diff --git a/hosts/sora/services/traefik.nix b/hosts/sora/services/traefik.nix
index bc6067f..fc6c0d6 100644
--- a/hosts/sora/services/traefik.nix
+++ b/hosts/sora/services/traefik.nix
@@ -22,10 +22,16 @@
         };
       };
       http = {
-        middlewares.authelia = {
-          forwardauth = {
-            address = "http://100.121.201.47:9091/api/verify?rd=https://passport.notohh.dev/";
-            trustForwardHeader = true;
+        middlewares = {
+          authelia = {
+            forwardauth = {
+              address = "http://100.121.201.47:9091/api/verify?rd=https://passport.notohh.dev/";
+              trustForwardHeader = true;
+            };
+          };
+          redirect-to-https = {
+            redirectscheme.scheme = "https";
+            redirectscheme.permanent = true;
           };
         };
         routers = {
@@ -34,6 +40,12 @@
             entrypoints = ["websecure"];
             service = "api@internal";
           };
+          uptime-kuma-insecure = {
+            rule = "Host(`status.flake.sh`)";
+            entrypoints = ["web"];
+            service = "uptime-kuma";
+            middlewares = "redirect-to-https";
+          };
           uptime-kuma = {
             rule = "Host(`status.flake.sh`)";
             entrypoints = ["websecure"];
@@ -41,6 +53,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          gotify-insecure = {
+            rule = "Host(`gotify.flake.sh`)";
+            entrypoints = ["web"];
+            service = "gotify";
+            middlewares = "redirect-to-https";
+          };
           gotify = {
             rule = "Host(`gotify.flake.sh`)";
             entrypoints = ["websecure"];
@@ -48,6 +66,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          conduit-insecure = {
+            rule = "Host(`matrix.flake.sh`)";
+            entrypoints = ["web"];
+            service = "conduit";
+            middlewares = "redirect-to-https";
+          };
           conduit = {
             rule = "Host(`matrix.flake.sh`)";
             entrypoints = ["websecure"];
@@ -55,6 +79,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          authelia-insecure = {
+            rule = "Host(`passport.notohh.dev`)";
+            entrypoints = ["web"];
+            service = "authelia";
+            middlewares = "redirect-to-https";
+          };
           authelia = {
             rule = "Host(`passport.notohh.dev`)";
             entrypoints = ["websecure"];
@@ -62,6 +92,12 @@
             tls.domains = [{main = "*.notohh.dev";}];
             tls.certresolver = "production";
           };
+          foundryvtt-insecure = {
+            rule = "Host(`foundry.flake.sh`)";
+            entrypoints = ["web"];
+            service = "authelia";
+            middlewares = "redirect-to-https";
+          };
           foundryvtt = {
             rule = "Host(`foundry.flake.sh`)";
             entrypoints = ["websecure"];
@@ -69,6 +105,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          forgejo-insecure = {
+            rule = "Host(`git.flake.sh`)";
+            entrypoints = ["web"];
+            service = "forgejo";
+            middlewares = "redirect-to-https";
+          };
           forgejo = {
             rule = "Host(`git.flake.sh`)";
             entrypoints = ["websecure"];
@@ -76,6 +118,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          rustypaste-insecure = {
+            rule = "Host(`i.flake.sh`)";
+            entrypoints = ["web"];
+            service = "rustypaste";
+            middlewares = "redirect-to-https";
+          };
           rustypaste = {
             rule = "Host(`i.flake.sh`)";
             entrypoints = ["websecure"];
@@ -83,6 +131,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          grafana-insecure = {
+            rule = "Host(`metrics.flake.sh`)";
+            entrypoints = ["web"];
+            service = "grafana";
+            middlewares = "redirect-to-https";
+          };
           grafana = {
             rule = "Host(`metrics.flake.sh`)";
             entrypoints = ["websecure"];
@@ -90,6 +144,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          hedgedoc-insecure = {
+            rule = "Host(`scratch.flake.sh`)";
+            entrypoints = ["web"];
+            service = "hedgedoc";
+            middlewares = "redirect-to-https";
+          };
           hedgedoc = {
             rule = "Host(`scratch.flake.sh`)";
             entrypoints = ["websecure"];
@@ -97,6 +157,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          vaultwarden-insecure = {
+            rule = "Host(`vault.flake.sh`)";
+            entrypoints = ["web"];
+            service = "vaultwarden";
+            middlewares = "redirect-to-https";
+          };
           vaultwarden = {
             rule = "Host(`vault.flake.sh`)";
             entrypoints = ["websecure"];
@@ -104,6 +170,12 @@
             tls.domains = [{main = "*.flake.sh";}];
             tls.certresolver = "production";
           };
+          searxng-insecure = {
+            rule = "Host(`search.flake.sh`)";
+            entrypoints = ["web"];
+            service = "searxng";
+            middlewares = "redirect-to-https";
+          };
           searxng = {
             rule = "Host(`search.flake.sh`)";
             entrypoints = ["websecure"];