diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 24e0f6b..18fbcc7 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -18,6 +18,10 @@ access_control:
   rules:
     - domain: 'pgadmin.test.3launchpad.com'
       policy: 'two_factor'
+    - domain: 'beszel.test.3launchpad.com'
+      policy: 'two_factor'
+    - domain: 'traefik.test.3launchpad.com'
+      policy: 'two_factor'
     - domain: '*.test.3launchpad.com'
       policy: 'one_factor'
 
@@ -36,10 +40,16 @@ storage:
 
 notifier:
   disable_startup_check: true
+  # Configure SMTP for production email notifications
+  # For testing, you can use filesystem notifier instead:
+  # filesystem:
+  #   filename: /config/notification.txt
   smtp:
-    address: 'smtp://localhost:25'
-    username: 'authelia'
-    sender: 'authelia@example.com'
+    address: 'submissions://smtp.gmail.com:465'
+    username: 'your-email@gmail.com'
+    sender: 'Authelia '
+    # For Gmail, use an App Password (not your regular password)
+    # Generate at: https://myaccount.google.com/apppasswords
 
 identity_validation:
   reset_password: {}
diff --git a/docker-compose.yml b/docker-compose.yml
index d64cdb6..435dfd5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
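Review bot: The new `two_factor` rule for `beszel.test.3launchpad.com` is only evaluated on requests that Traefik forwards to Authelia, and in docker-compose.yml the beszel router (hunk `@@ -319,18 +317,12 @@`) is left with `security-headers@docker` as its only middleware — of all the routers in this commit, only the Traefik dashboard router chains `authelia@docker`. The same gap applies to the existing pgadmin rule and to the `*.test.3launchpad.com` catch-all: the portainer, kuma, umami, pgadmin and gitea routers also bypass Authelia, so those policies never run (assuming `${DOMAIN_PREFIX}.${DOMAIN}` resolves to `test.3launchpad.com`). If those services are meant to be protected, each router needs the forwardAuth middleware in its chain, e.g. `- "traefik.http.routers.beszel.middlewares=authelia@docker,security-headers@docker"`; if only the dashboard is meant to be protected, a comment on the rule naming which routers actually forward to Authelia would avoid a false sense of coverage.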
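Review bot: `sender: 'Authelia '` on the new side is a display name with no mailbox; Authelia parses `notifier.smtp.sender` as a mail address, so unless an angle-bracketed address was lost in rendering this value should read `sender: 'Authelia <your-email@gmail.com>'` or the service will reject the configuration. The hunk keeps `disable_startup_check: true` while switching from a local relay to `smtp.gmail.com:465`, so a wrong App Password or a blocked outbound port only surfaces when a user requests a password reset or registers a device; consider dropping that line once the relay is configured. The App Password itself should not be added to this file — supply it through `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` (or an equivalent secret mount) so the committed configuration stays credential-free.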
@@ -97,34 +97,31 @@ services:
       - --log.level=INFO
       - --metrics.prometheus=true
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/rundocker.sock:ro
       - traefik_letsencrypt:/letsencrypt
       - traefik_logs:/var/log/traefik
     labels:
-      - traefik.enable=true
+      - "traefik.enable=true"
 
-      # Reusable security headers
-      - traefik.http.middlewares.security-headers.headers.stsSeconds=31536000
-      - traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true
-      - traefik.http.middlewares.security-headers.headers.stsPreload=true
-      - traefik.http.middlewares.security-headers.headers.browserXssFilter=true
-      - traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true
-      - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
-
-      # # Basic Auth middleware
-      # - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
+      # Reusable security headers middleware
+      - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.security-headers.headers.stsPreload=true"
+      - "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade"
 
       # Authelia middleware
-      - traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
-      - traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
-      - traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
+      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
+      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name"
 
       # Traefik dashboard (protected)
-      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.traefik.entrypoints=websecure
-      - traefik.http.routers.traefik.tls.certresolver=le
-      - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=authelia@docker,security-headers
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=le"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=authelia@docker,security-headers@docker"
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/ping"]
       interval: 30s
@@ -160,11 +157,12 @@ services:
     depends_on:
       - authelia-db
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.authelia.entrypoints=websecure
-      - traefik.http.routers.authelia.tls.certresolver=le
-      - traefik.http.services.authelia.loadbalancer.server.port=9091
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - "traefik.http.routers.authelia.tls.certresolver=le"
+      - "traefik.http.routers.authelia.middlewares=security-headers@docker"
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
 
   ## ─────────────────────────────────────────────
   ## Authelia Database — PostgreSQL
@@ -200,12 +198,12 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - portainer_data:/data
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.portainer.entrypoints=websecure
-      - traefik.http.routers.portainer.tls.certresolver=le
-      - traefik.http.routers.portainer.middlewares=security-headers
-      - traefik.http.services.portainer.loadbalancer.server.port=9000
+      - "traefik.enable=true"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.portainer.entrypoints=websecure"
+      - "traefik.http.routers.portainer.tls.certresolver=le"
+      - "traefik.http.routers.portainer.middlewares=security-headers@docker"
+      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 
   ## ─────────────────────────────────────────────
   ## Uptime Kuma — status page / checks
@@ -218,12 +216,12 @@ services:
       - uptime_kuma_data:/app/data
     networks: [traefik_proxy]
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.kuma.rule=Host(`uptime.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.kuma.entrypoints=websecure
-      - traefik.http.routers.kuma.tls.certresolver=le
-      - traefik.http.routers.kuma.middlewares=security-headers
-      - traefik.http.services.kuma.loadbalancer.server.port=3001
+      - "traefik.enable=true"
+      - "traefik.http.routers.kuma.rule=Host(`uptime.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.kuma.entrypoints=websecure"
+      - "traefik.http.routers.kuma.tls.certresolver=le"
+      - "traefik.http.routers.kuma.middlewares=security-headers@docker"
+      - "traefik.http.services.kuma.loadbalancer.server.port=3001"
 
   ## ─────────────────────────────────────────────
   ## Umami — web analytics
@@ -240,14 +238,14 @@ services:
     depends_on:
      - umami-db
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.umami.rule=Host(`umami.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.umami.entrypoints=websecure
-      - traefik.http.routers.umami.tls.certresolver=le
-      - traefik.http.routers.umami.middlewares=security-headers
-      - traefik.http.services.umami.loadbalancer.server.port=3000
+      - "traefik.enable=true"
+      - "traefik.http.routers.umami.rule=Host(`umami.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.umami.entrypoints=websecure"
+      - "traefik.http.routers.umami.tls.certresolver=le"
+      - "traefik.http.routers.umami.middlewares=security-headers@docker"
+      - "traefik.http.services.umami.loadbalancer.server.port=3000"
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000"]
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -295,12 +293,12 @@ services:
     volumes:
       - pgadmin_data:/var/lib/pgadmin
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.pgadmin.rule=Host(`pgadmin.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.pgadmin.entrypoints=websecure
-      - traefik.http.routers.pgadmin.tls.certresolver=le
-      - traefik.http.routers.pgadmin.middlewares=security-headers
-      - traefik.http.services.pgadmin.loadbalancer.server.port=80
+      - "traefik.enable=true"
+      - "traefik.http.routers.pgadmin.rule=Host(`pgadmin.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.pgadmin.entrypoints=websecure"
+      - "traefik.http.routers.pgadmin.tls.certresolver=le"
+      - "traefik.http.routers.pgadmin.middlewares=security-headers@docker"
+      - "traefik.http.services.pgadmin.loadbalancer.server.port=80"
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80"]
       interval: 30s
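Review bot: The umami healthcheck now probes `http://127.0.0.1:3000` while the pgadmin (`@@ -295,12 +293,12 @@`) and gitea (`@@ -364,12 +357,12 @@`) healthchecks touched by this same commit still use `localhost`, so the file is inconsistent about which loopback form is intended. If the switch is a fix for `localhost` resolving to `::1` inside the umami image while the application binds IPv4 only, that reason belongs in a comment above the `test:` line, for example `# 127.0.0.1 rather than localhost: the image resolves localhost to ::1 but the app binds IPv4 only`; otherwise the next reader will assume the difference is accidental. The other services should then be checked for the same symptom rather than left on `localhost` by default.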
@@ -319,18 +317,12 @@ services:
     volumes:
       - beszel_data:/beszel_data
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.beszel.rule=Host(`beszel.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.beszel.entrypoints=websecure
-      - traefik.http.routers.beszel.tls.certresolver=le
-      - traefik.http.routers.beszel.middlewares=security-headers
-      - traefik.http.services.beszel.loadbalancer.server.port=8090
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8090"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 40s
+      - "traefik.enable=true"
+      - "traefik.http.routers.beszel.rule=Host(`beszel.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.beszel.entrypoints=websecure"
+      - "traefik.http.routers.beszel.tls.certresolver=le"
+      - "traefik.http.routers.beszel.middlewares=security-headers@docker"
+      - "traefik.http.services.beszel.loadbalancer.server.port=8090"
 
   ## ─────────────────────────────────────────────
   ## Gitea — self-hosted Git service
@@ -348,6 +340,7 @@ services:
       - GITEA__database__NAME=${GITEA_DB_NAME}
       - GITEA__database__USER=${GITEA_DB_USER}
       - GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
+      - GITEA__database__SSL_MODE=disable
       - GITEA__server__DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
       - GITEA__server__SSH_DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
       - GITEA__server__ROOT_URL=https://git.${DOMAIN_PREFIX}.${DOMAIN}/
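Review bot: `GITEA__database__SSL_MODE=disable` sends the database password from `GITEA_DB_PASSWORD` and every query to `gitea-db` in plaintext, which is defensible only if `gitea-db` is reachable solely on an internal compose network with no published port — the hunk does not show that service definition, so it cannot be confirmed here. A comment on the line recording that assumption, `# plaintext DB link: acceptable only while gitea-db sits on an internal network with no published port`, would stop the next maintainer from moving the database without revisiting it. If the Postgres image is later given a certificate, `require` (or `verify-full` with a CA) is the safer value.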
@@ -364,12 +357,12 @@ services:
     depends_on:
       - gitea-db
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.gitea.rule=Host(`git.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.gitea.entrypoints=websecure
-      - traefik.http.routers.gitea.tls.certresolver=le
-      - traefik.http.routers.gitea.middlewares=security-headers
-      - traefik.http.services.gitea.loadbalancer.server.port=3000
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitea.rule=Host(`git.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.gitea.entrypoints=websecure"
+      - "traefik.http.routers.gitea.tls.certresolver=le"
+      - "traefik.http.routers.gitea.middlewares=security-headers@docker"
+      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
       interval: 30s