diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index a85fd4aaa1..73d8d72a69 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml @@ -9,18 +9,36 @@ traefik_enabled: false # directories traefik_data_directory: "{{ docker_home }}/traefik" +# files +traefik_template_files: + - src: traefik.toml.j2 + dest: "{{ traefik_data_directory }}/traefik.toml" + force: "Yes" +traefik_template_files_custom: [] + # network traefik_port_http: "80" traefik_port_https: "443" traefik_port_ui: "8083" +traefik_trusted_ips: [] -traefik_docker_image: traefik:latest +traefik_image: traefik:v2.5 +traefik_volumes: + - "{{ traefik_data_directory }}/letsencrypt:/letsencrypt:rw" + - "{{ traefik_data_directory }}/traefik.toml:/etc/traefik/traefik.toml:ro" + - "/var/run/docker.sock:/var/run/docker.sock:ro" +traefik_volumes_custom: [] traefik_log_level: "INFO" # find the relevant name and environment variables for your DNS provider at https://go-acme.github.io/lego/dns/ traefik_dns_provider: cloudflare traefik_environment_variables: CF_DNS_API_TOKEN: "abcdabcd123412341234" +traefik_letsencrypt_tls: no + +traefik_domain_san: + - "*.{{ ansible_nas_domain_root }}" +traefik_domain_san_custom: [] # Ansible-NAS requests a wildcard certificate for your domain, so there should be no reason to have to use the staging # letsencrypt acme server. If you do want to flip between staging/production, you might need to stop Traefik and clear diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index 451112e4b7..d58cc1b9e8 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml 
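Review bot: `force: "Yes"` under traefik_template_files and `traefik_letsencrypt_tls: no` are boolean-looking strings / YAML 1.1 booleans; Ansible coerces them, but YAML 1.2 tooling and yamllint's truthy rule read them differently, and the same shape recurs in tasks/main.yml (next hunk) as `default('No')`. Write real booleans: `force: true`, `traefik_letsencrypt_tls: false`, and `default(false)` on the task side. Separately, `traefik_domain_san` and the new template reference `ansible_nas_domain_root`, which is not defined in this role's defaults and replaces the `ansible_nas_domain` the deleted template used; if it is not a group/global variable the render fails on an undefined variable, so confirm it exists in group_vars.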
@@ -1,29 +1,41 @@ --- - name: Create Traefik Directories file: - path: "{{ item }}" - state: directory + mode: "{{ item.mode | default('0750') }}" + path: "{{ item.path }}" + state: "directory" + tags: + - traefik + - traefik:dir with_items: - - "{{ traefik_data_directory }}" - - "{{ traefik_data_directory }}/letsencrypt" + - path: "{{ traefik_data_directory }}" + mode: "0755" + - path: "{{ traefik_data_directory }}/letsencrypt" + mode: "0700" -- name: Template Traefik config.toml - template: - src: traefik.toml - dest: "{{ traefik_data_directory }}/traefik.toml" +- name: Template Traefik Files register: template_config + tags: + - traefik + - traefik:template + template: + dest: "{{ item.dest }}" + force: "{{ item.force | default('No') }}" + mode: "{{ item.mode | default('0600') }}" + src: "{{ item.src }}" + with_items: "{{ traefik_template_files + traefik_template_files_custom | sort }}" - name: Traefik Docker Container docker_container: - name: traefik - image: "{{ traefik_docker_image }}" - pull: true - network_mode: host - volumes: - - "{{ traefik_data_directory }}/traefik.toml:/etc/traefik/traefik.toml:ro" - - "{{ traefik_data_directory }}/letsencrypt:/letsencrypt:rw" - - "/var/run/docker.sock:/var/run/docker.sock:ro" env: "{{ traefik_environment_variables }}" - restart_policy: unless-stopped + image: "{{ traefik_image }}" memory: "{{ traefik_memory }}" + name: traefik + network_mode: host + pull: true recreate: "{{ template_config is changed }}" + restart_policy: unless-stopped + volumes: "{{ traefik_volumes + traefik_volumes_custom | sort }}" + tags: + - traefik + - traefik:docker diff --git a/roles/traefik/templates/traefik.toml b/roles/traefik/templates/traefik.toml deleted file mode 100644 index 6d356da950..0000000000 --- a/roles/traefik/templates/traefik.toml +++ /dev/null 
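Review bot: In `with_items: "{{ traefik_template_files + traefik_template_files_custom | sort }}"` and `volumes: "{{ traefik_volumes + traefik_volumes_custom | sort }}"` the Jinja filter binds tighter than `+`, so `sort` is applied only to the `_custom` list and the concatenated result stays unsorted. If a sorted union is intended, parenthesize: `volumes: "{{ (traefik_volumes + traefik_volumes_custom) | sort }}"`. The template list holds mappings, which a plain `sort` cannot order once a user adds more than one custom entry (the default `[]` hides this); use `(…) | sort(attribute='dest')` there or drop the sort, since loop order does not change the outcome. The `mode` default of `'0600'` on rendered files and `"0700"` on the letsencrypt directory are appropriate given that directory holds the ACME account and certificate keys.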
@@ -1,46 +0,0 @@ -[entryPoints] - [entryPoints.web] - address = ":80" - - [entryPoints.web.http.redirections.entryPoint] - to = "websecure" - - [entryPoints.websecure] - address = ":{{ traefik_port_https }}" - - [entryPoints.websecure.http.tls] - certResolver = "letsencrypt" - - [entryPoints.websecure.http.tls.domains] - main = "{{ ansible_nas_domain }}" - sans = [ - "*.{{ ansible_nas_domain }}" - ] - - [entryPoints.traefik] - address = ":{{ traefik_port_ui }}" - -[providers] - providersThrottleDuration = "2s" - [providers.docker] - exposedbydefault = false - -[api] - insecure = true - dashboard = true - -[log] - level = "{{ traefik_log_level }}" - -[ping] - terminatingStatusCode = 0 - -[certificatesResolvers] - [certificatesResolvers.letsencrypt] - [certificatesResolvers.letsencrypt.acme] - email = "{{ ansible_nas_email }}" - storage = "/letsencrypt/acme.json" - caserver = "{{ traefik_acme_server }}" - - [certificatesResolvers.letsencrypt.acme.dnsChallenge] - provider = "{{ traefik_dns_provider }}" diff --git a/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2 new file mode 100644 index 0000000000..bd8c3f9069 --- /dev/null +++ b/roles/traefik/templates/traefik.toml.j2 
@@ -0,0 +1,62 @@ +[entryPoints] + [entryPoints.web] + address = ":{{ traefik_port_http }}" + +{% if traefik_trusted_ips %} + [entryPoints.web.forwardedHeaders] + trustedIPs = {{ traefik_trusted_ips | to_nice_json(indent=2) | trim | indent(6) }} +{% endif %} + [entryPoints.web.http.redirections.entryPoint] + to = "websecure" + + [entryPoints.websecure] + address = ":{{ traefik_port_https }}" + +{% if traefik_trusted_ips %} + [entryPoints.websecure.forwardedHeaders] + trustedIPs = {{ traefik_trusted_ips | to_nice_json(indent=2) | trim | indent(6) }} +{% endif %} + [entryPoints.websecure.http.tls] + certResolver = "letsencrypt" + + [entryPoints.websecure.http.tls.domains] + main = "{{ ansible_nas_domain_root }}" + sans = {{ (traefik_domain_san + traefik_domain_san_custom ) | to_nice_json(indent=2) | trim | indent(10) }} + + [entryPoints.traefik] + address = ":{{ traefik_port_ui }}" + +[providers] + providersThrottleDuration = "2s" + [providers.docker] + exposedbydefault = false + +[api] + insecure = true + dashboard = true + +[log] + level = "{{ traefik_log_level | upper }}" + +[ping] + terminatingStatusCode = 0 + +[certificatesResolvers] + [certificatesResolvers.letsencrypt] + [certificatesResolvers.letsencrypt.acme] + email = "{{ ansible_nas_email }}" + storage = "/letsencrypt/acme.json" + caserver = "{{ traefik_acme_server }}" + + [certificatesResolvers.letsencrypt.acme.dnsChallenge] + provider = "{{ traefik_dns_provider }}" + +{% if traefik_letsencrypt_tls %} + [certificatesResolvers.letsencryptTls] + [certificatesResolvers.letsencryptTls.acme] + email = "{{ ansible_nas_email }}" + storage = "/letsencrypt/acme.json" + caserver = "https://acme-v02.api.letsencrypt.org/directory" + + [certificatesResolvers.letsencryptTls.acme.tlsChallenge] +{% endif %}
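Review bot: The new `letsencryptTls` resolver hard-codes `caserver = "https://acme-v02.api.letsencrypt.org/directory"` while the `letsencrypt` resolver uses `{{ traefik_acme_server }}`, so the staging/production switch described in defaults/main.yml never applies to the TLS challenge and any trial of it is made against the production CA and its rate limits. Use the same variable: `caserver = "{{ traefik_acme_server }}"`. Both resolvers also point at `storage = "/letsencrypt/acme.json"`; confirm the targeted Traefik v2.5 handles two resolvers sharing one storage file before relying on it. Unchanged from the deleted template but still worth noting: `[api] insecure = true` serves the dashboard and API without authentication on the `traefik` entrypoint, and with `network_mode: host` and an `address = ":{{ traefik_port_ui }}"` bind it is reachable on any host interface unless filtered elsewhere.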