diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index a85fd4aaa1..5329aa4fa7 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml @@ -9,18 +9,35 @@ traefik_enabled: false # directories traefik_data_directory: "{{ docker_home }}/traefik" +# files +traefik_template_files: + - src: traefik.toml.j2 + dest: "{{ traefik_data_directory }}/traefik.toml" + force: "Yes" +traefik_template_files_custom: [] + # network traefik_port_http: "80" traefik_port_https: "443" traefik_port_ui: "8083" -traefik_docker_image: traefik:latest +traefik_image: traefik:v2.5 +traefik_volumes: + - "{{ traefik_data_directory }}/letsencrypt:/letsencrypt:rw" + - "{{ traefik_data_directory }}/traefik.toml:/etc/traefik/traefik.toml:ro" + - "/var/run/docker.sock:/var/run/docker.sock:ro" +traefik_volumes_custom: [] traefik_log_level: "INFO" # find the relevant name and environment variables for your DNS provider at https://go-acme.github.io/lego/dns/ traefik_dns_provider: cloudflare traefik_environment_variables: CF_DNS_API_TOKEN: "abcdabcd123412341234" +traefik_letsencrypt_tls: no + +traefik_domain_san: + - "*.{{ ansible_nas_domain_root }}" +traefik_domain_san_custom: [] # Ansible-NAS requests a wildcard certificate for your domain, so there should be no reason to have to use the staging # letsencrypt acme server. If you do want to flip between staging/production, you might need to stop Traefik and clear diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index 451112e4b7..d58cc1b9e8 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml 
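Review bot: The `:ro` on `/var/run/docker.sock:/var/run/docker.sock:ro` in the new `traefik_volumes` default gives no real protection — a read-only bind mount of a unix socket still allows every Docker API call over it, so the container keeps effective root on the host; users adding entries via `traefik_volumes_custom` should know this is the sensitive one. I would add above that line `# NOTE: ':ro' does not restrict the Docker API; the socket still grants host-root-equivalent access. Prefer a socket proxy that exposes only the read endpoints.`. Separately, `traefik_letsencrypt_tls: no` and `force: "Yes"` rely on YAML 1.1 boolean coercion; writing them as `traefik_letsencrypt_tls: false` and `force: true` is unambiguous and matches the `traefik_enabled: false` style already in the file.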
@@ -1,29 +1,41 @@ --- - name: Create Traefik Directories file: - path: "{{ item }}" - state: directory + mode: "{{ item.mode | default('0750') }}" + path: "{{ item.path }}" + state: "directory" + tags: + - traefik + - traefik:dir with_items: - - "{{ traefik_data_directory }}" - - "{{ traefik_data_directory }}/letsencrypt" + - path: "{{ traefik_data_directory }}" + mode: "0755" + - path: "{{ traefik_data_directory }}/letsencrypt" + mode: "0700" -- name: Template Traefik config.toml - template: - src: traefik.toml - dest: "{{ traefik_data_directory }}/traefik.toml" +- name: Template Traefik Files register: template_config + tags: + - traefik + - traefik:template + template: + dest: "{{ item.dest }}" + force: "{{ item.force | default('No') }}" + mode: "{{ item.mode | default('0600') }}" + src: "{{ item.src }}" + with_items: "{{ traefik_template_files + traefik_template_files_custom | sort }}" - name: Traefik Docker Container docker_container: - name: traefik - image: "{{ traefik_docker_image }}" - pull: true - network_mode: host - volumes: - - "{{ traefik_data_directory }}/traefik.toml:/etc/traefik/traefik.toml:ro" - - "{{ traefik_data_directory }}/letsencrypt:/letsencrypt:rw" - - "/var/run/docker.sock:/var/run/docker.sock:ro" env: "{{ traefik_environment_variables }}" - restart_policy: unless-stopped + image: "{{ traefik_image }}" memory: "{{ traefik_memory }}" + name: traefik + network_mode: host + pull: true recreate: "{{ template_config is changed }}" + restart_policy: unless-stopped + volumes: "{{ traefik_volumes + traefik_volumes_custom | sort }}" + tags: + - traefik + - traefik:docker diff --git a/roles/traefik/templates/traefik.toml b/roles/traefik/templates/traefik.toml.j2 similarity index 64% rename from roles/traefik/templates/traefik.toml rename to roles/traefik/templates/traefik.toml.j2 index 51555ba1d4..bd00d885b0 100644 --- a/roles/traefik/templates/traefik.toml +++ b/roles/traefik/templates/traefik.toml.j2 
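Review bot: In both `with_items: "{{ traefik_template_files + traefik_template_files_custom | sort }}"` and `volumes: "{{ traefik_volumes + traefik_volumes_custom | sort }}"` the `| sort` filter binds only to the custom list, not to the concatenation (Jinja filters take precedence over `+`), so the combined list is not actually sorted; the template hunk in this same commit uses parentheses for the SAN join, which suggests that was the intent here too. For the template-file loop a sort of a list of dicts would also raise a TypeError as soon as the custom list holds more than one entry, so it needs an attribute key: `with_items: "{{ (traefik_template_files + traefik_template_files_custom) | sort(attribute='dest') }}"` and `volumes: "{{ (traefik_volumes + traefik_volumes_custom) | sort }}"`. It is also worth a comment that `force` defaults to `No`, so changes to a custom template after the first run are not re-applied unless the entry sets `force: true`.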
@@ -12,9 +12,9 @@ certResolver = "letsencrypt" [entryPoints.websecure.http.tls.domains] - main = "{{ ansible_nas_domain }}" + main = "{{ ansible_nas_domain_root }}" sans = [ - "*.{{ ansible_nas_domain }}" + "{{ (traefik_domain_san + traefik_domain_san_custom) | join("\",\n \"") }}" ] [entryPoints.traefik] @@ -30,7 +30,7 @@ dashboard = true [log] - level = "{{ traefik_log_level }}" + level = "{{ traefik_log_level | upper }}" [ping] terminatingStatusCode = 0 @@ -44,3 +44,13 @@ [certificatesResolvers.letsencrypt.acme.dnsChallenge] provider = "{{ traefik_dns_provider }}" + +{% if traefik_letsencrypt_tls %} + [certificatesResolvers.letsencryptTls] + [certificatesResolvers.letsencryptTls.acme] + email = "{{ ansible_nas_email }}" + storage = "/letsencrypt/acme.json" + caserver = "https://acme-v02.api.letsencrypt.org/directory" + + [certificatesResolvers.letsencryptTls.acme.tlsChallenge] +{% endif %} \ No newline at end of file
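Review bot: The `sans = [ "{{ (traefik_domain_san + traefik_domain_san_custom) | join("\",\n \"") }}" ]` line renders `sans = [ "" ]` when both lists are empty, which an operator can cause by overriding `traefik_domain_san` to `[]`; Traefik would then be asked for an empty-string SAN rather than no SANs. Guarding the whole `sans` entry with `{% if traefik_domain_san + traefik_domain_san_custom %}` … `{% endif %}` would avoid that, and a one-line comment above it noting that the default is a wildcard for `ansible_nas_domain_root` would help readers of the rendered file.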
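Review bot: The new `letsencryptTls` resolver hard-codes `caserver = "https://acme-v02.api.letsencrypt.org/directory"`, while the defaults file's comment talks about flipping the existing resolver between staging and production, so the two resolvers presumably no longer honour the same setting (the existing resolver's `caserver` line is outside this hunk, so I cannot confirm). If that variable exists it should be reused here, so a staging test does not hit production rate limits through the TLS challenge. Nothing in the hunk references the new resolver — `certResolver = "letsencrypt"` on `websecure` is unchanged — so a short comment such as `# Opt-in per router with the label traefik.http.routers.<name>.tls.certresolver=letsencryptTls` would save users guessing how to use it. The file also now ends without a trailing newline.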