diff --git a/inventory/m2.ini b/inventory/m2.ini
new file mode 100644
index 0000000..8e9e1f9
--- /dev/null
+++ b/inventory/m2.ini
@@ -0,0 +1,7 @@
+[main]
+m2.kadet.net
+
+[main:vars]
+ansible_user=kadet
+main_domain=kadet.net
+swarm_addr=2a01:4f8:c2c:db18::1
diff --git a/inventory/vagrant.ini b/inventory/vagrant.ini
index 1dd1457..5722d1a 100644
--- a/inventory/vagrant.ini
+++ b/inventory/vagrant.ini
@@ -4,4 +4,7 @@
 [main:vars]
 ansible_user=vagrant
 ansible_ssh_private_key_file=./.vagrant/machines/default/virtualbox/private_key
-ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+main_domain=kadet.local
+swarm_addr=eth0
+lets_encrypt_url=https://acme-staging-v02.api.letsencrypt.org/directory
diff --git a/services/cojedzie/stack.yml b/services/cojedzie/stack.yml
index f43b278..f9b4d6c 100644
--- a/services/cojedzie/stack.yml
+++ b/services/cojedzie/stack.yml
@@ -15,6 +15,8 @@ services:
 - traefik.enable=true
 - traefik.http.routers.{{ service }}-api.rule=(Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)) && PathPrefix(`/api/`)
 - traefik.http.routers.{{ service }}-api.priority=100
+ - traefik.http.routers.{{ service }}-api.tls=true
+ - traefik.http.routers.{{ service }}-api.tls.certresolver=lets-encrypt
 - traefik.http.services.{{ service }}-api.loadbalancer.server.port=8080
 
 update-job:
@@ -55,6 +57,8 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.{{ service }}-front.rule=Host(`{{ service }}.{{ main_domain }}`) || Host(`cojedzie.pl`)
+ - traefik.http.routers.{{ service }}-front.tls=true
+ - traefik.http.routers.{{ service }}-front.tls.certresolver=lets-encrypt
 - traefik.http.services.{{ service }}-front.loadbalancer.server.port=3000
 
 volumes:
diff --git a/services/gitea/stack.yml b/services/gitea/stack.yml
index b428226..7a6ce3a 100644
--- a/services/gitea/stack.yml
+++ b/services/gitea/stack.yml
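Review bot: `swarm_addr=2a01:4f8:c2c:db18::1` in the new m2 inventory looks like a globally routable address, so if this variable feeds the swarm advertise/listen address the cluster ports (2377/tcp, 7946/tcp+udp, 4789/udp) will be bound on it and reachable from the Internet unless host firewall rules limit them to cluster members. Either advertise on a private interface, as the vagrant inventory does with `eth0`, or pair this value with firewall rules restricting those ports to peer nodes. A one-line comment above the variable stating which of the two applies, e.g. `# public address: swarm ports must be firewalled to cluster peers`, would make the intent reviewable without knowing the host.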
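Review bot: The `tls=true`/`tls.certresolver=lets-encrypt` label pair added to the `-api` router is repeated for `-front` in the next hunk and again on the gitea, portainer and all five dynamic-config routers in this commit; Traefik v2 can carry it once on the entrypoint, `entryPoints.websecure.http.tls.certResolver: lets-encrypt` in traefik.yaml, so every router on websecure is TLS by default and a future service cannot end up served in clear because a label was forgotten. As far as I can tell Traefik also derives the certificate request from every `Host()` in the rule, so both cojedzie routers will ask the resolver for `cojedzie.pl` as well as `{{ service }}.{{ main_domain }}`; in an environment where `cojedzie.pl` does not resolve to this host (the vagrant inventory, for one) the order for the whole router fails, not just for that name. If the extra host is production-only, restricting it via `tls.domains` or a per-inventory rule would keep the staging deployment issuable.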
@@ -29,4 +29,6 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.{{ service }}.rule=Host(`git.{{ main_domain }}`)
+ - traefik.http.routers.{{ service }}.tls=true
+ - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
 - traefik.http.services.{{ service }}.loadbalancer.server.port=3000
diff --git a/services/portainer/stack.yml b/services/portainer/stack.yml
index 35f574c..9d4f30b 100644
--- a/services/portainer/stack.yml
+++ b/services/portainer/stack.yml
@@ -29,6 +29,8 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.{{ service }}.rule=Host(`{{ service }}.{{ main_domain }}`)
+ - traefik.http.routers.{{ service }}.tls=true
+ - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt
 - traefik.http.services.{{ service }}.loadbalancer.server.port=9000
 
 networks:
diff --git a/services/traefik/config/dynamic/alcoholic-calendar.yaml b/services/traefik/config/dynamic/alcoholic-calendar.yaml
index af1c2b5..79ab768 100644
--- a/services/traefik/config/dynamic/alcoholic-calendar.yaml
+++ b/services/traefik/config/dynamic/alcoholic-calendar.yaml
@@ -4,3 +4,5 @@ http:
 alcoholic-calendar:
 rule: Host(`alcoholic.{{ main_domain }}`)
 service: legacy@docker
+ tls:
+ certresolver: lets-encrypt
diff --git a/services/traefik/config/dynamic/dashboard.yaml b/services/traefik/config/dynamic/dashboard.yaml
index 2c5a52d..0c070e6 100644
--- a/services/traefik/config/dynamic/dashboard.yaml
+++ b/services/traefik/config/dynamic/dashboard.yaml
@@ -6,6 +6,8 @@ http:
 dashboard:
 rule: Host(`traefik.{{ main_domain }}`)
 service: api@internal
+ tls:
+ certresolver: lets-encrypt
 {% if dashboard_users is defined %}
 middlewares:
 - dashboard_auth
diff --git a/services/traefik/config/dynamic/nginx.yaml b/services/traefik/config/dynamic/nginx.yaml
index 3493ecc..c85f257 100644
--- a/services/traefik/config/dynamic/nginx.yaml
+++ b/services/traefik/config/dynamic/nginx.yaml
@@ -4,3 +4,5 @@ http:
 nginx:
 rule: Host(`{{ main_domain }}`)
 service: legacy@docker
+ tls:
+ certresolver: lets-encrypt
diff --git a/services/traefik/config/dynamic/paa.yaml b/services/traefik/config/dynamic/paa.yaml
index a41981c..17460d5 100644
--- a/services/traefik/config/dynamic/paa.yaml
+++ b/services/traefik/config/dynamic/paa.yaml
@@ -4,3 +4,5 @@ http:
 paa:
 rule: Host(`paa.{{ main_domain }}`)
 service: legacy@docker
+ tls:
+ certresolver: lets-encrypt
diff --git a/services/traefik/config/dynamic/pastebin.yaml b/services/traefik/config/dynamic/pastebin.yaml
index 170f6ef..06ff770 100644
--- a/services/traefik/config/dynamic/pastebin.yaml
+++ b/services/traefik/config/dynamic/pastebin.yaml
@@ -4,3 +4,5 @@ http:
 pastebin:
 rule: Host(`bin.{{ main_domain }}`)
 service: legacy@docker
+ tls:
+ certresolver: lets-encrypt
diff --git a/services/traefik/config/traefik.yaml b/services/traefik/config/traefik.yaml
index 8d65011..5a284d2 100644
--- a/services/traefik/config/traefik.yaml
+++ b/services/traefik/config/traefik.yaml
@@ -9,6 +9,12 @@ global:
 entryPoints:
 web:
 address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+
 websecure:
 address: :443
 
@@ -59,3 +65,11 @@ providers:
 swarmMode: true
 exposedByDefault: false
 network: "traefik"
+
+certificatesResolvers:
+ lets-encrypt:
+ acme:
+ caServer: "{{ lets_encrypt_url|default('https://acme-v02.api.letsencrypt.org/directory') }}"
+ email: "kacper@kadet.net"
+ storage: "/etc/traefik/acme/lets-encrypt.json"
+ tlsChallenge: {}
diff --git a/services/traefik/stack.yml b/services/traefik/stack.yml
index 4808412..8a946b2 100644
--- a/services/traefik/stack.yml
+++ b/services/traefik/stack.yml
@@ -5,9 +5,9 @@ services:
 image: traefik:v2.4
 ports:
 - 80:80
- - 8080:8080
 - 443:443
 volumes:
+ - ./config/acme:/etc/traefik/acme
 - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
 - ./config/dynamic:/etc/traefik/dynamic:ro
 - /var/run/docker.sock:/var/run/docker.sock:ro
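Review bot: In the new `certificatesResolvers` block `caServer` is templated from the inventory but `email` is a hard-coded personal address, so every environment, including the vagrant one pointed at the staging CA, registers the same ACME account contact; it belongs next to `lets_encrypt_url` as an inventory variable, e.g. `email: "{{ lets_encrypt_email }}"` (proposed name). The `caServer` default silently falls back to the production CA whenever an inventory omits `lets_encrypt_url`, which is the right default for m2 but means a forgotten variable in a test inventory hits real rate limits; a comment on that line saying so would help. `tlsChallenge` also requires the CA to reach port 443 on each requested name, which cannot succeed for `kadet.local`, so in the vagrant environment Traefik will log ACME failures and serve its self-signed default certificate; a comment above `tlsChallenge: {}` stating that expectation saves the next reader a debugging round.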
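Review bot: `./config/acme` is now a writable bind mount whose `lets-encrypt.json` will contain the ACME account key and the private key of every issued certificate, and it sits inside the same `config/` tree that is otherwise deployed from the repository; make sure that directory is excluded from version control and handled as a secret in backups (no `.gitignore` is visible in this diff, so this is a check rather than a finding). Dropping the published `8080:8080` is a good hardening step, as the dashboard is now reachable only through the `traefik.{{ main_domain }}` router in dashboard.yaml, but if `api.insecure` was relied on anywhere that path stops working; the api section is outside this diff. The JSON storage is per-container state, so this layout assumes a single traefik replica pinned to the node holding `config/acme`, which is worth a comment on the volume line.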
diff --git a/services/traefik/tasks/config.yml b/services/traefik/tasks/config.yml
index 7e454e3..e1b4c9d 100644
--- a/services/traefik/tasks/config.yml
+++ b/services/traefik/tasks/config.yml
@@ -1,6 +1,6 @@
 ---
 - name: 'Copy static config for "{{ service }}"'
- copy:
+ template:
 src: "{{ service_path }}/config/traefik.yaml"
 dest: "{{ remote_service_path }}/config/traefik.yaml"
 tags:
@@ -14,6 +14,14 @@
 tags:
 - config
 
+- name: 'Ensure acme config directory exists'
+ file:
+ path: "{{ remote_service_path }}/config/acme"
+ state: directory
+ owner: "{{ ansible_user }}"
+ tags:
+ - config
+
 - name: 'Copy dynamic config'
 template:
 src: "{{ file }}"
diff --git a/vars/environment.yml b/vars/environment.yml
index 1953663..a186e83 100644
--- a/vars/environment.yml
+++ b/vars/environment.yml
@@ -8,7 +8,6 @@
 ansible_python_interpreter: /usr/bin/python3
 pip_package: python3-pip
 pip_executable: pip3
-swarm_addr: eth0
 swarm_global_networks:
 - name: traefik
 swarm_host_address: "{{ ansible_docker0.ipv4.address }}"
diff --git a/vars/services.yml b/vars/services.yml
index bf6fd5d..f90e91a 100644
--- a/vars/services.yml
+++ b/vars/services.yml
@@ -8,11 +8,8 @@
 remote_services_root: /var/services
 remote_service_path: "{{ remote_services_root }}/{{ service }}"
 compose_version: "3.7"
-
 ingress_network: traefik
-main_domain: kadet.local
-
 database_mysql_host: "{{ swarm_host_address }}"
 services_to_restart: []
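Review bot: Switching the static-config task from `copy` to `template` means the whole of traefik.yaml is now Jinja-rendered, not only the new `caServer` line, so any later literal `{{` or `{%` that Traefik itself should see would need `{% raw %}` guards; the file is safe today but the task gives no hint of that. The task is also still named 'Copy static config' although it now renders; a comment on the task, `# rendered with Jinja: lets_encrypt_url is substituted into traefik.yaml`, and a name like 'Render static config for "{{ service }}"' would keep the next reader from assuming a byte-for-byte copy.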
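Review bot: The new 'Ensure acme config directory exists' task sets `owner` but no `mode`, so the directory is created with the remote umask (commonly 0755) even though it is the bind-mount target for Traefik's ACME storage, which holds the account key and every certificate private key. Traefik creates `lets-encrypt.json` itself with 0600, but closing the directory too keeps other local accounts from even listing it: `mode: "0700"` directly under `owner: "{{ ansible_user }}"`. Setting `group: "{{ ansible_user }}"` as well avoids leaving the group to whatever the remote default is.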