "DZ" "AS" "AD" "AO" "AI" "AQ" "AG" "AR" "AM" "AW" "AU" "AT" "AZ" "BS" "BH" "BD" "BB" "BY" "BE" "BZ" "BJ" "BM" "BT" "BO" "BO" "BA" "BW" "BV" "BR" "IO" "BN" "BN" "BG" "BF" "BI" "KH" "CM" "CA" "CV" "KY" "CF" "TD" "CL" "CN" "CX" "CC" "CO" "KM" "CG" "CD" "CK" "CR" "CI" "CI" "HR" "CU" "CY" "CZ" "DK" "DJ" "DM" "DO" "EC" "EG" "SV" "GQ" "ER" "EE" "ET" "FK" "FO" "FJ" "FI" "FR" "GF" "PF" "TF" "GA" "GM" "GE" "DE" "GH" "GI" "GR" "GL" "GD" "GP" "GU" "GT" "GG" "GN" "GW" "GY" "HT" "HM" "VA" "HN" "HK" "HU" "IS" "IN" "ID" "IR" "IQ" "IE" "IM" "IL" "IT" "JM" "JP" "JE" "JO" "KZ" "KE" "KI" "KP" "KR" "KR" "KW" "KG" "LA" "LV" "LB" "LS" "LR" "LY" "LY" "LI" "LT" "LU" "MO" "MK" "MG" "MW" "MY" "MV" "ML" "MT" "MH" "MQ" "MR" "MU" "YT" "MX" "FM" "MD" "MC" "MN" "ME" "MS" "MA" "MZ" "MM" "MM" "NA" "NR" "NP" "NL" "AN" "NC" "NZ" "NI" "NE" "NG" "NU" "NF" "MP" "NO" "OM" "PK" "PW" "PS" "PA" "PG" "PY" "PE" "PH" "PN" "PL" "PT" "PR" "QA" "RE" "RO" "RU" "RU" "RW" "SH" "KN" "LC" "PM" "VC" "VC" "VC" "WS" "SM" "ST" "SA" "SN" "RS" "SC" "SL" "SG" "SK" "SI" "SB" "SO" "ZA" "GS" "SS" "ES" "LK" "SD" "SR" "SJ" "SZ" "SE" "CH" "SY" "TW" "TW" "TJ" "TZ" "TH" "TL" "TG" "TK" "TO" "TT" "TN" "TR" "TM" "TC" "TV" "UG" "UA" "AE" "GB" "US" "UM" "UY" "UZ" "VU" "VE" "VE" "VN" "VN" "VG" "VI" "WF" "EH" "YE" "ZM" "ZW")
 
@@ -53,6 +58,19 @@ get_config() {
   else
     failcheck "/federated/bin/.env doesn't exist"
   fi 
+
+  # Setup DOMAIN variable for domain or subdomain
+  DOMAIN_ARRAY=(${DOMAIN//./ })
+  if [ "${#DOMAIN_ARRAY[@]}" -eq "2" ]; then
+    DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+    DOMAIN_LAST=${DOMAIN_ARRAY[1]}
+  elif [ "${#DOMAIN_ARRAY[@]}" -eq "3" ]; then
+    DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+    DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
+    DOMAIN_LAST=${DOMAIN_ARRAY[2]}
+  else
+    failcheck "$DOMAIN is not a valid domain.com or sub.domain.com"
+  fi
 }
 
 while getopts d OPTION; do
@@ -77,11 +95,13 @@ check_ports
 config_network
 
 # Configure and start each federated service
-for i in dns postgresql ldap mail collabora proxy nextcloud matrix element listmonk vaultwarden panel wireguard jitsi baserow gitea caddy; do
+#for i in pdnsmysql pdns pdnsadmin traefik postgresql ldap mail collabora nextcloud matrix element listmonk vaultwarden panel wireguard jitsi baserow gitea caddy; do
+for i in "${SERVICES[@]}"; do
 	config_$i
 	start_$i
 done
 
+# Add cron jobs for backup, upgrade, dumpcerts
 add_cron
 
 # Print out federated environment details
diff --git a/bin/start b/bin/start
index 6ad7e16..ae7b002 100755
--- a/bin/start
+++ b/bin/start
@@ -1,9 +1,11 @@
 #!/bin/bash
 #
 # Federated Start Script
+. /federated/lib/functions.sh
 
 usage() {
-  echo "$0: all|dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy"
+  printf -v SERVICES_JOINED '%s|' "${SERVICES[@]}"
+  echo "$0: ${SERVICES_JOINED%|}"
   exit 2
 }
 startservice() {
@@ -11,7 +13,7 @@ startservice() {
   cd /federated/apps/$SERVICE && docker-compose -f docker-compose.yml -p $SERVICE up -d
 }
 startservice_all() {
-  for i in dns postgresql ldap mail collabora nextcloud matrix element jitsi listmonk vaultwarden panel proxy wireguard connector baserow calcom gitea caddy; do
+  for i in "${SERVICES[@]}"; do
     echo "* Starting $i.."
     cd /federated/apps/$i && docker-compose -f docker-compose.yml -p $i up -d
   done
@@ -20,8 +22,9 @@ startservice_all() {
 [ $# != 1 ] && usage
 SERVICE=$1
 
-case "$SERVICE" in
-  all) startservice_all;;
-  dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy) startservice;;
-  *) usage;;
-esac
+[ "$SERVICE" = "all" ] && startservice_all
+if printf '%s\0' "${SERVICES[@]}" | grep -Fxqz -- "$SERVICE"; then
+  startservice
+else
+  usage
+fi
diff --git a/bin/stop b/bin/stop
index 5159f88..6eae973 100755
--- a/bin/stop
+++ b/bin/stop
@@ -1,9 +1,11 @@
 #!/bin/bash
 #
 # Federated Stop Script
+. /federated/lib/functions.sh
 
 usage() {
-  echo "$0: all|dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy"
+  printf -v SERVICES_JOINED '%s|' "${SERVICES[@]}"
+  echo "$0: ${SERVICES_JOINED%|}"
   exit 2
 }
 stopservice() {
@@ -11,7 +13,7 @@ stopservice() {
   cd /federated/apps/$SERVICE && docker-compose -f docker-compose.yml -p $SERVICE down
 }
 stopservice_all() {
-  for i in dns postgresql ldap mail collabora nextcloud matrix element jitsi listmonk vaultwarden panel proxy wireguard connector baserow calcom gitea caddy; do
+  for i in "${SERVICES[@]}"; do
     echo "* Stopping $i.."
     cd /federated/apps/$i && docker-compose -f docker-compose.yml -p $i down
   done
@@ -20,8 +22,9 @@ stopservice_all() {
 [ $# != 1 ] && usage
 SERVICE=$1
 
-case "$SERVICE" in
-  all) stopservice_all;;
-  dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy) stopservice;;
-  *) usage;;
-esac
+[ "$SERVICE" = "all" ] && stopservice_all
+if printf '%s\0' "${SERVICES[@]}" | grep -Fxqz -- "$SERVICE"; then
+  stopservice
+else
+  usage
+fi
diff --git a/lib/baserow.sh b/lib/baserow.sh
index c5ebd67..f914b50 100644
--- a/lib/baserow.sh
+++ b/lib/baserow.sh
@@ -34,6 +34,11 @@ services:
       - ./.env
     volumes:
       - ./data/baserow/data:/baserow/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.baserow.rule=Host(\`baserow.$DOMAIN\`)"
+      - "traefik.http.routers.baserow.entrypoints=websecure"
+      - "traefik.http.routers.baserow.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -59,9 +64,6 @@ EMAIL_SMTP_PORT=587
 EMAIL_SMTP_USER=admin
 EMAIL_SMTP_PASSWORD=$ADMINPASS
 EMAIL_SMTP_USE_TLS=True
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=80
-VIRTUAL_HOST=baserow.$DOMAIN
 EOF
 chmod 600 /federated/apps/baserow/.env
 
diff --git a/lib/caddy.sh b/lib/caddy.sh
index 71902e6..a9e1b4a 100644
--- a/lib/caddy.sh
+++ b/lib/caddy.sh
@@ -40,6 +40,11 @@ services:
       - ./data/srv:/srv
       - ./data/etc/caddy/Caddyfile:/etc/caddy/Caddyfile
       - ./data/data:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdnsadmin.rule=Host(\`www.$DOMAIN\`,\`blog.$DOMAIN\`,\`documentation.$DOMAIN\`)"
+      - "traefik.http.routers.pdnsadmin.entrypoints=websecure"
+      - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -48,9 +53,6 @@ EOF
 
 cat > /federated/apps/caddy/.env <<EOF
 IMAGE_VERSION="latest"
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=80
-VIRTUAL_HOST=www.$DOMAIN,blog.$DOMAIN,documentation.$DOMAIN,$DOMAIN
 EOF
 chmod 600 /federated/apps/caddy/.env
 
@@ -70,10 +72,6 @@ www.$DOMAIN:80 {
     }
   }
 }
-$DOMAIN:80 {
-  root * /srv/www.$DOMAIN/public
-  file_server
-}
 blog.$DOMAIN:80 {
   root * /srv/blog.$DOMAIN/public
   file_server
diff --git a/lib/collabora.sh b/lib/collabora.sh
index b4feb81..9858f9c 100644
--- a/lib/collabora.sh
+++ b/lib/collabora.sh
@@ -11,7 +11,7 @@ config_collabora() {
 
   if [ ! -d "/federated/apps/collabora" ]; then
     mkdir -p /federated/apps/collabora/data/root/certs &> /dev/null
-    cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/collabora/data/root/certs/
+    cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/collabora/data/root/certs/
     chown 104 /federated/apps/collabora/data/root/certs/*
   fi
 
@@ -38,13 +38,17 @@ services:
       - "9980:9980"
     volumes:
       - ./data/root:/root
-      - ./data/root/certs/fullchain1.pem:/etc/coolwsd/cert.pem
-      - ./data/root/certs/privkey1.pem:/etc/coolwsd/key.pem
-      - ./data/root/certs/chain1.pem:/etc/coolwsd/ca-chain.cert.pem
+      - ./data/root/certs/$DOMAIN.crt:/etc/coolwsd/cert.pem
+      - ./data/root/certs/$DOMAIN.key:/etc/coolwsd/key.pem
     env_file:
       - ./.env
     cap_add:
       - MKNOD
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdnsadmin.rule=Host(\`collabora.$DOMAIN\`)"
+      - "traefik.http.routers.pdnsadmin.entrypoints=websecure"
+      - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -53,9 +57,6 @@ EOF
 
 cat > /federated/apps/collabora/.env <<EOF
 IMAGE_VERSION="22.05.13.1.1"
-VIRTUAL_PROTO=https
-VIRTUAL_PORT=9980
-VIRTUAL_HOST=collabora.$DOMAIN
 domain=nextcloud.$DOMAIN
 server_name=collabora.$DOMAIN
 EOF
diff --git a/lib/dns.sh b/lib/dns.sh
index 6ed80aa..df1615d 100644
--- a/lib/dns.sh
+++ b/lib/dns.sh
@@ -70,7 +70,7 @@ if [ ! -e /etc/bind/.firstdone ]; then
   CNAME_RECORD=`certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n 2>1 | grep acme-dns | awk '{ print $3 }'`
   echo "Got CNAME record: $CNAME_RECORD"
   echo "$CNAME_RECORD" > /etc/bind/.cnamerecord
-  echo -e "_acme-challenge\tIN\tCNAME\t$CNAME_RECORD" >> /etc/bind/zones/$DOMAIN
+  echo -e "_acme-challenge.customer2\tIN\tCNAME\t$CNAME_RECORD" >> /etc/bind/zones/$DOMAIN
 
   # Reload Bind configuration without restarting the container or process
   named -f -g &
@@ -91,6 +91,7 @@ if [ ! -e /etc/bind/.firstdone ]; then
     touch /etc/bind/.firstdone
     echo "[federated]: FAILED generating certificates for $DOMAIN"
     echo "[federated]: Check that you have DNS setup properly"
+    wait -n
     exit 2;
   fi
 
@@ -116,6 +117,7 @@ elif [ -e /etc/bind/.firstdone ] && [ -e /etc/bind/.failedcert ]; then
     touch /etc/bind/.failedcert
     echo "[federated]: FAILED generating certificates for $DOMAIN"
     echo "[federated]: Check that you have DNS setup properly"
+    wait -n
     exit 2;
   fi
   wait -n
@@ -177,24 +179,6 @@ ns1	IN	A	$EXTERNALIP
 ns2	IN      A       $EXTERNALIP
 mail	IN      A       $EXTERNALIP
 www	IN      A       $EXTERNALIP
-computer	IN      A       $EXTERNALIP
-panel	IN      A       $EXTERNALIP
-nextcloud       IN      A       $EXTERNALIP
-collabora	IN	A	$EXTERNALIP
-jitsi  	        IN	A	$EXTERNALIP
-matrix   	IN	A	$EXTERNALIP
-element    	IN	A	$EXTERNALIP
-listmonk    	IN	A	$EXTERNALIP
-vaultwarden    	IN	A	$EXTERNALIP
-vpn     	IN	A	$EXTERNALIP
-connector     	IN	A	$EXTERNALIP
-baserow     	IN	A	$EXTERNALIP
-gitea     	IN	A	$EXTERNALIP
-blog     	IN	A	$EXTERNALIP
-documentation     	IN	A	$EXTERNALIP
-*		IN	A	$EXTERNALIP
-$DOMAIN.	IN	A	$EXTERNALIP
-$DOMAIN.        IN      CNAME  	www.$DOMAIN
 EOF
 
 cat > /federated/apps/dns/data/etc/bind/zones/$DOMAIN.rev <<EOF
diff --git a/lib/element.sh b/lib/element.sh
index bd1eeb3..ecccdf8 100644
--- a/lib/element.sh
+++ b/lib/element.sh
@@ -34,6 +34,11 @@ services:
       - ./data/element/element-config.json:/app/config.json
     env_file:
       - ./.env
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdnsadmin.rule=Host(\`element.$DOMAIN\`)"
+      - "traefik.http.routers.pdnsadmin.entrypoints=websecure"
+      - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
         
 networks:
   federated:
@@ -42,9 +47,6 @@ EOF
 
 cat > /federated/apps/element/.env <<EOF
 IMAGE_VERSION="v1.11.19"
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=80
-VIRTUAL_HOST=element.$DOMAIN
 EOF
 chmod 600 /federated/apps/element/.env
 
diff --git a/lib/functions.sh b/lib/functions.sh
index fe16696..948713f 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -1,7 +1,7 @@
 # Federated Computer functions
 
 # Define all services
-SERVICES=("dns" "postgresql" "ldap" "mail" "collabora" "proxy" "nextcloud" "matrix" "element" "listmonk" "vaultwarden" "panel" "wireguard" "jitsi" "baserow" "gitea" "caddy")
+SERVICES=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap" "mail" "collabora" "nextcloud" "matrix" "element" "listmonk" "vaultwarden" "panel" "wireguard" "jitsi" "baserow" "gitea" "caddy")
 
 fail() {
   echo -ne "FAILED\n\n$1\n\n"
@@ -31,8 +31,9 @@ spin() {
   done
 }
 add_cron() {
-        (crontab -l 2>/dev/null; echo "30 23 * * * /federated/bin/backuptool -b all >> /federated/logs/backup.log 2>&1") | sort -u | crontab -
-        (crontab -l 2>/dev/null; echo "0 2 * * * /federated/bin/upgrade >> /federated/logs/upgrade.log 2>&1") | sort -u | crontab -
+        (crontab -l 2>/dev/null; echo "30 23 * * * date >> /federated/logs/backup.log && /federated/bin/backuptool -b all >> /federated/logs/backup.log 2>&1") | sort -u | crontab -
+        (crontab -l 2>/dev/null; echo "0 2 * * * date >> /federated/logs/upgrade.log && /federated/bin/upgrade >> /federated/logs/upgrade.log 2>&1") | sort -u | crontab -
+        (crontab -l 2>/dev/null; echo "0 3 * * * date >> /federated/logs/dumpcerts.log && /federated/bin/dumpcerts >> /federated/logs/dumpcerts.log 2>&1") | sort -u | crontab -
 }
 install_federated() {
   [ -d "/federated" ] && fail "Directory /federated already exists. Already installed?"
@@ -199,6 +200,10 @@ Baserow: Easy Database. Replacement for Airtable. Build amazing, easy
 to create on-line databases to be used by your team.
 https://baserow.$DOMAIN
 
+Cal.com: Easy scheduling. Create easy links so that others can easily
+schedule time on your calendar without the annoying back-and-forth.
+https://calcom.$DOMAIN
+
 All documentation for users can be found at
 https://documentation.federated.computer/users.
 EOF
@@ -239,8 +244,12 @@ check_docker() {
         [ $? -ne 0 ] && failcheck "Couldn't run sudo apt install docker packages"
 
 	# Install extra packages
-	sudo apt-get install duplicity python3-b2sdk uuid -y &> /dev/null
+	sudo apt-get install duplicity python3-b2sdk uuid apache2-utils -y &> /dev/null
         [ $? -ne 0 ] && failcheck "Couldn't run sudo apt install extra packages"
+
+	# Install Traefik certs dumper
+	curl -sfL https://raw.githubusercontent.com/ldez/traefik-certs-dumper/master/godownloader.sh | bash -s -- -b $(go env GOPATH 2>/dev/null)/bin v2.8.1 &> /dev/null
+        [ $? -ne 0 ] && failcheck "Couldn't install traefik certs dumper"
       fi
       kill -9 $SPINPID &> /dev/null
       echo -ne "done."
@@ -289,8 +298,9 @@ check_ports() {
 	      [ $? -ne 0 ] && failcheck "Failed running systemctl stop systemd-resolved"
 
               # Put nameserver entries so will exist on reboot
-              echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/tail
-              echo "nameserver 8.8.8.8" > /run/resolvconf/resolv.conf
+	      rm /etc/resolv.conf
+              echo "nameserver 1.1.1.1" >> /etc/resolv/resolv.conf
+              echo "nameserver 1.0.0.1" >> /etc/resolv/resolv.conf
 
 	      kill -9 $SPINPID &> /dev/null
               echo -ne "done."
diff --git a/lib/gitea.sh b/lib/gitea.sh
index a19b950..3956933 100644
--- a/lib/gitea.sh
+++ b/lib/gitea.sh
@@ -11,9 +11,6 @@ config_gitea() {
 
   if [ ! -d "/federated/apps/gitea" ]; then
     mkdir -p /federated/apps/gitea/data/data
-    mkdir -p /federated/apps/gitea/data/data/git/.ssh
-    touch /federated/apps/gitea/data/data/git/.ssh/authorized_keys
-    chmod 600 /federated/apps/gitea/data/data/git/.ssh/authorized_keys
   fi
 
   DOMAIN_ARRAY=(${DOMAIN//./ })
@@ -38,27 +35,26 @@ services:
       - "blog.$DOMAIN:$EXTERNALIP"
       - "documentation.$DOMAIN:$EXTERNALIP"
     ports:
-      - "2222:22"
+      - 22:22
     env_file:
       - ./.env
     volumes:
       - ./data/data:/data
-      - ./data/data/git/.ssh:/data/git/.ssh
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pdnsadmin.rule=Host(\`gitea.$DOMAIN\`)"
+      - "traefik.http.routers.pdnsadmin.entrypoints=websecure"
+      - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
 
 networks:
   federated:
     external: true
 EOF
 
-#GITEA_SECRET="RbzalooGM4BbQug6wvRaklR7NeN0GRSA"
-
 cat > /federated/apps/gitea/.env <<EOF
 IMAGE_VERSION="1.19.0"
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=3000
-VIRTUAL_HOST=gitea.$DOMAIN
 USER_UID=1000
 USER_GID=1000
 GITEA__database__DB_TYPE=postgres
@@ -68,10 +64,6 @@ GITEA__database__USER=gitea
 GITEA__database__PASSWD=$GITEA_SECRET
 GITEA__security__INSTALL_LOCK=true
 GITEA__server__ROOT_URL=https://gitea.$DOMAIN
-GITEA__server__DOMAIN=$DOMAIN
-GITEA__server__SSH_DOMAIN=$DOMAIN
-GITEA__server__SSH_PORT=2222
-GITEA__server__SSH_LISTEN_PORT=2222
 EOF
 chmod 600 /federated/apps/gitea/.env
 
diff --git a/lib/jitsi.sh b/lib/jitsi.sh
index 89b55e1..603fd61 100644
--- a/lib/jitsi.sh
+++ b/lib/jitsi.sh
@@ -43,10 +43,12 @@ services:
             - \${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
             - \${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
             - ./data/config/keys:/config/keys:Z
+        labels:
+            - "traefik.enable=true"
+            - "traefik.http.routers.pdnsadmin.rule=Host(\`jitsi.$DOMAIN\`)"
+            - "traefik.http.routers.pdnsadmin.entrypoints=websecure"
+            - "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
         environment:
-            - VIRTUAL_PROTO=http
-            - VIRTUAL_PORT=80
-            - VIRTUAL_HOST=jitsi.$DOMAIN
             - AMPLITUDE_ID
             - ANALYTICS_SCRIPT_URLS
             - ANALYTICS_WHITELISTED_EVENTS
@@ -279,7 +281,6 @@ services:
             ipv4_address: 172.99.0.24
             aliases:
               - xmpp.meet.jitsi
-              - xmpp.northendnetwork.com
 
     # Focus component
     jicofo:
diff --git a/lib/latest-versions b/lib/latest-versions
index 7a84516..461e36e 100644
--- a/lib/latest-versions
+++ b/lib/latest-versions
@@ -6,7 +6,7 @@ calcom=1.0
 postgresql=14
 proxy=1.1
 nextcloud=25.0.3
-listmonk=v2.4.0
+listmonk=v2.3.0
 panel=v1.10
 vaultwarden=1.27.0
 matrix=v1.75.0
diff --git a/lib/ldap.sh b/lib/ldap.sh
index 3e92bbb..4c6fe55 100644
--- a/lib/ldap.sh
+++ b/lib/ldap.sh
@@ -15,7 +15,7 @@ config_ldap() {
     mkdir -p /federated/apps/ldap/data/etc/ldap/slap.d &> /dev/null
     mkdir -p /federated/apps/ldap/data/certs &> /dev/null
     mkdir -p /federated/apps/ldap/data/root &> /dev/null
-    cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/ldap/data/certs/
+    cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/ldap/data/certs/
   fi
 
   DOMAIN_ARRAY=(${DOMAIN//./ })
@@ -63,9 +63,9 @@ LDAP_ADMIN_PASSWORD_FILE=/run/secrets/federated_ldap_password
 LDAP_RFC2307BIS_SCHEMA=true
 LDAP_REMOVE_CONFIG_AFTER_SETUP=true
 LDAP_TLS=true
-LDAP_TLS_CRT_FILENAME=fullchain1.pem
-LDAP_TLS_KEY_FILENAME=privkey1.pem
-LDAP_TLS_CA_CRT_FILENAME=chain1.pem
+LDAP_TLS_CRT_FILENAME=$DOMAIN.crt
+LDAP_TLS_KEY_FILENAME=$DOMAIN.key
+#LDAP_TLS_CA_CRT_FILENAME=chain1.pem
 LDAP_TLS_VERIFY_CLIENT=try
 EOF
 chmod 600 /federated/apps/ldap/.env
diff --git a/lib/listmonk.sh b/lib/listmonk.sh
index 75d207a..2de012f 100644
--- a/lib/listmonk.sh
+++ b/lib/listmonk.sh
@@ -36,6 +36,11 @@ services:
     volumes:
       - ./data/listmonk/config.toml:/listmonk/config.toml
       - ./data/listmonk/static:/listmonk/static
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.listmonk.rule=Host(\`listmonk.$DOMAIN\`)"
+      - "traefik.http.routers.listmonk.entrypoints=websecure"
+      - "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -44,9 +49,6 @@ EOF
 
 cat > /federated/apps/listmonk/.env <<EOF
 IMAGE_VERSION="v2.3.0"
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=9000
-VIRTUAL_HOST=listmonk.$DOMAIN
 TZ=Etc/UTC
 EOF
 
diff --git a/lib/mail.sh b/lib/mail.sh
index d9ebc03..0a7c87e 100644
--- a/lib/mail.sh
+++ b/lib/mail.sh
@@ -15,7 +15,7 @@ config_mail() {
     mkdir -p /federated/apps/mail/data/var/mail-state &> /dev/null
     mkdir -p /federated/apps/mail/data/var/log/mail &> /dev/null
     mkdir -p /federated/apps/mail/data/tmp/docker-mailserver &> /dev/null
-    cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/mail/data/root/certs/
+    cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/
   fi
 
   DOMAIN_ARRAY=(${DOMAIN//./ })
@@ -72,8 +72,8 @@ DMS_DEBUG=0
 LOG_LEVEL=debug
 ENABLE_LDAP=1
 SSL_TYPE=manual
-SSL_CERT_PATH=/root/certs/fullchain1.pem
-SSL_KEY_PATH=/root/certs/privkey1.pem
+SSL_CERT_PATH=/root/certs/$DOMAIN.crt
+SSL_KEY_PATH=/root/certs/$DOMAIN.key
 LDAP_START_TLS=yes
 DOVECOT_TLS=yes
 SASLAUTHD_LDAP_START_TLS=yes
@@ -103,8 +103,7 @@ EOF
 chmod 600 /federated/apps/mail/.env
 
 cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
 smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
 EOF
 
@@ -124,7 +123,7 @@ start_mail() {
   [ $? -ne 0 ] && fail "Couldn't insert DKIM record into /federated/apps/dns container"
 
   # Insert the DMARC DNS TXT entry into /federated/apps/dns container
-  echo "_dmarc.$DOMAIN. IN TXT \"v=DMARC1; p=quarantine; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" >> /federated/apps/dns/data/etc/bind/zones/$DOMAIN
+  echo "_dmarc.$DOMAIN. IN TXT \"v=DMARC1; p=none; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" >> /federated/apps/dns/data/etc/bind/zones/$DOMAIN
   [ $? -ne 0 ] && fail "Couldn't insert DMARC record into /federated/apps/dns container"
 
   # Reload DNS configuration in /federated/apps/dns container 
diff --git a/lib/matrix.sh b/lib/matrix.sh
index b867462..5620e3b 100644
--- a/lib/matrix.sh
+++ b/lib/matrix.sh
@@ -11,8 +11,8 @@ config_matrix() {
 
   if [ ! -d "/federated/apps/matrix" ]; then
     mkdir -p /federated/apps/matrix/data/matrix &> /dev/null
-    cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/matrix/data/matrix
-    chmod 644 /federated/apps/matrix/data/matrix/*.pem
+    cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/matrix/data/matrix/
+    chmod 644 /federated/apps/matrix/data/matrix/$DOMAIN.crt /federated/apps/matrix/data/matrix/$DOMAIN.key
   fi
 
   DOMAIN_ARRAY=(${DOMAIN//./ })
@@ -36,6 +36,11 @@ services:
      - ./data/matrix:/data
     env_file:
       - ./.env
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.listmonk.rule=Host(\`matrix.$DOMAIN\`)"
+      - "traefik.http.routers.listmonk.entrypoints=websecure"
+      - "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -44,9 +49,6 @@ EOF
 
 cat > /federated/apps/matrix/.env <<EOF
 IMAGE_VERSION="v1.75.0"
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=8008
-VIRTUAL_HOST=matrix.$DOMAIN
 EOF
 chmod 600 /federated/apps/matrix/.env
 
@@ -87,8 +89,8 @@ modules:
       bind_password: $LDAP_SECRET
       tls_options:
         validate: true
-        local_certificate_file: /data/fullchain1.pem
-        local_private_key_file: /data/privkey1.pem
+        local_certificate_file: /data/$DOMAIN.crt
+        local_private_key_file: /data/$DOMAIN.key
 EOF
 
 kill -9 $SPINPID &> /dev/null
diff --git a/lib/nextcloud.sh b/lib/nextcloud.sh
index 517d22b..7245721 100644
--- a/lib/nextcloud.sh
+++ b/lib/nextcloud.sh
@@ -50,6 +50,11 @@ services:
     secrets:
       - federated_psql_password
       - federated_nextcloud_password
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.listmonk.rule=Host(\`nextcloud.$DOMAIN\`)"
+      - "traefik.http.routers.listmonk.entrypoints=websecure"
+      - "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
 
 secrets:
   federated_psql_password:
@@ -68,9 +73,6 @@ chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud
 cat > /federated/apps/nextcloud/.env <<EOF
 IMAGE_VERSION="25.0.3"
 NEXTCLOUD_UPDATE=1
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=80
-VIRTUAL_HOST=nextcloud.$DOMAIN
 PHP_MEMORY_LIMIT=2048M
 PHP_UPLOAD_LIMIT=2048M
 NEXTCLOUD_ADMIN_USER=nextcloud
diff --git a/lib/panel.sh b/lib/panel.sh
index dd7ea42..1d3b6b5 100644
--- a/lib/panel.sh
+++ b/lib/panel.sh
@@ -32,6 +32,11 @@ services:
         ipv4_address: 172.99.0.21
     env_file:
       - ./.env
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.listmonk.rule=Host(\`panel.$DOMAIN\`)"
+      - "traefik.http.routers.listmonk.entrypoints=websecure"
+      - "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -40,9 +45,6 @@ EOF
 
 cat > /federated/apps/panel/.env <<EOF
 IMAGE_VERSION="v1.10"
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=80
-VIRTUAL_HOST=panel.$DOMAIN
 SERVER_HOSTNAME=panel.$DOMAIN
 LDAP_URI=ldap://ldap.$DOMAIN
 LDAP_BASE_DN=dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
@@ -59,7 +61,7 @@ SMTP_HOSTNAME=mail.$DOMAIN
 SMTP_USERNAME=admin
 SMTP_PASSWORD=$ADMINPASS
 EMAIL_FROM_ADDRESS=admin@$DOMAIN
-SMTP_USE_TLS=true
+#SMTP_USE_TLS=true
 NO_HTTPS=true
 EOF
 chmod 600 /federated/apps/panel/.env
diff --git a/lib/pdns.sh b/lib/pdns.sh
new file mode 100644
index 0000000..cddbfc3
--- /dev/null
+++ b/lib/pdns.sh
@@ -0,0 +1,107 @@
+#!/bin/bash
+#
+# PowerDNS DNS Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_pdns() {
+  echo -ne "\n* Configuring /federated/apps/pdns container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/pdns" ]; then
+    mkdir -p /federated/apps/pdns/data/root
+  fi
+
+cat > /federated/apps/pdns/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  pdns:
+    image: pschiffe/pdns-mysql:\${IMAGE_VERSION}
+    container_name: pdns
+    hostname: pdns.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.9
+    ports:
+      - "53:53"
+      - "53:53/udp"
+    env_file:
+      - ./.env
+    volumes:
+      - ./data/root:/root
+
+networks:
+  federated:
+    external: true
+EOF
+
+MYSQL_PASSWORD=`grep MYSQL_PASSWORD /federated/apps/pdnsmysql/.env | awk -F= '{ print $2 }'`
+PDNS_APIKEY=$(create_password);
+PDNS_WEBSERVER_PASSWORD=$(create_password);
+
+cat > /federated/apps/pdns/.env <<EOF
+IMAGE_VERSION="4.7"
+PDNS_gmysql_host=pdnsmysql.$DOMAIN
+PDNS_gmysql_port=3306
+PDNS_gmysql_user=pdns
+PDNS_gmysql_dbname=pdns
+PDNS_gmysql_password=$MYSQL_PASSWORD
+PDNS_master=yes
+PDNS_api=yes
+PDNS_api_key=$PDNS_APIKEY
+PDNSCONF_API_KEY=$PDNS_APIKEY
+PDNS_webserver=yes
+PDNS_webserver-allow-from=127.0.0.1,10.0.0.0/8,172.0.0.0/8,192.0.0.0/24,172.99.0.0/16
+PDNS_webserver_address=0.0.0.0
+PDNS_webserver_password=$PDNS_WEBSERVER_PASSWORD
+PDNS_version_string=anonymous
+PDNS_default_ttl=1500
+PDNS_allow_notify_from=0.0.0.0
+PDNS_allow_axfr_ips=127.0.0.1
+PDNS_default_soa_content=ns1.@ hostmaster.@ 0 10800 3600 604800 3600
+PDNS_allow_dnsupdate_from=127.0.0.0/8,::1,172.99.0.0/16
+PDNS_dnsupdate=yes
+EOF
+chmod 600 /federated/apps/pdns/.env
+
+cat > /federated/apps/pdns/data/root/createrecords.sh <<EOF
+#!/bin/bash
+
+# Create the default domain DNS zone
+curl -X POST --data '{"name":"$DOMAIN.", "kind": "Master", "masters": []}' -v -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones
+
+# Create the MX and SPF TXT record for domain
+curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "MX", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "10 mail.$DOMAIN.", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
+curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "TXT", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "\"v=spf1 mx a:$DOMAIN ~all\"", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
+
+# Create the A records for domain
+for i in ns1 ns2 mail www computer panel nextcloud collabora jitsi matrix element listmonk vaultwarden vpn baserow gitea blog documentation; do
+  curl -X PATCH --data "{\"rrsets\": [ {\"name\": \"\$i.$DOMAIN.\", \"type\": \"A\", \"ttl\": 86400, \"changetype\": \"REPLACE\", \"records\": [ {\"content\": \"$EXTERNALIP\", \"disabled\": false } ] } ] }" -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
+done
+
+# Create catchall A record for domain
+#curl -X PATCH --data '{"rrsets": [ {"name": "*.$DOMAIN.", "type": "A", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "$EXTERNALIP", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
+
+# Create CNAME record for domain to www
+curl -X PATCH --data '{"rrsets": [ {"name": "*.$DOMAIN.", "type": "CNAME", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "www.$DOMAIN.", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
+EOF
+chmod +x /federated/apps/pdns/data/root/createrecords.sh
+ 
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_pdns() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "pdns" "nc -z 172.99.0.9 8081 &> /dev/null"
+
+  # Run createrecords.sh inside baserow container
+  docker exec -it pdns /root/createrecords.sh
+  [ $? -ne 0 ] && fail "Couldn't run createrecords.sh in /federated/apps/pdns container"
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
diff --git a/lib/pdnsadmin.sh b/lib/pdnsadmin.sh
new file mode 100644
index 0000000..de09d1d
--- /dev/null
+++ b/lib/pdnsadmin.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+#
+# PowerDNS Admin Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_pdnsadmin() {
+  echo -ne "\n* Configuring /federated/apps/pdnsadmin container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/pdnsadmin" ]; then
+    mkdir -p /federated/apps/pdnsadmin/data/etc
+  fi
+
+cat > /federated/apps/pdnsadmin/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  pdnsadmin:
+    image: pschiffe/pdnsadmin-uwsgi\${IMAGE_VERSION}
+    container_name: pdnsadmin
+    hostname: pdnsadmin.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.10
+    env_file:
+      - ./.env
+    volumes:
+      - ./data/etc/uwsgi.ini:/etc/uwsgi.ini
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.listmonk.rule=Host(\`pdnsadmin.$DOMAIN\`)"
+      - "traefik.http.routers.listmonk.entrypoints=websecure"
+      - "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
+
+networks:
+  federated:
+    external: true
+EOF
+
+MYSQL_PASSWORD=`grep MYSQL_PASSWORD /federated/apps/pdns-mysql/.env | awk -F= '{ print $2 }'`
+PDNS_APIKEY=`grep PDNS_api_key /federated/apps/pdns/.env | awk -F= '{ print $2 }'`
+PDNS_ADMIN_WEBSERVER_PASSWORD_SALT=`htpasswd -bnBC 10 "" $ADMINPASS | tr -d ':\n' | sed 's/$2y/$2b/'`
+PDNS_MYSQL_COMMAND="insert into user (id, username, password, firstname, lastname, email, otp_secret, role_id, confirmed) values (\"1\", \"admin\", \"$PDNS_ADMIN_WEBSERVER_PASSWORD_SALT\", \"Admin\", \"Federated\", \"admin@$DOMAIN\", \"\", \"1\", \"0\");"
+
+cat > /federated/apps/pdnsadmin/.env <<EOF
+IMAGE_VERSION="@sha256:d4bcc2cd76bd1711c1501555a8db3b932ad58425a4ecc362aac13e97b082d5c2"
+PDNS_ADMIN_SQLA_DB_HOST="'mysql'"
+PDNS_ADMIN_SQLA_DB_PORT="'3306'"
+PDNS_ADMIN_SQLA_DB_USER="'pdns'"
+PDNS_ADMIN_SQLA_DB_PASSWORD="'$MYSQL_PASSWORD'"
+PDNS_ADMIN_SQLA_DB_NAME="'pdns'"
+PDNS_API_URL="http://pdns.$DOMAIN:8081/"
+PDNS_API_KEY="$PDNS_APIKEY"
+PDNS_VERSION="4.7.0"
+EOF
+chmod 600 /federated/apps/pdnsadmin/.env
+
+cat > /federated/apps/pdnsadmin/data/etc/uwsgi.ini <<'EOF'
+[uwsgi]
+strict = true
+master = true
+die-on-term = true
+need-app = true
+
+plugins = python3
+
+uid = uwsgi
+gid = uwsgi
+
+chdir = /opt/powerdns-admin
+pythonpath = /opt/powerdns-admin
+
+mount = /=run.py
+manage-script-name = true
+callable = app
+
+vacuum = true
+harakiri = 20
+buffer-size = 32768
+post-buffering = 8192
+protocol = http
+http-socket = 0.0.0.0:9494
+pidfile = /run/uwsgi/%n.pid
+
+enable-threads = true
+EOF
+ 
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_pdnsadmin() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "pdnsadmin" "nc -z 172.99.0.10 9494 &> /dev/null"
+
+  # Run MySQL command to create admin user for pdns admin interface
+  docker exec -it pdns-mysql bash -c "mysql -updns -p$MYSQL_PASSWORD pdns -e '$PDNS_MYSQL_COMMAND;'"
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
diff --git a/lib/pdnsmysql.sh b/lib/pdnsmysql.sh
new file mode 100644
index 0000000..4a815e4
--- /dev/null
+++ b/lib/pdnsmysql.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# PowerDNS MySQL Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_pdnsmysql() {
+  echo -ne "\n* Configuring /federated/apps/pdnsmysql container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/pdnsmysql" ]; then
+    mkdir -p /federated/apps/pdnsmysql/data/var/lib/mysql
+  fi
+
+cat > /federated/apps/pdnsmysql/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  mysql:
+    image: mariadb:\${IMAGE_VERSION}
+    container_name: pdnsmysql
+    hostname: pdnsmysql.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.8
+    env_file:
+      - ./.env
+    volumes:
+      - ./data/var/lib/mysql:/var/lib/mysql
+
+networks:
+  federated:
+    external: true
+EOF
+
+MYSQL_ROOTPASSWORD=$(create_password);
+MYSQL_PASSWORD=$(create_password);
+
+cat > /federated/apps/pdnsmysql/.env <<EOF
+IMAGE_VERSION="10.7.8"
+MYSQL_ROOT_PASSWORD=$MYSQL_ROOTPASSWORD
+MYSQL_PASSWORD=$MYSQL_PASSWORD
+MYSQL_DATABASE=pdns
+MYSQL_USER=pdns
+EOF
+chmod 600 /federated/apps/pdnsmysql/.env
+ 
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_pdnsmysql() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "pdnsmysql" "nc -z 172.99.0.8 3306 &> /dev/null"
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
diff --git a/lib/pdnsstatic.sh b/lib/pdnsstatic.sh
new file mode 100644
index 0000000..66ad834
--- /dev/null
+++ b/lib/pdnsstatic.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+#
+# PowerDNS Nginx Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_pdnsstatic() {
+  echo -ne "\n* Configuring /federated/apps/pdns-static container.."
+  spin &
+  SPINPID=$!
+
+  DOMAIN_ARRAY=(${DOMAIN//./ })
+  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+  DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
+  DOMAIN_LAST=${DOMAIN_ARRAY[2]}
+
+  if [ ! -d "/federated/apps/pdns-static" ]; then
+    mkdir -p /federated/apps/pdns-static
+  fi
+
+#  DOMAIN_ARRAY=(${DOMAIN//./ })
+#  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+#  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
+
+cat > /federated/apps/pdns-static/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  pdns-static:
+    image: pschiffe/pdns-admin-static\${IMAGE_VERSION}
+    container_name: pdns-static
+    hostname: pdns-static.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.7
+    ports:
+      - "8989:80"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - ./.env
+
+networks:
+  federated:
+    external: true
+EOF
+
+cat > /federated/apps/pdns-static/.env <<EOF
+IMAGE_VERSION="@sha256:c75fd98215db2ac2d4abe6e56710f93fecf3394e984c017fa9fffa5228d7b35a"
+EOF
+chmod 600 /federated/apps/pdns-static/.env
+ 
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_pdnsstatic() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "pdns-static" "nc -z 172.99.0.7 80 &> /dev/null"
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
diff --git a/lib/postgresql.sh b/lib/postgresql.sh
index 1c07b0d..b38f447 100644
--- a/lib/postgresql.sh
+++ b/lib/postgresql.sh
@@ -11,16 +11,12 @@ config_postgresql() {
 
   if [ ! -d "/federated/apps/postgresql" ]; then
     mkdir -p /federated/apps/postgresql/data/var/lib/postgresql /federated/apps/postgresql/data/docker-entrypoint-initdb.d
-    cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/fullchain1.pem /federated/apps/postgresql/data/var/lib/postgresql/server.crt
-    cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/privkey1.pem /federated/apps/postgresql/data/var/lib/postgresql/server.key
-    chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.*
-    chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.*
+    cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/postgresql/data/var/lib/postgresql/server.crt
+    cp /federated/apps/certs/private/$DOMAIN.key /federated/apps/postgresql/data/var/lib/postgresql/server.key
+    chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
+    chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
   fi
 
-  DOMAIN_ARRAY=(${DOMAIN//./ })
-  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
-  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
-
 cat > /federated/apps/postgresql/docker-compose.yml <<EOF
 version: "3.7"
 
diff --git a/lib/proxy.sh b/lib/proxy.sh
index ccc2a7c..7ce3157 100644
--- a/lib/proxy.sh
+++ b/lib/proxy.sh
@@ -9,15 +9,20 @@ config_proxy() {
   spin &
   SPINPID=$!
 
-  if [ ! -d "/federated/apps/proxy" ]; then
-    mkdir -p /federated/apps/proxy/data/root/certs &> /dev/null
-    cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/fullchain1.pem /federated/apps/proxy/data/root/certs/$DOMAIN.crt
-    cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/privkey1.pem /federated/apps/proxy/data/root/certs/$DOMAIN.key
-  fi
-
   DOMAIN_ARRAY=(${DOMAIN//./ })
   DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
-  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
+  DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
+  DOMAIN_LAST=${DOMAIN_ARRAY[2]}
+
+  if [ ! -d "/federated/apps/proxy" ]; then
+    mkdir -p /federated/apps/proxy/data/root/certs &> /dev/null
+    cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN_MIDDLE.$DOMAIN_LAST/fullchain1.pem /federated/apps/proxy/data/root/certs/$DOMAIN_MIDDLE.$DOMAIN_LAST.crt
+    cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN_MIDDLE.$DOMAIN_LAST/privkey1.pem /federated/apps/proxy/data/root/certs/$DOMAIN_MIDDLE.$DOMAIN_LAST.key
+  fi
+
+#  DOMAIN_ARRAY=(${DOMAIN//./ })
+#  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+#  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
 
 cat > /federated/apps/proxy/docker-compose.yml <<EOF
 version: '3.7'
@@ -33,8 +38,8 @@ services:
       federated:
         ipv4_address: 172.99.0.15
     ports:
-      - 80:80
-      - 443:443
+      - "80:80"
+      - "443:443"
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
       - ./data/root/certs:/etc/nginx/certs
diff --git a/lib/traefik.sh b/lib/traefik.sh
new file mode 100644
index 0000000..6e0dc0d
--- /dev/null
+++ b/lib/traefik.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+#
+# Traefik Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_traefik() {
+  echo -ne "\n* Configuring /federated/apps/traefik container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/traefik" ]; then
+    mkdir -p /federated/apps/traefik/data/letsencrypt
+  fi
+
+TRAEFIK_HTTPAUTH_STRING=$(echo `htpasswd -nb admin $ADMINPASS` | sed -e s/\\$/\\$\\$/g)
+
+cat > /federated/apps/traefik/docker-compose.yml <<EOF
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:\${IMAGE_VERSION}
+    container_name: traefik
+    hostname: traefik.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.5
+    command:
+      # Tell Traefik to discover containers using the Docker API
+      - --providers.docker=true
+      # Enable the Trafik dashboard
+      - --api.dashboard=true
+      # Set up LetsEncrypt
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=pdns
+      - --certificatesresolvers.letsencrypt.acme.email=hostmaster@$DOMAIN
+      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.DisablePropagationCheck=true
+      # --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+      - --log.level=DEBUG
+      # Set up an insecure listener that redirects all traffic to HTTPS
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      # Set up the TLS configuration for our websecure listener
+      - --entrypoints.websecure.http.tls=true
+      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
+      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAIN
+      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN
+    env_file:
+      - ./.env
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./data/letsencrypt:/letsencrypt
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.rule=Host(\`traefik.$DOMAIN\`)"
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=strip"
+      - "traefik.http.middlewares.strip.stripprefix.prefixes=/traefik"
+      - "traefik.http.routers.traefik.middlewares=traefik-auth"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=$TRAEFIK_HTTPAUTH_STRING"
+
+networks:
+  federated:
+    external: true
+EOF
+
+cat > /federated/apps/traefik/.env <<EOF
+IMAGE_VERSION="v2.10.1"
+PDNS_API_KEY=$PDNS_APIKEY
+PDNS_API_URL=http://pdns.$DOMAIN:8081
+EOF
+chmod 600 /federated/apps/traefik/.env
+
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+
+start_traefik() {
+  if [ $DEBUG ]; then
+    # Start /federated/apps/traefik with output to console for debug
+    docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up
+    [ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service /federated/apps/traefik"
+  else
+    # Start /federated/apps/traefik with output to /dev/null
+    docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up -d &> /dev/null
+
+    # Keep trying to see that certificates are generated
+    RETRY="20"
+    while [ $RETRY -gt 0 ]; do
+      traefik-certs-dumper file --version v2 --source /federated/apps/traefik/data/letsencrypt/acme.json --dest /federated/certs &> /dev/null
+
+      # Check if certs are generated
+      ls /federated/certs/private/$DOMAIN.key /federated/certs/certs/$DOMAIN.crt &> /dev/null
+      if [ $? -eq 0 ]; then
+        kill -9 $SPINPID &> /dev/null
+        echo -ne "done."
+        break
+      else
+        if [ "$RETRY" == 1 ]; then
+          docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik down &> /dev/null
+          fail "There was a problem starting service /federated/apps/traefik\nCheck the output of 'docker logs traefik' or turn on\ndebug with -d"
+        fi
+        ((RETRY--))
+        sleep 9
+      fi
+    done
+  fi
+}
diff --git a/lib/vaultwarden.sh b/lib/vaultwarden.sh
index f95576a..c274d61 100644
--- a/lib/vaultwarden.sh
+++ b/lib/vaultwarden.sh
@@ -9,13 +9,18 @@ config_vaultwarden() {
   spin &
   SPINPID=$!
 
+  DOMAIN_ARRAY=(${DOMAIN//./ })
+  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+  DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
+  DOMAIN_LAST=${DOMAIN_ARRAY[2]}
+
   if [ ! -d "/federated/apps/vaultwarden" ]; then
     mkdir -p /federated/apps/vaultwarden/data/data
   fi
 
-  DOMAIN_ARRAY=(${DOMAIN//./ })
-  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
-  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
+#  DOMAIN_ARRAY=(${DOMAIN//./ })
+#  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
+#  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
 
 cat > /federated/apps/vaultwarden/docker-compose.yml <<EOF
 version: '3.7'
@@ -34,6 +39,11 @@ services:
       - ./.env
     volumes:
       - ./data/data:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.rule=Host(\`vaultwarden.$DOMAIN\`)"
+      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
 
 networks:
   federated:
@@ -43,9 +53,6 @@ EOF
 cat > /federated/apps/vaultwarden/.env <<EOF
 IMAGE_VERSION="1.27.0"
 DATABASE_URL=postgresql://vaultwarden:$VAULTWARDEN_SECRET@postgresql.$DOMAIN:5432/vaultwarden
-VIRTUAL_PROTO=http
-VIRTUAL_PORT=80
-VIRTUAL_HOST=vaultwarden.$DOMAIN
 WEBSOCKET_ENABLED=true
 ADMIN_TOKEN=$VAULTWARDEN_SECRET
 #- SIGNUPS_ALLOWED=false