diff --git a/docker-stack.yml b/docker-stack.yml
index d90a240..4f2698a 100644
--- a/docker-stack.yml
+++ b/docker-stack.yml
@@ -4,33 +4,60 @@ services: traefik: image: traefik:v2.9.1 networks: - - ocis-net + ocis-net: + aliases: + - ${OCIS_DOMAIN:-ocis.owncloud.test} + - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test} + - ${COLLABORA_DOMAIN:-collabora.owncloud.test} + - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test} command: - - --log.level=INFO - - --api.dashboard=true - - --api.insecure=false - - --providers.docker=true - - --providers.docker.swarmMode=true - - --providers.docker.exposedByDefault=false - - --entrypoints.web.address=:80 - - --entrypoints.websecure.address=:443 - - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true - - --certificatesresolvers.mytlschallenge.acme.email=${TRAEFIK_ACME_MAIL} - - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json + - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" + # letsencrypt configuration + - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" + - "--certificatesResolvers.http.acme.storage=/certs/acme.json" + - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" + # enable dashboard + - "--api.dashboard=true" + # define entrypoints + - "--entryPoints.http.address=:80" + - "--entryPoints.http.http.redirections.entryPoint.to=https" + - "--entryPoints.http.http.redirections.entryPoint.scheme=https" + - "--entryPoints.https.address=:443" + # docker provider (get configuration from container labels) + - "--providers.docker.endpoint=unix:///var/run/docker.sock" + - "--providers.docker.exposedByDefault=false" + # access log + - "--accessLog=true" + - "--accessLog.format=json" + - "--accessLog.fields.headers.names.X-Request-Id=keep" + # - --log.level=INFO + # - --api.dashboard=true + # - --api.insecure=false + # - --providers.docker=true + # - --providers.docker.swarmMode=true + # - --providers.docker.exposedByDefault=false + # - --entrypoints.web.address=:80 + # - --entrypoints.websecure.address=:443 + # - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true + 
# - --certificatesresolvers.mytlschallenge.acme.email=${TRAEFIK_ACME_MAIL} + # - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json ports: - "80:80" - "443:443" volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - traefik_certs:/letsencrypt + - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "certs:/certs" + logging: + driver: "local" deploy: labels: - - traefik.enable=true - - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN}`) - - traefik.http.routers.traefik.service=api@internal - - traefik.http.routers.traefik.entrypoints=websecure - - traefik.http.routers.traefik.tls.certresolver=mytlschallenge - - traefik.http.services.traefik.loadbalancer.server.port=8080 # Specify Traefik service port + - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" + - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin + - "traefik.http.routers.traefik.entrypoints=https" + - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" + - "traefik.http.routers.traefik.middlewares=traefik-auth" + - "traefik.http.routers.traefik.tls.certresolver=http" + - "traefik.http.routers.traefik.service=api@internal" placement: constraints: - node.role==manager 
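Review bot: The `traefik-auth` basic-auth label falls back to a published credential (`admin:admin`, per its inline comment) when `TRAEFIK_BASIC_AUTH_USERS` is unset, so setting only `TRAEFIK_DASHBOARD=true` puts `api@internal` on the public `https` entrypoint behind a known password. I would drop the default and make the variable mandatory, e.g. `${TRAEFIK_BASIC_AUTH_USERS:?set TRAEFIK_BASIC_AUTH_USERS}`, or at least document next to `TRAEFIK_DASHBOARD` that the two must be set together. Separately, `--providers.docker.swarmMode=true` now survives only in the commented-out block while these labels stay under `deploy.labels`; Traefik v2 reads service-level labels only in swarm mode, so it is worth confirming that the router and its auth middleware are still picked up. The traefik service definition continues past the end of this hunk.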
@@ -54,15 +81,32 @@ services: PROXY_ENABLE_BASIC_AUTH: ${PROXY_ENABLE_BASIC_AUTH} IDM_ADMIN_PASSWORD: ${ADMIN_PASSWORD} IDM_CREATE_DEMO_USERS: ${DEMO_USERS} + # fulltext search + SEARCH_EXTRACTOR_TYPE: tika + SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998 + FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true" + # make the registry available to the app provider containers + MICRO_REGISTRY: "mdns" volumes: - - ./config/ocis:/etc/ocis - - ocis_data:/var/lib/ocis + - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml + - ocis-config:/etc/ocis + - ocis-data:/var/lib/ocis + labels: + - "traefik.enable=true" + - "traefik.http.routers.ocis.entrypoints=https" + - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" + - "traefik.http.routers.ocis.tls.certresolver=http" + - "traefik.http.routers.ocis.service=ocis" + - "traefik.http.services.ocis.loadbalancer.server.port=9200" + logging: + driver: "local" deploy: labels: - "traefik.enable=true" - - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)" - "traefik.http.routers.ocis.entrypoints=https" + - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)" - "traefik.http.routers.ocis.tls.certresolver=http" + - "traefik.http.routers.ocis.service=ocis" - "traefik.http.services.ocis.loadbalancer.server.port=9200" restart_policy: condition: on-failure @@ -104,8 +148,11 @@ services: entrypoint: - /bin/sh - /entrypoint-override.sh - #command: app-provider server environment: + OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} + OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} + OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}" + PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # use the internal service name of the gateway REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway} APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
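Review bot: The new bind mount `./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml` is writable from inside the oCIS container, so a process in the container can change the host's copy of the app-registry config. Unless oCIS is expected to write that file, mount it read-only: `- ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml:ro`. The same six routing labels are also now listed twice, under `labels` and under `deploy.labels`, and the copies can drift apart; a one-line comment saying which set applies to plain Compose and which to Swarm would help the next editor. The ocis service definition starts before this hunk.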
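Review bot: `PROXY_TLS: "false"` makes the hop behind Traefik plain HTTP, and the comment does not say what protects that hop; on a multi-node swarm, overlay traffic between nodes is not encrypted unless the network is created with the `encrypted` driver option. The `ocis-net` definition is outside this hunk, so this may already be handled; if it is not, consider `driver_opts: { encrypted: "true" }` on that network, or at least extend the comment to `# TLS terminates at Traefik; traffic to oCIS is plain HTTP on ocis-net`. This environment block also appears to belong to an app-provider service (it sets `APP_PROVIDER_GRPC_ADDR`), where a proxy setting may have no effect, so it is worth checking that the variable is set on the service that actually runs the proxy.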