diff --git a/docker/compose.yml b/docker/compose.yml
index 37b9433..ad554eb 100644
--- a/docker/compose.yml
+++ b/docker/compose.yml
@@ -51,16 +51,11 @@ volumes:
type: cifs
o: username=${NETWORK_DRIVE_USERNAME},password=${NETWORK_DRIVE_PASSWORD},vers=3.0,rw
device: "//${NETWORK_DRIVE}/homelab/uptimekuma"
- certbot:
+ letsencrypt:
driver_opts:
type: cifs
o: username=${NETWORK_DRIVE_USERNAME},password=${NETWORK_DRIVE_PASSWORD},vers=3.0,rw
- device: "//${NETWORK_DRIVE}/homelab/certbot"
- certbot-certs:
- driver_opts:
- type: cifs
- o: username=${NETWORK_DRIVE_USERNAME},password=${NETWORK_DRIVE_PASSWORD},vers=3.0,rw
- device: "//${NETWORK_DRIVE}/homelab/certbot/certificates"
+ device: "//${NETWORK_DRIVE}/homelab/letsencrypt"
adgaurd-conf:
driver_opts:
type: cifs
@@ -173,7 +168,6 @@ services:
- 8920 # https
volumes:
- media:/data/media/:ro
- - certbot-certs:/data/certs/:ro
- jellyfin-config:/config
- jellyfin-cache:/cache
environment:
@@ -266,15 +260,28 @@ services:
volumes:
- adgaurd-conf:/opt/adguardhome/conf:rw
- adguard-work:/opt/adguardhome/work:rw
- - certbot:/opt/adguardhome/certs/:rw
+ - letsencrypt:/opt/adguardhome/certs/:ro
expose:
- - 80 # http
- - 53 # dns
- # these two are terminated by traefik and forwarded over 80 & 53
- # and are uneeded
- # - 853 # dot
+ - 80 # webui
+ - 53 # dns - not used
+ - 853 # dot
- 443 # doh
+ lego:
+ image: goacme/lego
+ container_name: lego-certbot
+ restart: always
+ environment:
+ - CLOUDFLARE_EMAIL=${CF_API_EMAIL}
+ - CLOUDFLARE_API_KEY=${CF_API_KEY}
+ command:
+ --accept-tos
+ --email ${CF_API_EMAIL} --dns cloudflare
+ --domains dns.${DOMAIN} --path /etc/letsencrypt/
+ run
+ volumes:
+ - letsencrypt:/etc/letsencrypt:rw
+
dashy:
container_name: dashy
image: lissy93/dashy
diff --git a/docker/traefik/dynamic.toml b/docker/traefik/dynamic.toml
index a7f0478..0576264 100644
--- a/docker/traefik/dynamic.toml
+++ b/docker/traefik/dynamic.toml
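Review bot: `CLOUDFLARE_API_KEY=${CF_API_KEY}` in the new lego service hands the ACME client the Cloudflare Global API Key, which authorises every action on the account; lego's cloudflare provider also accepts `CLOUDFLARE_DNS_API_TOKEN`, so an API token scoped to DNS edit on the one zone would bound what a leak of this container's environment exposes. Separately, `run` is a one-shot lego command and `restart: always` relaunches the container on every exit, so unless something outside this file gates it, this looks like a tight re-issuance loop against the CA rather than a renewal schedule; `lego renew` with its days threshold driven by an external timer, or at least `restart: "no"`, is the usual shape. The multi-line plain scalar under `command:` silently folds into one string, which works but reads ambiguously next to the list-form `environment:` just above it; a block sequence (`- --accept-tos`, `- --email`, `- ${CF_API_EMAIL}`, …) makes the argument boundaries explicit. The service that owns the `volumes:`/`expose:` lines at the top of this hunk starts before the hunk.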
@@ -152,7 +152,6 @@ certResolver = "cloudflare"
url = "http://adguardhome:80"
[http.routers.doh]
-entryPoints = ["websecure"]
service = "doh"
rule = "Host(`dns.sawyer.services`)"
[http.routers.doh.tls]
@@ -160,15 +159,14 @@ certResolver = "cloudflare"
[http.services.doh.loadBalancer]
[[http.services.doh.loadBalancer.servers]]
-url = "http://adguard:80" # its already terminated
+url = "https://adguardhome:443"
+# not terminating tls and instead pass directly to adguard
[tcp.routers.dot]
entryPoints = ["dot"]
service = "dot"
-rule = "HostSNI(`dns.sawyer.services`)"
-[tcp.routers.dot.tls]
-certResolver = "cloudflare"
+rule = "HostSNI(`*`)"
[tcp.services.dot.loadBalancer]
[[tcp.services.dot.loadBalancer.servers]]
-address = "172.55.0.10:53" # its already terminated
+address = "172.55.0.10:853"
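Review bot: The new comment `# not terminating tls and instead pass directly to adguard` does not describe what the doh router does: `[http.routers.doh.tls]` and its certResolver are still present (context of the previous hunk and this hunk's header), so Traefik still terminates TLS for `dns.sawyer.services` and only re-encrypts the hop to `https://adguardhome:443`; something like `# TLS is terminated by Traefik, then re-encrypted to AdGuard's own HTTPS listener on 443` would be accurate. Traefik verifies that backend certificate by default, and the certificate lego issues in the compose hunk is for `dns.${DOMAIN}` while the URL names `adguardhome`, so unless a serversTransport elsewhere in the file already covers it, the hop will fail verification; the fix to prefer is a serversTransport with `serverName = "dns.sawyer.services"` attached to the doh service, not `insecureSkipVerify`. The dot router change is genuine passthrough, but widening the rule to the `*` SNI match gives up the hostname filter; keeping the original HostSNI rule for `dns.sawyer.services` together with `[tcp.routers.dot.tls]` `passthrough = true` still hands the raw TLS stream to AdGuard. The tcp service pins `172.55.0.10` while the http service now uses the `adguardhome` name; if both refer to the same container, the name is the more robust reference.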