diff --git a/ansible/host_vars/pve-docker/main.yml b/ansible/host_vars/pve-docker/main.yml index dfc549b..a53153a 100644 --- a/ansible/host_vars/pve-docker/main.yml +++ b/ansible/host_vars/pve-docker/main.yml @@ -1,5 +1,6 @@ private_ip: "{{ pve_hosts.docker.ip }}" +traefik_tls_challenge: true traefik_provider_jellyfin: true traefik_provider_homeassistant: true traefik_provider_grafana: true diff --git a/ansible/main.yml b/ansible/main.yml index 615ccc1..e00e9fb 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -49,6 +49,7 @@ - hosts: - pve-docker + - grimes roles: - traefik diff --git a/ansible/roles/traefik/defaults/main.yml b/ansible/roles/traefik/defaults/main.yml index e11f7e7..6352074 100644 --- a/ansible/roles/traefik/defaults/main.yml +++ b/ansible/roles/traefik/defaults/main.yml @@ -2,3 +2,4 @@ traefik_provider_jellyfin: false traefik_provider_homeassistant: false traefik_provider_grafana: false traefik_provider_uptime_kuma: false +traefik_tls_challenge: false diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index 8c73bba..8140821 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml @@ -3,7 +3,7 @@ services: image: traefik:v3 user: "{{ docker_user.id }}" environment: - - GANDIV5_PERSONAL_ACCESS_TOKEN={{ vault_gandi_personal_access_token }} + - GANDIV5_PERSONAL_ACCESS_TOKEN={{ vault_gandi_personal_access_token if traefik_tls_challenge else "" }} volumes: - ./traefik:/etc/traefik restart: unless-stopped diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index eae2061..e7a99d6 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml 
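Review bot: In the docker-compose.yml hunk, a host rendered with `traefik_tls_challenge` false still gets `GANDIV5_PERSONAL_ACCESS_TOKEN=` declared as an empty environment entry, because the conditional only blanks the value instead of dropping the line. Since the hunk shows this is the only `environment:` item, wrapping the whole stanza in a Jinja block — `{% if traefik_tls_challenge %}` before `environment:` and `{% endif %}` after the token line — would leave hosts without the DNS challenge with no trace of the Gandi credential at all. Whether the `acme-tls` resolver, which the traefik.yml hunks still define on every host, tolerates an empty provider token at startup is not visible here; confirm it on a host rendered with the flag off.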
@@ -6,11 +6,11 @@ entryPoints: entryPoint: to: web-secure scheme: https + {% if ansible_hostname == "docker" %} proxyProtocol: trustedIPs: - - "{{ wireguard.cidr }}" - - "{{ pve_hosts.internal_cidr }}" - - "{{ tailscale_cidr }}" + - "{{ pve_hosts.ingress.ip }}/32" + {% endif %} web-secure: address: :443 http: @@ -19,7 +19,8 @@ entryPoints: - compress@file - secure-headers@file tls: - certResolver: le + certResolver: "{{ 'acme-tls' if traefik_tls_challenge else 'acme-http' }}" + {% if traefik_tls_challenge %} domains: - main: theorangeone.net sans: ["*.theorangeone.net"] @@ -27,12 +28,15 @@ entryPoints: sans: ["*.jakehoward.tech"] - main: 0rng.one sans: ["*.0rng.one"] + {% endif %} + {% if ansible_hostname == "docker" %} proxyProtocol: trustedIPs: - "{{ pve_hosts.ingress.ip }}/32" forwardedHeaders: trustedIPs: - "{{ wireguard.server.ip }}/32" # This is obtained from the connecting `proxy_protocol` + {% endif %} transport: respondingTimeouts: readTimeout: 180s @@ -56,7 +60,7 @@ api: disableDashboardAd: true certificatesResolvers: - le: + acme-tls: acme: email: "{{ vault_letsencrypt_email }}" storage: /etc/traefik/acme.json @@ -66,6 +70,13 @@ certificatesResolvers: resolvers: - 9.9.9.9:53 - 149.112.112.112:53 + acme-http: + acme: + email: "{{ vault_letsencrypt_email }}" + storage: /etc/traefik/acme.json + httpChallenge: + entryPoint: web + serversTransport: insecureSkipVerify: true
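Review bot: The new `{% if ansible_hostname == "docker" %}` and `{% endif %}` lines are indented to match the surrounding YAML, and with Ansible's default template settings (`trim_blocks` on, `lstrip_blocks` off) that leading whitespace is kept while the tag's newline is removed, so it is prepended to the next line and shifts `proxyProtocol:` further right than intended; the same applies to the `{% if traefik_tls_challenge %}` tag in the `@@ -19,7` hunk and the two tags in the `@@ -27,12` hunk. Unless the role's template task already sets `lstrip_blocks: true` (not visible in this diff), either add that option or start each tag line at column 0, e.g. `{% if ansible_hostname == "docker" %}`. Separately, gating on `ansible_hostname` ties the trusted-IP blocks to the short hostname the target reports rather than to the `pve-docker` inventory name the play in `ansible/main.yml` uses; if the two ever diverge the blocks vanish silently, and the ingress's PROXY-protocol and forwarded-header trust would presumably be lost, so `inventory_hostname == "pve-docker"` is the more robust condition. A rendered-output check with `ansible-playbook --check --diff` on both hosts would catch either issue.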