diff --git a/.gitignore b/.gitignore
index b5b9d47..a91c288 100644
--- a/.gitignore
+++ b/.gitignore
@@ -205,3 +205,4 @@ cython_debug/
 #.idea/
 .decrypt-pass.txt
+.become-pass.txt
diff --git a/.justfile b/.justfile
index 2bed613..ed7e387 100644
--- a/.justfile
+++ b/.justfile
@@ -1,8 +1,9 @@
 export ANSIBLE_VAULT_PASSWORD_FILE := ".decrypt-pass.txt"
+export ANSIBLE_BECOME_PASSWORD_FILE := ".become-pass.txt"
 # Debug output, disabled in CI
 export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
-export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
+# export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
 play +ARGS:
diff --git a/hosts/inventory.yaml b/hosts/inventory.yaml
index 8793944..1332003 100644
--- a/hosts/inventory.yaml
+++ b/hosts/inventory.yaml
@@ -1,4 +1,6 @@
 homelab:
+ vars:
+ ansible_become_method: doas
 children:
 docker:
diff --git a/playbooks/teardown/docker.yaml b/playbooks/teardown/docker.yaml
index a0b4a74..62ee565 100644
--- a/playbooks/teardown/docker.yaml
+++ b/playbooks/teardown/docker.yaml
@@ -35,3 +35,15 @@
 networks: true
 builder_cache: true
+ - name: Remove network interface
+ become: true
+ ansible.builtin.command:
+ cmd: ip link delete docker_gwbridge
+ when: ansible_facts['interfaces'] | select('match', 'docker_gwbridge') | list | length > 0
+
+ - name: Restart docker
+ become: true
+ ansible.builtin.service:
+ name: docker
+ state: restarted
+
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index 93936b6..97801ca 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
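Review bot: `export ANSIBLE_BECOME_PASSWORD_FILE := ".become-pass.txt"` points privilege escalation at a second plaintext secret in the working tree, and nothing in the justfile documents how that file must be handled; `.decrypt-pass.txt` already had the same gap, but this line doubles the exposure. A one-line comment above the export would save the next person from committing or world-readable-creating it, e.g. `# .become-pass.txt: plaintext become (doas) password, create with mode 0600; listed in .gitignore, never commit`. Whether the CI environment also supplies this file is not visible here; if it does not, the `play` recipe will fail there rather than on the laptop.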
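Review bot: The guard on `Remove network interface` uses `select('match', 'docker_gwbridge')`, which is a regex prefix match over every interface name rather than an exact check, and the `ansible.builtin.command` task has no `changed_when`, so every run where the guard passes is reported as a change. A membership test is exact and shorter: `when: "'docker_gwbridge' in ansible_facts['interfaces']"`. If the interface can be recreated between fact gathering and this task, the `when` is racing against the docker teardown above it, but that depends on what the earlier tasks in this play do, which is outside the hunk.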
@@ -16,7 +16,7 @@
 ansible.posix.authorized_key:
 user: "{{ item.key }}"
 state: present
- exclusive: true
+ exclusive: false
 key: "{{ lookup('file', item.value.ssh_keys.pub) }}"
 key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.key == 'robo' else omit }}"
@@ -27,6 +27,15 @@
 current_user: "{{ users[user_name] | default(None) }}"
 when: current_user
 block:
+ - name: Creates directory
+ run_once: True
+ local_action:
+ module: file
+ path: "{{ user_dir }}/.ssh/credentials"
+ state: directory
+ owner: "{{ user_name }}"
+ group: "{{ user_name }}"
+
 - name: Save SSH Key in localhost
 run_once: True
 local_action:
diff --git a/roles/docker/tasks/docker_alpine.yaml b/roles/docker/tasks/docker_alpine.yaml
index b73338b..58fe2f2 100644
--- a/roles/docker/tasks/docker_alpine.yaml
+++ b/roles/docker/tasks/docker_alpine.yaml
@@ -19,3 +19,11 @@
 owner: root
 group: root
+- name: Enable TCP access to Docker daemon
+ when: "'docker_managers' in group_names"
+ lineinfile:
+ path: /etc/conf.d/docker
+ create: yes
+ line: 'DOCKER_OPTS="-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"'
+ notify:
+ - Restart docker
diff --git a/roles/docker/tasks/swarm_manager.yaml b/roles/docker/tasks/swarm_manager.yaml
index d9dd926..0322887 100644
--- a/roles/docker/tasks/swarm_manager.yaml
+++ b/roles/docker/tasks/swarm_manager.yaml
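Review bot: Changing `exclusive: true` to `exclusive: false` means `authorized_key` no longer removes keys absent from the managed set, so a key rotated out of `item.value.ssh_keys.pub`, or one added to the host by hand, stays valid indefinitely, and the commit adds no task that revokes old keys. If tolerating keys outside Ansible's control is intended, record that on the line so the next reader does not restore the old value by accident, e.g. `exclusive: false  # keep keys added outside Ansible; revoke retired keys with a separate state: absent task`. Note also that the `command=` restriction built for `robo` applies only to the key managed here, so any pre-existing `robo` key without it keeps unrestricted access. The task's `name` and `loop` are above the hunk.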
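Review bot: The new `Creates directory` task creates `{{ user_dir }}/.ssh/credentials` on the controller with `owner` and `group` but no `mode`, so the directory gets the controller's umask default even though the following task (`Save SSH Key in localhost`) writes key material into it. Add `mode: '0700'` next to `state: directory` so only `user_name` can list or read it. Setting `owner`/`group` via a local `file` call also needs chown rights on the controller; the task sets no `become`, so presumably this only works when the play is run as that user or as root, which is worth stating in the task name or a comment. The name itself would read better as `Create credentials directory`.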
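Review bot: `DOCKER_OPTS="-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"` exposes the Docker Engine API on every interface of each `docker_managers` host with neither TLS nor authentication, which is root-equivalent control of the node and, on a manager, of the whole swarm; the commit adds no firewall rule or TLS setup alongside it. The consumer added in `swarm_manager.yaml` connects to `{{ ansible_default_ipv4.address }}:2375`, so the daemon could at least bind to that address instead of `0.0.0.0`, and the real fix is TLS on the daemon (`--tlsverify` with `--tlscacert`/`--tlscert`/`--tlskey`) or going back to mounting the unix socket as the removed compose definition did. Separately, `lineinfile` with `line` but no `regexp` appends a second `DOCKER_OPTS=` assignment if `/etc/conf.d/docker` already has one; add `regexp: '^#?DOCKER_OPTS='` so the task replaces the existing setting instead of accumulating lines. The handler `Restart docker` is defined elsewhere in the role and is not visible here.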
@@ -4,78 +4,54 @@
 register: swarm_info
 community.docker.docker_swarm:
 state: present
+ # default_addr_pool:
+ # - 10.10.0.0/24
-- name: Create Traefik network
- community.docker.docker_network:
- name: reverse-proxy
- driver: overlay
- attachable: true
-
-- name: Check if Docker context exists
- local_action: ansible.builtin.command docker context inspect {{ ansible_hostname }}
- register: context_exists
- ignore_errors: true
+- name: Disable workload on managers
+ community.docker.docker_node:
+ hostname: "{{ ansible_hostname }}"
+ role: manager
+ availability: drain
 - name: Create Docker context for each Swarm manager machine
+ ignore_errors: true
 local_action: >
 ansible.builtin.command docker context create {{ ansible_hostname }}
 --docker "host=ssh://{{ ansible_default_ipv4.address }}"
- when: context_exists.stderr != ''
 - name: Deploy Traefik service
- community.docker.docker_compose_v2:
- remove_orphans: true
- project_name: reverse-proxy
- definition:
- networks:
- reverse-proxy:
- external: true
- services:
- traefik:
- container_name: traefix-proxy
- image: 'traefik:latest'
- restart: unless-stopped
- networks:
- - reverse-proxy
- ports:
- # listen on host ports without ingress network
- - target: 80
- published: 80
- protocol: tcp
- mode: host
- - target: 443
- published: 443
- protocol: tcp
- mode: host
- - target: 8080
- published: 8080
- protocol: tcp
- mode: host
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- healthcheck:
- test: 'wget -qO- http://localhost:80/ping || exit 1'
- interval: 4s
- timeout: 2s
- retries: 5
- command:
- - '--ping=true'
- - '--ping.entrypoint=http'
- - '--api.dashboard=true'
- - '--api.insecure=true'
- - '--entrypoints.http.address=:80'
- - '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.10.0/24'
- - '--entrypoints.http.http.encodequerysemicolons=true'
- - '--entryPoints.http.http2.maxConcurrentStreams=50'
- # - "--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375"
- - --providers.swarm.exposedByDefault=false
- - --providers.swarm.network=reverse-proxy
- deploy:
- mode: global
- placement:
- constraints:
- - node.role==manager
- labels:
- - traefik.enable=true
- - traefik.http.routers.traefik.entrypoints=http
- - traefik.http.routers.traefik.service=api@internal
- - traefik.http.services.traefik.loadbalancer.server.port=8080
+ community.docker.docker_stack:
+ prune: true
+ name: reverse_proxy
+ compose:
+ - services:
+ traefik:
+ image: 'traefik:v3.2'
+ restart: unless-stopped
+ deploy:
+ mode: global
+ ports:
+ # listen on host ports without ingress network
+ - target: 80
+ published: 80
+ protocol: tcp
+ mode: host
+ - target: 443
+ published: 443
+ protocol: tcp
+ mode: host
+ - target: 8080
+ published: 8080
+ protocol: tcp
+ mode: host
+ command:
+ - '--log.level=DEBUG'
+ - '--api.dashboard=true'
+ - '--api.insecure=true'
+ - '--entrypoints.http.address=:80'
+ - '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.10.0/24'
+ - '--entrypoints.http.http.encodequerysemicolons=true'
+ - '--entryPoints.http.http2.maxConcurrentStreams=50'
+ - '--providers.swarm=true'
+ - '--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375'
+ - '--providers.swarm.exposedByDefault=false'
+ - '--providers.swarm.useBindPortIP=true'
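Review bot: The new `command:` list keeps `--api.insecure=true` while port 8080 is published in `mode: host` and the service runs with `deploy.mode: global` and no `placement` constraint, so with managers drained by the `Disable workload on managers` task the unauthenticated Traefik API and dashboard presumably end up on every worker's host address; `--log.level=DEBUG` on top of that logs request detail in a production path. Drop `--api.insecure=true` and the 8080 host publish, and expose the dashboard through a router with an auth middleware, or at least lower the level to `INFO`. The provider endpoint `tcp://{{ ansible_default_ipv4.address }}:2375` is the plaintext daemon port opened in `docker_alpine.yaml`; if TLS is enabled there, this service needs the matching `--providers.swarm.tls.ca`/`cert`/`key` options, and a `healthcheck` like the one the removed definition had would catch a provider that cannot reach it. Note that `restart: unless-stopped` is a compose-file key that `docker stack deploy` ignores; in swarm the equivalent is `deploy.restart_policy.condition`.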