diff --git a/.agenix_config.nix b/.agenix_config.nix
index 70914c7..13c7930 100644
Binary files a/.agenix_config.nix and b/.agenix_config.nix differ
diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix
index 7a4ec9c..c1a206d 100644
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@@ -10,9 +10,10 @@ in
 
 ../modules/common.nix
 ../modules/nix.nix
- ../modules/nginx.nix
 ../modules/fail2ban.nix
+ ./services/nginx.nix
+ ./services/traefik.nix
 ./services/mailserver.nix
 ./services/gitea.nix
 ];
diff --git a/machines/magenta/services/gitea.nix b/machines/magenta/services/gitea.nix
index 206fba2..c478924 100644
--- a/machines/magenta/services/gitea.nix
+++ b/machines/magenta/services/gitea.nix
@@ -9,6 +9,8 @@ let
 User-agent: *
 Disallow: /github
 '';
+
+ magentaData = import ../data.secret.nix;
 in
 {
 services.postgresql.package = pkgs.postgresql_14;
@@ -104,11 +106,35 @@ in
 cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
 '';
 
- services.nginx.virtualHosts.${hostname} = {
+ services.traefik.dynamicConfigOptions.http = {
+ routers = {
+ to_gitea_http = {
+ rule = "Host(`${hostname}`)";
+ entryPoints = [ "http" ];
+ middlewares = [ "https_redirect" ];
+ service = "noop@internal";
+ };
+ to_gitea_https = {
+ rule = "Host(`${hostname}`)";
+ entryPoints = [ "https" ];
+ tls.certResolver = "le";
+ service = "gitea";
+ };
+ };
+ services.gitea = {
+ loadBalancer.servers = [
+ { url = "http://localhost:${toString giteaCfg.httpPort}"; }
+ ];
+ };
+ };
+
+ /*
+ services.nginx.virtualHosts.${hostname} = {
 enableACME = true;
 forceSSL = true;
 locations."/".proxyPass = "http://localhost:${toString giteaCfg.httpPort}/";
- };
+ };
+ */
 
 age.secrets.gitea-smtp-passfile = {
 file = ../../../secrets/gitea-smtp-passfile.age;
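Review bot: `magentaData = import ../data.secret.nix;` is bound in this `let` but not referenced in either hunk of gitea.nix — the new routers use `hostname` — so unless something outside the diff reads it, it is an unused binding that also pulls a secret-bearing file into a module that does not need it; drop it here or move it next to its first use. The `let` block begins outside the hunk.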
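Review bot: The replaced nginx vhost is kept behind `/* … */` instead of being deleted; git history already holds it, and commented-out config drifts from the live one, so remove the block from `/*` through `*/`. Separately, the old vhost inherited NixOS's `recommendedTlsSettings` from the nginx module, whereas `to_gitea_https` now relies on Traefik's default TLS options, and neither side sets HSTS; consider `tls.options.default.minVersion = "VersionTLS12";` in the Traefik dynamic config and a `headers` middleware with `stsSeconds` added to `to_gitea_https`'s `middlewares`. The enclosing attribute set starts and ends outside the hunk.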
diff --git a/machines/magenta/services/mailserver-accounts.secret.nix b/machines/magenta/services/mailserver-accounts.secret.nix
index ccc70ba..d265686 100644
Binary files a/machines/magenta/services/mailserver-accounts.secret.nix and b/machines/magenta/services/mailserver-accounts.secret.nix differ
diff --git a/machines/magenta/services/mailserver.nix b/machines/magenta/services/mailserver.nix
index 25e1a03..f73f028 100644
--- a/machines/magenta/services/mailserver.nix
+++ b/machines/magenta/services/mailserver.nix
@@ -15,4 +15,18 @@
 hierarchySeparator = "/";
 };
 
+
+ # required for certificateScheme = 3
+ # TODO: Try to use traefik
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ defaultHTTPListenPort = 10080;
+ defaultSSLListenPort = 10443;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 10080 10443 ];
 }
diff --git a/machines/modules/nginx.nix b/machines/magenta/services/nginx.nix
similarity index 60%
rename from machines/modules/nginx.nix
rename to machines/magenta/services/nginx.nix
index 185498d..3aadbe3 100644
--- a/machines/modules/nginx.nix
+++ b/machines/magenta/services/nginx.nix
@@ -5,7 +5,9 @@
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ defaultHTTPListenPort = 10080;
+ defaultSSLListenPort = 10443;
 };
 
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 10080 10443 ];
 }
diff --git a/machines/magenta/services/traefik.nix b/machines/magenta/services/traefik.nix
new file mode 100644
index 0000000..2cb4118
--- /dev/null
+++ b/machines/magenta/services/traefik.nix
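Review bot: The `services.nginx` block added here duplicates, value for value, the one in `services/nginx.nix`, which `default.nix` now imports alongside this module. NixOS accepts identical duplicate definitions of `defaultHTTPListenPort`/`defaultSSLListenPort`, but the moment one copy changes the build fails with a conflicting-definitions error, and the firewall list is opened twice. Keep only what the comment justifies — `# required for certificateScheme = 3` followed by `services.nginx.enable = true;` — and let nginx.nix own the settings and the firewall rule.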
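Review bot: Moving nginx to 10080/10443 and opening those ports in `allowedTCPPorts` does not give ACME a path to it: HTTP-01 validation only connects to port 80, which this commit hands to Traefik's `http` entrypoint, and no Traefik router forwarding the path prefix `/.well-known/acme-challenge/` to `localhost:10080` appears anywhere in the diff. If nothing outside the diff provides that route, the mail certificate that the mailserver hunk says depends on nginx (`certificateScheme = 3`, presumably HTTP-01 through an nginx vhost) will stop renewing, while nginx is nonetheless exposed publicly on two non-standard ports. Either add a Traefik router on the `http` entrypoint matching that path prefix with a service whose server is `url = "http://localhost:10080";`, or keep nginx on localhost and drop `10080 10443` from `networking.firewall.allowedTCPPorts`.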
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ traefikCfg = config.services.traefik;
+
+ magentaData = import ../data.secret.nix;
+in
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
+
+ age.secrets.traefik-dashboard-basicauth-users = {
+ file = ../../../secrets/traefik-dashboard-basicauth-users.age;
+ owner = "traefik";
+ inherit (traefikCfg) group;
+ };
+
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ entryPoints = {
+ http.address = ":80";
+ https.address = ":443";
+ dashboard.address = ":8080";
+ };
+ api = { };
+ log = { };
+ accessLog = { };
+ certificatesResolvers.le.acme = {
+ storage = "${traefikCfg.dataDir}/acme.json";
+ email = "dmitriy@pleshevski.ru";
+ tlschallenge = true;
+ };
+ };
+ dynamicConfigOptions = {
+ http = {
+ routers.to_traefik_dashboard = {
+ rule = "Host(`${magentaData.addr}`)";
+ entryPoints = [ "dashboard" ];
+ middlewares = [ "traefik_dashboard_auth" ];
+ service = "api@internal";
+ };
+ middlewares = {
+ https_redirect.redirectScheme = {
+ scheme = "https";
+ permanent = true;
+ };
+ traefik_dashboard_auth.basicAuth = {
+ usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/traefik-dashboard-basicauth-users.age b/secrets/traefik-dashboard-basicauth-users.age
new file mode 100644
index 0000000..09a42f6
Binary files /dev/null and b/secrets/traefik-dashboard-basicauth-users.age differ
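Review bot: `routers.to_traefik_dashboard` is served on the `dashboard` entrypoint (`:8080`, opened to the world in `allowedTCPPorts`) without any `tls` setting, so the `basicAuth` credentials from the agenix users file travel base64-encoded over plaintext HTTP to anyone on the path. Add `tls.certResolver = "le";` to that router (the `le` resolver can serve it since port 443 is reachable for the TLS-ALPN challenge), or, if the dashboard is only needed locally, bind it with `dashboard.address = "127.0.0.1:8080";` and drop `8080` from the firewall list. Note also that basicAuth alone gives no brute-force protection: `fail2ban` is imported in default.nix but nothing in this diff teaches it Traefik's access-log format, so a `rateLimit` middleware on the same router would be a cheap backstop.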