diff --git a/roles/infra/files/http.socket b/roles/infra/files/http.socket new file mode 100644 index 0000000..0759995 --- /dev/null +++ b/roles/infra/files/http.socket @@ -0,0 +1,7 @@ +[Socket] +ListenStream=80 +FileDescriptorName=http +Service=traefik.service + +[Install] +WantedBy=sockets.target diff --git a/roles/infra/files/https.socket b/roles/infra/files/https.socket new file mode 100644 index 0000000..032c137 --- /dev/null +++ b/roles/infra/files/https.socket @@ -0,0 +1,7 @@ +[Socket] +ListenStream=443 +FileDescriptorName=https +Service=traefik.service + +[Install] +WantedBy=sockets.target diff --git a/roles/infra/tasks/traefik.yml b/roles/infra/tasks/traefik.yml index ce41119..1ba091b 100644 --- a/roles/infra/tasks/traefik.yml +++ b/roles/infra/tasks/traefik.yml @@ -2,6 +2,18 @@ --- # tasks file for traefik +- name: Create systemd user directory + ansible.builtin.file: + path: ~/.config/systemd/user + state: directory + mode: "0755" + +- name: Create podman quadlet directory + ansible.builtin.file: + path: ~/.config/containers/systemd + state: directory + mode: "0755" + - name: Create acme file ansible.builtin.file: path: "~/{{ infra_acme.storage }}" 
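Review bot: `ListenStream=80` is bound by the per-user systemd instance (the unit is installed under ~/.config/systemd/user), which cannot bind a port below 1024 on a default Linux kernel, and nothing in this commit lowers `net.ipv4.ip_unprivileged_port_start`; https.socket's `ListenStream=443` has the same dependency, and the `Activate traefik sockets` task in roles/infra/tasks/traefik.yml is where the failure would surface. The previous rootless `80:80` port mapping needed the same sysctl, so it may already be managed elsewhere in the role, but that is not visible here. A comment at the top of both socket units would record the assumption: `# user-scope unit: needs net.ipv4.ip_unprivileged_port_start <= 80 on the host`. Note also that the bare port form listens on every interface, which is presumably intended for a public reverse proxy; write `ListenStream=<address>:80` if it should be narrower.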
@@ -15,40 +27,54 @@ enabled: true scope: user -- name: Create main traefik container - containers.podman.podman_container: - name: traefik - image: docker.io/library/traefik:latest - ports: - - "80:80" - - "443:443" - - "8080:8080" - network: - - podman - security_opt: - - "label=type:container_runtime_t" - volumes: - - "/run/user/1000/podman/podman.sock:/var/run/docker.sock:z" - - "/home/apps/acme.json:/acme.json:z" - command: >- - --api.dashboard=true - --api.insecure=true - --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} - --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} - --certificatesresolvers.lets-encrypt.acme.tlschallenge=true - --entrypoints.http.address=:80 - --entrypoints.http.http.redirections.entryPoint.to=https - --entrypoints.http.http.redirections.entryPoint.scheme=https - --entrypoints.https.address=:443 - --providers.docker=true - generate_systemd: - new: true - restart_policy: "always" - path: "~/.config/systemd/user/" - -- name: Activate traefik container service +- name: Stop legacy generated traefik service ansible.builtin.systemd_service: name: container-traefik.service + state: stopped + enabled: false + scope: user + failed_when: false + +- name: Remove legacy generated traefik service + ansible.builtin.file: + path: ~/.config/systemd/user/container-traefik.service + state: absent + +- name: Install traefik http socket + ansible.builtin.copy: + src: http.socket + dest: ~/.config/systemd/user/http.socket + mode: "0644" + +- name: Install traefik https socket + ansible.builtin.copy: + src: https.socket + dest: ~/.config/systemd/user/https.socket + mode: "0644" + +- name: Install traefik quadlet + ansible.builtin.template: + src: traefik.container.j2 + dest: ~/.config/containers/systemd/traefik.container + mode: "0644" + +- name: Reload systemd user units + ansible.builtin.systemd_service: + daemon_reload: true + scope: user + +- name: Activate traefik sockets + ansible.builtin.systemd_service: 
+ name: "{{ item }}" state: started enabled: true scope: user + loop: + - http.socket + - https.socket + +- name: Activate traefik service + ansible.builtin.systemd_service: + name: traefik.service + state: started + scope: user diff --git a/roles/infra/templates/traefik.container.j2 b/roles/infra/templates/traefik.container.j2 new file mode 100644 index 0000000..80bcc24 --- /dev/null +++ b/roles/infra/templates/traefik.container.j2 @@ -0,0 +1,18 @@ +[Unit] +After=podman.socket http.socket https.socket +Requires=podman.socket http.socket https.socket + +[Service] +Sockets=http.socket https.socket +Restart=always + +[Container] +ContainerName=traefik +Image=docker.io/library/traefik:latest +Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true +Network=podman +Notify=true +PublishPort=8080:8080 +SecurityLabelDisable=true +Volume=%t/podman/podman.sock:/var/run/docker.sock +Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z
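Review bot: `failed_when: false` on `Stop legacy generated traefik service` also hides failures that are not "unit does not exist" — an unreachable user bus or a typo in the unit name passes silently, and the following `Remove legacy generated traefik service` then deletes the unit file of a possibly still-running container. Gating the stop on whether the legacy unit file is present keeps the best-effort cleanup without masking real errors. Separately, `Activate traefik service` starts `traefik.service` without `enabled`, which is correct for a Quadlet-generated unit (systemctl cannot enable it); since the .container template carries no `[Install]` section, the service only comes up at boot through the enabled sockets, which deserves a comment on that task: `# Quadlet units cannot be enabled; the sockets above start it on demand`.
```yaml
- name: Check for legacy generated traefik service
  ansible.builtin.stat:
    path: ~/.config/systemd/user/container-traefik.service
  register: legacy_traefik_unit

- name: Stop legacy generated traefik service
  ansible.builtin.systemd_service:
    name: container-traefik.service
    state: stopped
    enabled: false
    scope: user
  when: legacy_traefik_unit.stat.exists
# … unchanged: remove / install / reload / activate tasks …
```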
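Review bot: `SecurityLabelDisable=true` switches SELinux confinement off for the container, whereas the task this replaces pinned it to `label=type:container_runtime_t`; the Quadlet equivalent is `SecurityLabelType=container_runtime_t` (the old unit paired that type with `:z` on the podman socket mount, which this `Volume=` line drops), and disabling labeling removes the only MAC boundary around a process that also holds the Podman API socket. `PublishPort=8080:8080` together with `--api.insecure=true` exposes the unauthenticated dashboard and API on every interface; `PublishPort=127.0.0.1:8080:8080` keeps it host-local, or drop `--api.insecure=true` and serve the dashboard through an authenticated router. `Image=docker.io/library/traefik:latest` is now load-bearing in a new way: the bare `--entrypoints.http`/`--entrypoints.https` flags without `.address=` rely on Traefik picking up the inherited sockets by `FileDescriptorName`, which as far as I can tell only releases with socket-activation support do, so a pinned tag or digest would state the minimum version instead of leaving it to whatever `latest` resolves to. A header comment naming that dependency, e.g. `# entrypoints http/https are socket-activated: names must match FileDescriptorName= in the .socket units`, would help the next reader.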