diff --git a/compose.yaml b/compose.yaml
index 82301e4..ea8ec37 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,33 +1,5 @@
 # Production compose stack for hamprint.
 #
-# What changed from the previous bind-mount / pip-at-runtime version:
-# - `web` is now BUILT from the Containerfile in this repo. Everything
-# (Python deps, the Tailwind CLI binary, the built CSS, collectstatic
-# output) bakes into the image; nothing is installed at container start.
-# - No host source bind-mount: the container ships its own /app. Code
-# changes require a `podman-compose up -d --build web`.
-# - `DJANGO_SETTINGS_MODULE=hamprint.settings.prod` (DEBUG off, secure
-# cookies, HSTS). DEBUG=True traffic should run from the host venv,
-# not from this stack.
-# - Uploaded STLs persist in a named `media` volume so they survive
-# `podman-compose down` / image rebuilds. Drop with `down -v`.
-#
-# Bring it up: podman-compose up -d --build
-# Rebuild only web: podman-compose up -d --build web
-# Logs: podman-compose logs -f web
-# Tear down: podman-compose down # keeps pgdata + media
-# podman-compose down -v # nukes both volumes too
-#
-# `.env` keys you'll want set (see `.env.example` for the full list):
-# SECRET_KEY - long random string
-# ALLOWED_HOSTS - e.g. "print.hamlab.lt,localhost"
-# SITE_URL - e.g. "https://print.hamlab.lt" (for emails)
-# POSTGRES_DB / _USER / _PASSWORD
-# MAILTRAP_API_TOKEN (+ MAILTRAP_TEST_INBOX_ID for sandbox)
-# GOOGLE_CLIENT_ID / _SECRET (optional; only if Google sign-in is wanted)
-#
-# TLS termination is the upstream proxy's job -- the `web` container speaks
-# plain HTTP on its mapped host port (default 8000).
 services:
 db:
@@ -59,6 +31,17 @@ services:
 - "8000:8000"
 volumes:
 - media:/app/media
+ labels:
+ traefik.enable: "true"
+ traefik.http.routers.hamprint.rule: "Host(`print.hamlab.lt`)"
+ traefik.http.middlewares.hamprint-https-redirect.redirectscheme.scheme: "https"
+ traefik.http.routers.hamprint.middlewares: "hamprint-https-redirect"
+ traefik.http.routers.hamprint-secure.entrypoints: "https"
+ traefik.http.routers.hamprint-secure.rule: "Host(`print.hamlab.lt`)"
+ traefik.http.routers.hamprint-secure.tls: "true"
+ traefik.http.routers.hamprint-secure.tls.certresolver: "lets-encrypt"
+ traefik.http.services.hamprint.loadbalancer.server.port: "8000"
+
 depends_on:
 db:
 condition: service_healthy
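Review bot: The context line `- "8000:8000"` just above the new `labels:` block still publishes the app's plain-HTTP port on the host, so any client that can reach the host on port 8000 bypasses both the `hamprint-secure` TLS router and the `hamprint-https-redirect` middleware. If Traefik reaches the container over a shared network, that mapping can be dropped, or at least bound to loopback as `- "127.0.0.1:8000:8000"`. The `hamprint` router also carries no `entrypoints` label, so it attaches to every entrypoint Traefik treats as default; pinning it to the plain-HTTP entrypoint (its name is not shown in this diff) would keep the redirect rule scoped to port 80 traffic. The `web` service definition starts above this hunk, so whether a Traefik-facing network is attached cannot be confirmed from here.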