diff --git a/tasks/main.yml b/tasks/main.yml
index d4be410..2e8a3be 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -9,6 +9,23 @@
 group: '{{ docker_user }}'
 tags: config
+- name: Ensure traefik rules directory exists
+ file:
+ path: /home/{{ docker_user }}/traefik/rules
+ state: directory
+ owner: '{{ docker_user }}'
+ group: '{{ docker_user }}'
+ tags: config
+
+- name: Provide TLS default options
+ template:
+ src: templates/t2-rules-tls-options.toml.j2
+ dest: /home/{{ docker_user }}/traefik/rules/tls-options.toml
+ owner: "{{ docker_user }}"
+ group: "{{ docker_user }}"
+ mode: '0644'
+ tags: config
+
 - name: Provide docker-compose.yml
 template:
 src: templates/docker-compose.traefik.yml.j2
diff --git a/templates/docker-compose.traefik.yml.j2 b/templates/docker-compose.traefik.yml.j2
index f704533..2e3ed38 100644
--- a/templates/docker-compose.traefik.yml.j2
+++ b/templates/docker-compose.traefik.yml.j2
@@ -28,6 +28,7 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock
 - /home/{{ docker_user }}/traefik/traefik.toml:/traefik.toml
 - /home/{{ docker_user }}/traefik/acme.json:/acme.json
+ - /home/{{ docker_user }}/traefik/rules:/rules
 {% if traefik.expose_externally | default(False) %}
 labels:
 - "traefik.enable=true"
diff --git a/templates/t2-rules-tls-options.toml.j2 b/templates/t2-rules-tls-options.toml.j2
new file mode 100644
index 0000000..6f456ec
--- /dev/null
+++ b/templates/t2-rules-tls-options.toml.j2
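Review bot: The new "Ensure traefik rules directory exists" task sets owner and group but no `mode:`, so the permissions of the created directory fall out of the umask of the Ansible process rather than being pinned by the play. That matters more than for an ordinary directory because the traefik.toml.j2 hunk in this same commit points the file provider at it with `watch = true`, so anything written into it becomes live Traefik configuration; pin it next to `state: directory` with `mode: '0755'`, matching the way the template task below already pins `mode: '0644'`. As a point of style, the two new tasks quote the same Jinja value differently (`'{{ docker_user }}'` in the file task, `"{{ docker_user }}"` in the template task); the existing context line uses single quotes, so `owner: '{{ docker_user }}'` / `group: '{{ docker_user }}'` in the template task would keep the file consistent.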
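Review bot: The added bind mount exposes the host rules directory read-write inside the container, although the file provider that consumes it (configured in traefik.toml.j2 in this commit) only reads and watches the files. Mounting it read-only keeps a compromised or misbehaving container from rewriting its own dynamic configuration: `- /home/{{ docker_user }}/traefik/rules:/rules:ro`. The existing mounts in the context lines are not read-only either, but that is outside this change. The enclosing `services:` block starts outside the hunk.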
@@ -0,0 +1,17 @@
+[tls.options]
+ [tls.options.default]
+ minVersion = "VersionTLS12"
+ sniStrict = true
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256",
+ "TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507.
+ ]
+ [tls.options.mintls13]
+ minVersion = "VersionTLS13"
\ No newline at end of file
diff --git a/templates/traefik.toml.j2 b/templates/traefik.toml.j2
index 3caebc5..5eaf1ce 100644
--- a/templates/traefik.toml.j2
+++ b/templates/traefik.toml.j2
@@ -18,13 +18,14 @@ defaultEntryPoints = ["web", "websecure"]
 # dashboard = true
 # insecure = true
-[file]
-watch = true
-
 [providers.docker]
 endpoint = "unix:///var/run/docker.sock"
 exposedByDefault = false
+[providers.file]
+ directory = "/rules"
+ watch = true
+
 {% if traefik.enable_acme %}
 [certificatesResolvers.defaultresolver.acme]
 {% if traefik.use_acme_staging %}
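Review bot: The first entry of `cipherSuites`, `"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"`, is the only CBC-mode (non-AEAD) suite in the list; every other entry is GCM or ChaCha20-Poly1305, and recent Go releases, as far as I recall, report the CBC-SHA256 suites through InsecureCipherSuites() because of padding-oracle (Lucky13-style) concerns. Dropping that one line makes the default option AEAD-only without losing RSA-certificate support, since `"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"` remains. The three `TLS_AES_*`/`TLS_CHACHA20_POLY1305_SHA256` names are TLS 1.3 suites, which Go's crypto/tls does not let a server restrict, so they document intent rather than constrain negotiation; a comment such as `# TLS 1.3 suites are listed for documentation only; Go does not make them configurable.` above them would save the next reader a detour. The template also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.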
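Review bot: `directory = "/rules"` is a container-side path that only exists because the docker-compose template in this commit bind-mounts the host rules directory there, and with `watch = true` every file placed in it — not just the TLS options file this commit ships — is treated as live dynamic configuration (routers, services, middlewares included). Neither relationship is visible from this file, so a comment above the new table would help: `# Dynamic configuration is loaded live from every file in /rules, which compose mounts from /home/{{ docker_user }}/traefik/rules.` The removed `[file]`/`watch = true` block is history and not re-raised here.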