diff --git a/cert/.gitignore b/cert/.gitignore new file mode 100644 index 0000000..852cebe --- /dev/null +++ b/cert/.gitignore @@ -0,0 +1,2 @@ +# ignore the generated certificates +acme.json diff --git a/cert/.gitkeep b/cert/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/config/acme.toml b/config/acme.toml deleted file mode 100644 index bc2192f..0000000 --- a/config/acme.toml +++ /dev/null @@ -1,26 +0,0 @@ -# new domains and subdomains can be configured here, the file is read -# automatically after modification. -# -# note that domains and subdomains not defined in this file will still work -# when defined in a container Host-Rule. However, they will generate -# their own ACME request, and will count towards LetsEncrypt's rate limit. - -#[acme] -#email = "hostmaster@zom.bi" -#storage = "cert/acme.json" -#entryPoint = "https" -#onDemand = false -#OnHostRule = true -# -#[[acme.domains]] -# main = "zom.bi" -# sans = [ -# "blog.zom.bi", -# "www.zom.bi", -# ] - -# You can define multiple of these blocks, each of which will result in one -# certificate. -#[[acme.domains]] -# main = "zombi.systems" -# sans = ["www.zombi.systems", "blog.zombi.systems"] diff --git a/config/traefik.toml b/config/traefik.toml index 6132a5a..79d1692 100644 --- a/config/traefik.toml +++ b/config/traefik.toml @@ -3,6 +3,13 @@ InsecureSkipVerify = true defaultEntryPoints = ["http", "https"] +[acme] +email = "hostmaster@zom.bi" +storage = "cert/acme.json" +entryPoint = "https" +onDemand = false +OnHostRule = true + [entryPoints] [entryPoints.http] address = ":80" 
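Review bot: `storage = "cert/acme.json"` in the new `[acme]` table is a relative path, so the file holding the ACME account key and the certificate private keys ends up wherever Traefik's working directory happens to be. The compose file mounts `./cert/` at `/cert/`, which suggests the intended location is `/cert/acme.json`; writing `storage = "/cert/acme.json"` makes that explicit and avoids the keys landing on a non-persistent or unexpected path. A comment above the key such as `# acme.json holds private keys: keep it mode 0600 and out of shared backups` would help the next operator. Minor style point: `OnHostRule` is capitalised differently from the neighbouring `onDemand` and `entryPoint`, and `onHostRule` would be consistent.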
@@ -21,12 +28,41 @@ domain = "docker.localhost" watch = true exposedbydefault = false -# embed acme configuration. -# new domains and subdomains can be configured here, the file is read -# automatically after modification. +# new domains and subdomains can be configured here. # note that domains and subdomains not defined in this file will still work, # when defined in a container Host-Rule. However, they will generate # their own ACME request, and will count towards LetsEncrypt's rate limit. -[file] -filename = "acme.toml" -watch = true +[[acme.domains]] + main = "zom.bi" + sans = [ + "conference.zom.bi", + "talk.zom.bi", + "mumble.zom.bi", + "irc.zom.bi", + "mx.zom.bi", + "user.zom.bi", + "xmpp.zom.bi", + + # web vhosts: + "api.zom.bi", + "autoconfig.zom.bi", + "blog.zom.bi", + "download.zom.bi", + "git.zom.bi", + "kanban.zom.bi", + "mail.zom.bi", + "music.zom.bi", + "org.zom.bi", + "push.zom.bi", + "static.zom.bi", + "stream.zom.bi", + "tube.zom.bi", + "wiki.zom.bi", + "www.zom.bi", + ] + +# You can define multiple of these blocks, each of which will result in one +# certificate. +#[[acme.domains]] +# main = "zombi.systems" +# sans = ["www.zombi.systems", "blog.zombi.systems"] diff --git a/docker-compose.yml b/docker-compose.yml index 4266f8e..baac2b2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,20 +4,20 @@ services: proxy: image: traefik command: --logLevel=INFO - networks: - - "webgateway" ports: - "80:80" - "443:443" volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "./cert/:/cert/" - - "./traefik.toml:/traefik.toml:ro" - "./config/:/etc/traefik/:ro" labels: - "traefik.enable=false" # set to true to expose the Monitoring & API - "traefik.backend=proxy" - "traefik.port=8080" + - "traefik.frontend.rule=Host: api.zom.bi" + networks: + - "web" networks: web:
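Review bot: The single `[[acme.domains]]` block puts `zom.bi` and all 22 SANs under one certificate and one private key. A validation failure on any one name would therefore block issuance or renewal for every host, and the certificate published to CT logs lists the whole set together. The first group (`mx`, `irc`, `xmpp`, `mumble`, …) is listed apart from the `# web vhosts:` group, which suggests non-HTTP services; if any of them does not resolve to this proxy, its ACME challenge cannot succeed. The comment at the end of the hunk already notes that several blocks are allowed, so I would move the non-web names into a second `[[acme.domains]]` block and limit this one to the names Traefik actually serves. The `[acme]` table this block extends is defined in the earlier hunk, and keeping the two next to each other would also read better.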
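Review bot: The added label `traefik.frontend.rule=Host: api.zom.bi` gives the proxy's own port 8080 a public hostname, and nothing in the visible service definition puts authentication in front of it. The adjacent comment says setting `traefik.enable` to true exposes the Monitoring & API, so that one-word change would publish the dashboard and API on a name that is also in the certificate's SAN list. I would add an auth label next to the rule, for example `- "traefik.frontend.auth.basic=<user>:<htpasswd-hash>"`, or restrict access by source range. Those values are placeholders, and the label name should be checked against the Traefik version actually deployed, since `image: traefik` is unpinned. The `services:` block starts before this hunk and the top-level `networks:` definition continues after it.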