diff --git a/config.yml b/config.yml
index be2915d..7fdf400 100644
--- a/config.yml
+++ b/config.yml
@@ -17,6 +17,7 @@ - role: cron_mail_redirect tags: cron_mail_redirect tags: common + - name: Configure router roles hosts: device_roles_router roles:
@@ -26,39 +27,29 @@ tags: dns_slave - role: gw tags: gw + - name: Configure backups hosts: tags_backup roles: - backed_up tags: backed_up + - name: Configure ssh gateways hosts: device_roles_ssh-gateway roles: - role: ssh_gateway tags: ssh_gateway -# - name: Configure containers dev -# hosts: CONTAINERS-1 -# roles: -# - role: docker -# tags: docker -# - role: containers_dev -# tags: containers_dev -# - name: Configure containers prod -# hosts: CONTAINERS-2 -# roles: -# - role: docker -# tags: docker -# - role: containers_prod -# tags: containers_prod -# - name: Configure containers secure -# hosts: CONTAINERS-3 -# roles: -# - role: docker -# tags: docker -# - role: containers_secure -# tags: containers_secure + - name: Configure VM hosts hosts: device_roles_lxd-host roles: - role: vms tags: vms + +- name: Configure containers-dev + hosts: CONTAINERS-1 + roles: + - role: docker + tags: docker + - role: docker_traefik + tags: docker-traefik
diff --git a/group_vars/all/docker.yml b/group_vars/all/docker.yml
new file mode 100644
index 0000000..ca921fa
--- /dev/null
+++ b/group_vars/all/docker.yml
@@ -0,0 +1,12 @@
+docker_user:
+ id: 3000
+ name: dockeruser
+
+docker_compose_file_mask: "664"
+docker_compose_directory_mask: "775"
+
+# HACK: Use compose-switch as the install for compose, so the commands still work.
+# Run this task manually, as version comparisons usually fail
+docker_compose_url: https://github.com/docker/compose-switch/releases/latest/download/docker-compose-linux-amd64
+
+docker_update_command: docker-compose pull && docker-compose down --remove-orphans && docker-compose rm && docker-compose up -d
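Review bot: The new play's second tag, `tags: docker-traefik`, uses a hyphen while the role it tags is `docker_traefik` and every other play in this file tags a role with the role's own name (`docker`, `vms`, `ssh_gateway`); `ansible-playbook --tags docker_traefik` will match nothing and nobody will notice. Change it to `tags: docker_traefik`. Both hunks of config.yml remain collapsed on one line in this rendering, so the context lines above the new play could not be split back out with certainty.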
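Review bot: `docker_compose_url` resolves to whatever GitHub serves as the latest compose-switch release at run time, and the `get_url` task in roles/docker/tasks/cleanup.yml that consumes it sets no `checksum`, so the binary dropped at /usr/local/bin/docker-compose is neither pinned nor integrity-checked. Pin the URL to a release tag and add `checksum: "sha256:<EXPECTED_SHA256>"` to that task; because get_url skips the download when the existing file already matches the checksum, this also replaces the "run this task manually" workaround described in the HACK comment.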
diff --git a/group_vars/all/traefik.yml b/group_vars/all/traefik.yml
new file mode 100644
index 0000000..ff11651
--- /dev/null
+++ b/group_vars/all/traefik.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63653162363038646532353937383833346135376466653335373236643764373533316661386635
+6364336361306333346437353030346536316264363633370a316263353739313731653236343834
+63393333353033613664663638306539643434643930346634323764633332666432373166343565
+6134313863653638650a303663333732623534386134346135636666383464323261373638376535
+30646135373133336263623766373831633664653838376431383766623831666136323966316432
+6535366130633530343263613236363338366666666464353437
diff --git a/host_vars/CONTAINERS-1/traefik.yml b/host_vars/CONTAINERS-1/traefik.yml
new file mode 100644
index 0000000..513ce09
--- /dev/null
+++ b/host_vars/CONTAINERS-1/traefik.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+30363737373163356362363264323963313966333966653238303166646336363336373334336333
+3536653965356531613433306631623965386564303632310a333264376565363130363033633234
+37663263346161343430396130343034653938666339323637383961383439346536393863656532
+3963653132613231660a333831316336316238323833386433313163643338303436383639336231
+30643238313564666332396661663437303237663761643339326134613336343430343034666139
+37373064333133383431316562613933613130343266353432306432636136613330333430396434
+37386533373264363439633261623933623136393137643436363633343334303732383434333431
+62626562323264356535316165383233383161353130633633356439353337303363313634643266
+6565
diff --git a/roles/containers_dev/tasks/containers.yml b/roles/containers_dev/tasks/containers.yml
deleted file mode 100644
index 80e078e..0000000
--- a/roles/containers_dev/tasks/containers.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Install git
- ansible.builtin.apt:
- name: git
- state: present
-
-- name: Checkout container configuration
- ansible.builtin.git:
- repo: git@github.com:sown/containers-dev-docker-config.git
- dest: /docker/managed
- version: master
-
-- name: Setup containers
- community.docker.docker_compose_v2:
- project_src: "{{ item }}"
- with_items:
- # setup utility containers first
- - /docker/managed/traefik
- # setup remaining containers
diff --git a/roles/containers_dev/tasks/main.yml b/roles/containers_dev/tasks/main.yml
deleted file mode 100644
index 5758196..0000000
--- a/roles/containers_dev/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: Configure containers
- import_tasks: containers.yml
diff --git a/roles/containers_prod/tasks/containers.yml b/roles/containers_prod/tasks/containers.yml
deleted file mode 100644
index 4dfa3d3..0000000
--- a/roles/containers_prod/tasks/containers.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: Install git
- ansible.builtin.apt:
- name: git
- state: present
-
-- name: Checkout container configuration
- ansible.builtin.git:
- repo: git@github.com:sown/containers-prod-docker-config.git
- dest: /docker
- version: master
-
-- name: Setup containers
- community.docker.docker_compose_v2:
- project_src: "{{ item }}"
- with_items:
- # setup utility containers first
- - /docker/traefik
- # setup remaining containers
- - /docker/suws_website_default
- - /docker/suws_wordpress
- - /docker/suws_wiki
- - /docker/prometheus
- - /docker/grafana
diff --git a/roles/containers_prod/tasks/main.yml b/roles/containers_prod/tasks/main.yml
deleted file mode 100644
index 5758196..0000000
--- a/roles/containers_prod/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: Configure containers
- import_tasks: containers.yml
diff --git a/roles/containers_secure/tasks/containers.yml b/roles/containers_secure/tasks/containers.yml
deleted file mode 100644
index f25e50b..0000000
--- a/roles/containers_secure/tasks/containers.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Install git
- ansible.builtin.apt:
- name: git
- state: present
-
-- name: Checkout container configuration
- ansible.builtin.git:
- repo: git@github.com:sown/containers-secure-docker-config.git
- dest: /docker
- version: master
-
-- name: Setup containers
- community.docker.docker_compose_v2:
- project_src: "{{ item }}"
- with_items:
- # setup utility containers first
- - /docker/traefik
- # setup remaining containers
diff --git a/roles/containers_secure/tasks/main.yml b/roles/containers_secure/tasks/main.yml
deleted file mode 100644
index 5758196..0000000
--- a/roles/containers_secure/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: Configure containers
- import_tasks: containers.yml
diff --git a/roles/docker/tasks/cleanup.yml b/roles/docker/tasks/cleanup.yml
new file mode 100644
index 0000000..be09e38
--- /dev/null
+++ b/roles/docker/tasks/cleanup.yml
@@ -0,0 +1,39 @@
+- name: Create install directory
+ file:
+ path: /usr/local/bin/
+ state: directory
+ mode: "0755"
+
+- name: Install compose-switch
+ get_url:
+ url: "{{ docker_compose_url }}"
+ dest: /usr/local/bin/docker-compose
+ mode: "0755"
+
+- name: Install python3-requests for ansible.community.docker
+ package:
+ name:
+ - python3-requests
+ state: present
+
+- name: Create docker group
+ group:
+ name: "{{ docker_user.name }}"
+ state: present
+ gid: "{{ docker_user.id }}"
+
+- name: Create docker user
+ user:
+ name: "{{ docker_user.name }}"
+ uid: "{{ docker_user.id }}"
+ group: "{{ docker_user.name }}"
+ create_home: false
+
+- name: Clean up docker containers
+ cron:
+ name: clean up docker containers
+ hour: 1
+ minute: 0
+ job: docker system prune -af --volumes
+ cron_file: docker_cleanup
+ user: root
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 9e4dc0c..bec17b2 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
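Review bot: The cron job `docker system prune -af --volumes` runs nightly as root and removes every image and every volume that is not attached to a running container at that moment, so any compose project that happens to be down at 01:00 (maintenance, a failed `up`, or the window opened by the `docker-compose down` in the Restart Traefik handler) loses its named volumes permanently. Drop `--volumes` unless these hosts are known to keep no state in volumes, and consider narrowing the image side with a filter such as `--filter "until=168h"` (value constructed as an example). Most of this file — the compose-switch download, the user and group creation — is not cleanup; moving those tasks to docker.yml, or renaming the file, would make `roles/docker/tasks/main.yml` read honestly. The task name `Install python3-requests for ansible.community.docker` names a collection that does not exist; the collection used here is `community.docker`.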
@@ -1,3 +1,5 @@ ---- - name: Configure docker import_tasks: docker.yml + +- name: Configure docker cleanup stuff + import_tasks: cleanup.yml
diff --git a/roles/docker_traefik/files/docker-compose.yml b/roles/docker_traefik/files/docker-compose.yml
new file mode 100644
index 0000000..80eb545
--- /dev/null
+++ b/roles/docker_traefik/files/docker-compose.yml
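Review bot: `Configure docker cleanup stuff` under-describes cleanup.yml, which also installs compose-switch and creates the docker user and group; name the import for what it does, e.g. `- name: Install compose-switch, docker user and cleanup cron`. The hunk also drops the `---` document-start marker that the deleted task files in this commit carried, while the new files omit it; pick one convention for the repository (yamllint's document-start rule expects the marker). The hunk is left collapsed on one line here because its context lines could not be separated from removed lines with certainty.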
@@ -0,0 +1,69 @@
+services:
+ traefik:
+ image: traefik:v2.11
+ user: "{{ docker_user.id }}"
+ volumes:
+ - ./traefik:/etc/traefik
+ restart: unless-stopped
+ ports:
+ - 80:80
+ - 443:443
+ depends_on:
+ - docker_proxy
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.traefik.rule=Host(`containers-dev.sown.org.uk`)
+ - traefik.http.services.traefik.loadbalancer.server.port=8080
+ - traefik.http.routers.traefik.tls.certresolver=le
+ - traefik.http.routers.traefik.middlewares=authentik
+ networks:
+ - default
+ - traefik
+ - proxy_private
+
+ docker_proxy:
+ image: lscr.io/linuxserver/socket-proxy:latest
+ restart: unless-stopped
+ environment:
+ - CONTAINERS=1
+ - INFO=1
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ networks:
+ - proxy_private
+ tmpfs:
+ - /run
+ logging:
+ driver: none
+ certs:
+ image: slocomptech/traefik-cert-extract:latest
+ restart: unless-stopped
+ networks: []
+ volumes:
+ - ./traefik:/data:ro
+ - ./certs:/config/certs
+ logging:
+ driver: none
+
+ authentik-proxy:
+ image: ghcr.io/goauthentik/proxy
+ environment:
+ - AUTHENTIK_HOST=https://sso.sown.org.uk
+ - AUTHENTIK_TOKEN={{ vault_authentik_proxy_token }}
+ labels:
+ - traefik.enable=true
+ - traefik.port=9000
+ - traefik.http.routers.authentik-proxy.rule=PathPrefix(`/outpost.goauthentik.io/`)
+ - traefik.http.routers.authentik-proxy.tls.certresolver=le
+ - traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
+ - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true
+ - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+ networks:
+ - default
+ - traefik
+
+networks:
+ traefik:
+ external: true
+ proxy_private:
+ internal: true
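Review bot: The `traefik.port=9000` label on authentik-proxy is the Traefik v1 label form; the traefik:v2.11 image configured here does not recognise it, and unless the proxy image exposes exactly one port the router will have no usable backend port. Replace it with `traefik.http.services.authentik-proxy.loadbalancer.server.port=9000`. authentik-proxy is also the only service without `restart: unless-stopped`, so after a host reboot the `authentik` forwardauth middleware points at a stopped container and every protected route returns errors until someone restarts it by hand; add the same policy. The port mappings are best quoted (`"80:80"`, `"443:443"`) so that YAML 1.1 tooling cannot read them as sexagesimal integers, and the `ghcr.io/goauthentik/proxy` image is the only one with no tag, which makes the outpost version drift independently of the server it talks to.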
diff --git a/roles/docker_traefik/files/traefik.yml b/roles/docker_traefik/files/traefik.yml
new file mode 100644
index 0000000..cd94c8c
--- /dev/null
+++ b/roles/docker_traefik/files/traefik.yml
@@ -0,0 +1,52 @@
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: web-secure
+ scheme: https
+ web-secure:
+ address: :443
+
+ traefik:
+ address: :8080
+
+ping: {}
+
+providers:
+ docker:
+ endpoint: tcp://docker_proxy:2375
+ watch: true
+ exposedByDefault: false
+ network: traefik
+ file:
+ directory: /etc/traefik/conf
+
+api:
+ dashboard: true
+ insecure: true
+
+certificatesResolvers:
+ le:
+ acme:
+ email: "{{ vault_letsencrypt_email }}"
+ storage: /etc/traefik/acme.json
+ caServer: https://acme-v02.api.letsencrypt.org/directory
+ httpChallenge:
+ entryPoint: web
+
+serversTransport:
+ insecureSkipVerify: true
+
+metrics:
+ prometheus:
+ entryPoint: traefik
+
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+
+pilot:
+ dashboard: false
diff --git a/roles/docker_traefik/handlers/main.yml b/roles/docker_traefik/handlers/main.yml
new file mode 100644
index 0000000..2f2b1c6
--- /dev/null
+++ b/roles/docker_traefik/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart Traefik # noqa: no-changed-when
+ command:
+ chdir: /opt/traefik
+ cmd: "{{ docker_update_command }}"
diff --git a/roles/docker_traefik/tasks/main.yml b/roles/docker_traefik/tasks/main.yml
new file mode 100644
index 0000000..714023f
--- /dev/null
+++ b/roles/docker_traefik/tasks/main.yml
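Review bot: `api: insecure: true` serves the API and dashboard unauthenticated on the `traefik` entrypoint (:8080); the compose file does not publish that port to the host, but every container on the `default` and `traefik` networks can read the full routing configuration from it, which bypasses the authentik middleware placed in front of the dashboard router. Set `insecure: false` and route the dashboard to the internal service with the label `traefik.http.routers.traefik.service=api@internal` in docker-compose.yml (the `loadbalancer.server.port=8080` label then goes away). `serversTransport: insecureSkipVerify: true` disables certificate verification for every HTTPS backend globally; declare a named `serversTransports` entry in dynamic configuration for the specific backends that need it and reference it from those services only. `tls.options` is dynamic configuration in Traefik v2 and, as far as I can tell, is not accepted in the static file — move that stanza into a file under `/etc/traefik/conf`, the directory the file provider is configured to read, or the TLS 1.2 minimum is not applied.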
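Review bot: The handler passes `{{ docker_update_command }}` — a `&&` chain (`docker-compose pull && docker-compose down --remove-orphans && ...`, defined in group_vars/all/docker.yml) — to the `command` module, which does not run through a shell, so `&&` and everything after it are handed to `docker-compose pull` as literal arguments and the stack is never restarted. Use `ansible.builtin.shell:` with the same `chdir` and `cmd`, or split the chain into separate handler tasks that listen on one topic; the `# noqa: no-changed-when` annotation then still applies.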
@@ -0,0 +1,44 @@
+- name: Create network
+ community.docker.docker_network:
+ name: traefik
+ internal: true
+
+- name: Create install directory
+ file:
+ path: /opt/traefik
+ state: directory
+ owner: "{{ docker_user.name }}"
+ mode: "{{ docker_compose_directory_mask }}"
+
+- name: Create config directory
+ file:
+ path: /opt/traefik/traefik/
+ state: directory
+ mode: "{{ docker_compose_directory_mask }}"
+ owner: "{{ docker_user.name }}"
+
+- name: Create file provider directory
+ file:
+ path: /opt/traefik/traefik/conf
+ state: directory
+ mode: "{{ docker_compose_directory_mask }}"
+ owner: "{{ docker_user.name }}"
+
+- name: Install compose file
+ template:
+ src: files/docker-compose.yml
+ dest: /opt/traefik/docker-compose.yml
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ validate: docker-compose -f %s config
+ notify: Restart Traefik
+
+- name: Install config
+ template:
+ src: files/traefik.yml
+ dest: /opt/traefik/traefik/traefik.yml
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ lstrip_blocks: true
+ trim_blocks: true
+ notify: Restart Traefik
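Review bot: The rendered compose file embeds `vault_authentik_proxy_token` in clear text (the `AUTHENTIK_TOKEN=` environment entry in roles/docker_traefik/files/docker-compose.yml), yet the "Install compose file" task writes it with `docker_compose_file_mask`, which group_vars sets to `664`, so the outpost token is readable by every local account on the host. Give that template an explicit `mode: "0640"` (or `"0600"`) instead of the shared mask, and reconsider whether the `775` directories need to be world-accessible at all. Style: this file mixes the FQCN `community.docker.docker_network` with short module names (`file`, `template`) while the deleted role files used `ansible.builtin.*`; `ansible.builtin.file` and `ansible.builtin.template` would keep that convention. `template:` sources conventionally live in `templates/` with a `.j2` suffix; `src: files/docker-compose.yml` works but misleads readers and linters into treating the files as static copies.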