diff --git a/nix-system-configs/traefik/traefik-config.nix b/nix-system-configs/traefik/traefik-config.nix index f2d23b4..89f0ffb 100644 --- a/nix-system-configs/traefik/traefik-config.nix +++ b/nix-system-configs/traefik/traefik-config.nix @@ -1,6 +1,6 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). +# and in the NixOS manual (accessible by running 'nixos-help'). { config, pkgs, 
@@ -124,55 +124,87 @@ in { }; - # Enable Traefik service (from https://wiki.nixos.org/wiki/Traefik) - services.traefik = { - enable = true; + # Enable Traefik service + services.traefik = { + enable = true; + group = "acme"; # Add traefik to acme group so it can read certificates - staticConfigOptions = { - entryPoints = { - web = { - address = ":80"; - asDefault = true; - http.redirections.entrypoint = { - to = "websecure"; - scheme = "https"; - }; - }; - - websecure = { - address = ":443"; - asDefault = true; - http.tls.certResolver = "letsencrypt"; + staticConfigOptions = { + entryPoints = { + web = { + address = ":80"; + asDefault = true; + http.redirections.entrypoint = { + to = "websecure"; + scheme = "https"; }; }; - log = { - level = "INFO"; - filePath = "${config.services.traefik.dataDir}/traefik.log"; - format = "json"; + websecure = { + address = ":443"; + asDefault = true; + http.tls = { + # Use the certificates from the file provider + domains = [ + { + main = "prg-radio.org"; + sans = ["*.prg-radio.org"]; + } + ]; + }; }; - - api.dashboard = true; - # Access the Traefik dashboard on :8080 of your server - api.insecure = true; }; - dynamicConfigOptions = { - http.routers = {}; - http.services = {}; + log = { + level = "INFO"; + filePath = "${config.services.traefik.dataDir}/traefik.log"; + format = "json"; }; + + # Enable file provider for TLS certificates + providers.file = { + directory = "${config.services.traefik.dataDir}/conf"; + watch = true; + }; + + api.dashboard = true; + # Access the Traefik dashboard on :8080 of your server + api.insecure = true; }; - security.acme = { - acceptTerms = true; - defaults.email = "dtu.prg@gmail.com"; - certs."prg-radio.org" = { - domain = "*.prg-radio.org"; - group = "nginx"; - dnsProvider = "cloudflare"; - environmentFile = "/etc/cloudflare.env"; - }; + dynamicConfigOptions = { + # Configure TLS to use the ACME certificates + tls.certificates = [ + { + certFile = "/var/lib/acme/prg-radio.org/cert.pem"; + 
keyFile = "/var/lib/acme/prg-radio.org/key.pem"; + } + ]; + + http.routers = {}; + http.services = {}; }; + }; + + # ACME certificate configuration + security.acme = { + acceptTerms = true; + defaults.email = "dtu.prg@gmail.com"; + certs."prg-radio.org" = { + domain = "*.prg-radio.org"; + group = "acme"; # Use acme group + dnsProvider = "cloudflare"; + environmentFile = "/home/traefikprg/cloudflare/cloudflare.env"; + # Reload traefik when certificate is renewed + reloadServices = [ "traefik.service" ]; + }; + }; + + # Ensure traefik service waits for ACME certificates + systemd.services.traefik = { + after = [ "acme-finished-prg-radio.org.target" ]; + wants = [ "acme-finished-prg-radio.org.target" ]; + }; # Add extra system packages from example.nix (appended to existing list) @@ -215,8 +247,7 @@ in { enable = true; ports = [22]; settings = { - PasswordAuthentication = false; - AllowUsers = null; + PasswordAuthentication = true; UseDns = true; PermitRootLogin = "no"; }; @@ -235,7 +266,7 @@ in { users.users.traefikprg = { isNormalUser = true; description = "NixOS PRG Traefik Service"; - extraGroups = ["networkmanager" "wheel" "seat"]; + extraGroups = ["acme" "networkmanager" "wheel" "seat"]; packages = with pkgs; []; }; @@ -314,6 +345,12 @@ in { nameserver 10.1.1.2 ''; + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 443 ]; + networking.firewall.allowedUDPPorts = [ 443 ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave @@ -321,4 +358,4 @@ in { # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "25.11"; # Did you read the comment? -} +} \ No newline at end of file
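Review bot: The `tls.certificates` entry added under `dynamicConfigOptions` may never be loaded, because the same hunk also sets `providers.file.directory`, and Traefik's file provider reads only `directory` when both it and `filename` are configured; as far as I recall the NixOS module injects `providers.file.filename` pointing at the rendered `dynamicConfigOptions`, so please verify against the module before relying on this. If the directory provider is wanted, the certificate block belongs in a file under `${config.services.traefik.dataDir}/conf` instead, otherwise drop `providers.file.directory` and let the rendered dynamic config carry it. Separately, `environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";` moves the Cloudflare API token from `/etc` into the home directory of an interactive `wheel` user; a root-owned location with mode `0600` is the safer home for it. `api.insecure = true;` is re-added, so the dashboard stays unauthenticated on :8080 and is acceptable only while the firewall keeps that port closed. The enclosing module attribute set opens in the first hunk and closes in the last one, outside this hunk.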
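Review bot: `PasswordAuthentication = true;` reopens password-based SSH login on a host that listens on port 22 and has a `wheel` member (`traefikprg`, visible in the following hunk), a regression from the previous `false`. If password login is only needed to bootstrap the machine, keep `PasswordAuthentication = false;` and provision the key via `users.users.traefikprg.openssh.authorizedKeys.keys`; if it must stay, pair it with an explicit `AllowUsers` list so only the intended account is accepted. Removing `AllowUsers = null;` itself changes nothing, since `null` was already the unset value. The enclosing block (presumably `services.openssh`) opens before this hunk.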
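Review bot: Adding `"acme"` to `extraGroups` gives an interactive login account that is already in `wheel` direct read access to the wildcard private key under `/var/lib/acme/prg-radio.org`, which the Traefik service itself does not need because `services.traefik.group = "acme";` in the earlier hunk already grants the service that access. Unless the account is meant to inspect certificates by hand, keep the line as `extraGroups = ["networkmanager" "wheel" "seat"];`. The `users.users.traefikprg` block is fully visible in this hunk.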
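Review bot: Only port 443 is opened, so the `web` entrypoint on `:80`, whose sole job in the earlier hunk is to redirect to `websecure`, is unreachable from outside and plain-HTTP clients will time out instead of being redirected; if that redirect is meant for external traffic, use `networking.firewall.allowedTCPPorts = [ 80 443 ];`. `networking.firewall.allowedUDPPorts = [ 443 ];` only matters for HTTP/3, which no visible entrypoint enables, so it can be dropped. Leaving 8080 closed is the right call while `api.insecure = true` is set. The commented-out `# networking.firewall.enable = false;` line is template residue and could be removed.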