diff --git a/machines/rigel/networking.nix b/machines/rigel/networking.nix
index 66e2b21..1db8413 100644
--- a/machines/rigel/networking.nix
+++ b/machines/rigel/networking.nix
@@ -36,9 +36,69 @@ in
 };
 };
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ # log.level = "DEBUG";
+ log = {
+ level = "DEBUG";
+ filePath = "/data/traefik/traefik.log";
+ };
+
+ serversTransport.insecureSkipVerify = true;
+
+ entryPoints = {
+ web = {
+ address = ":80";
+ transport.respondingTimeouts = {
+ readTimeout = "3600s";
+ writeTimeout = "0";
+ idleTimeout = "300s";
+ };
+ };
+ websecure = {
+ address = ":443";
+ transport.respondingTimeouts = {
+ readTimeout = "3600s";
+ writeTimeout = "0";
+ idleTimeout = "300s";
+ };
+ };
+ };
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+ };
+ dynamicConfigOptions = {
+ http.middlewares = {
+ redirect-to-https.redirectscheme = {
+ scheme = "https";
+ permanent = true;
+ };
+ redirect-to-www.redirectregex = {
+ permanent = true;
+ regex = "^https?://(?:www\\.)?(.+)";
+ replacement = "https://www.\${1}";
+ };
+ };
+ http = {
+ routers.ata-web = {
+ rule = "";
+ service = "ata-web";
+ };
+ services.ata-web.loadBalancer.servers = [ { url = "http://192.168.254.96"; } ];
+ };
+ };
+ };
+ networking.firewall.allowedUDPPorts = [ 53 67 ];
- networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [
+ 53
+ 80
+ 443
+ ];
 }
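Review bot: `serversTransport.insecureSkipVerify = true;` in `staticConfigOptions` disables backend certificate verification for every service this Traefik instance proxies, yet the only backend in the hunk is plain `http://192.168.254.96`, so the setting does nothing today and would silently weaken any HTTPS backend added later. I would delete that line; if a self-signed backend is planned, define a named transport under `http.serversTransports` with `rootCAs` and reference it from that one service's `loadBalancer.serversTransport`. Separately, `routers.ata-web` has `rule = "";` with no `entryPoints`, `middlewares` or `tls`, so as far as the hunk shows `redirect-to-https` and `redirect-to-www` are defined but never applied and nothing terminates TLS on `websecure`, while the same change opens TCP 80 and 443 in the firewall. An explicit `Host(...)` rule with the redirect attached should land before the ports are exposed, and `writeTimeout = "0"` with `readTimeout = "3600s"` on both entry points deserves a why-comment because it lets slow clients hold connections for a long time. `log.level = "DEBUG"` sits next to its commented-out one-line form and should probably return to `INFO` once setup is finished; the enclosing attribute set starts above the hunk.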