diff --git a/.gitignore b/.gitignore
index 7b623bc..427c365 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,8 @@
+# ignore environment files
+.env
+
+# whatever the hell this file is
 core
 cloudflare/tailscale/
@@ -23,13 +27,20 @@ pdf/stirling/latest/logs/
 pdf/stirling/latest/config/db/backup/
 pdf/stirling/latest/config/*.db
+# beszel
+beszel/beszel_data/*
+beszel/beszel_data/auxiliary.db
+
+# pangolin
 pangolin/config/db/db.sqlite
+pangolin/config/db/backups/db*.sqlite
 pangolin/config/letsencrypt/acme.json
 pangolin/config/key
 pangolin/config/config.yml.bak
 pangolin/installer
-
-# ignore environment files
-.env
-
+pangolin/config/traefik-dashboard/positions/.position
+pangolin/config/traefik-dashboard/geoip/*.mmdb
+pangolin/config/traefik-dashboard/dashboard/*.db-wal
+pangolin/config/traefik/logs/access.log
+pangolin/config/traefik-dashboard/dashboard/*.db
+pangolin/config/traefik-dashboard/dashboard/*.db-shm
diff --git a/README.md b/README.md
index a84eca5..ce9cc52 100644
--- a/README.md
+++ b/README.md
@@ -3,16 +3,26 @@ ## Useful aliases
+These are defined in
+
 `dcdn`=`docker compose down`
+
 `dcupd`=`docker compose up -d`
+
 `dcpull`=`docker compose pull`
+
 `dsta`=`docker stop $(docker ps -q)`
+
 `dclf`=`docker compose logs -f`
+
 `dxcit`=`docker container exec -it`
+
 `lzd`=`lazydocker`
 ## Putting it all together
-Shut it down, pull the latest images, and start it up again:
+Shut it down, pull the latest images, start it up in the background, and follow the logs:
-`dcdn; dcpull; dcupd`
+```bash
+dcdn && dcpull && dcupd && dclf
+```
diff --git a/pangolin/config/config.yml b/pangolin/config/config.yml
new file mode 100644
index 0000000..1b7830e
--- /dev/null
+++ b/pangolin/config/config.yml
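Review bot: The new comment `# whatever the hell this file is` above `core` tells the next reader nothing about why the entry exists. On Linux `core` is the default file name for a process core dump, which is presumably what keeps landing in the repo root (confirm with `file core` on the stray file). Replace the comment with `# core dump left behind by a crashed process`, so the ignore rule is self-explanatory.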
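Review bot: The pangolin block ignores `pangolin/config/config.yml.bak` but not `pangolin/config/config.yml`, and this same commit adds that file with a server secret, an SMTP password and the admin password in clear text. Add `pangolin/config/config.yml` to this block and commit a `pangolin/config/config.yml.example` with placeholder values instead, so the real file can be untracked once the secrets have been rotated; note that `git rm --cached` alone does not purge it from history. `beszel/beszel_data/auxiliary.db` is already matched by `beszel/beszel_data/*` on the line above and can be dropped.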
@@ -0,0 +1,76 @@
+app:
+ dashboard_url: https://pangolin.acedanger.com
+ log_level: info
+ save_logs: false
+domains:
+ domain1:
+ base_domain: acedanger.com
+ cert_resolver: letsencrypt
+ domain2:
+ base_domain: peterwood.rocks
+ cert_resolver: letsencrypt
+ domain3:
+ base_domain: peterwood.dad
+ cert_resolver: letsencrypt
+ domain4:
+ base_domain: ptrwd.com
+ cert_resolver: letsencrypt
+ domain5:
+ base_domain: margotwood.xyz
+ cert_resolver: letsencrypt
+server:
+ external_port: 3000
+ internal_port: 3001
+ next_port: 3002
+ internal_hostname: pangolin
+ session_cookie_name: p_session_token
+ resource_access_token_param: p_token
+ resource_access_token_headers:
+ id: P-Access-Token-Id
+ token: P-Access-Token
+ resource_session_request_param: p_session_request
+ secret: EkiOH3KRHNzde3euT1yTaYIKXchPmHqz
+ cors:
+ origins:
+ - https://pangolin.acedanger.com
+ methods:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ - PATCH
+ headers:
+ - X-CSRF-Token
+ - Content-Type
+ credentials: false
+traefik:
+ cert_resolver: letsencrypt
+ http_entrypoint: web
+ https_entrypoint: websecure
+gerbil:
+ start_port: 51820
+ base_endpoint: pangolin.acedanger.com
+ use_subdomain: false
+ block_size: 24
+ site_block_size: 30
+ subnet_group: 100.89.137.0/20
+rate_limits:
+ global:
+ window_minutes: 1
+ max_requests: 500
+email:
+ smtp_host: smtp.fastmail.com
+ smtp_port: 465
+ smtp_user: peter@peterwood.dev
+ smtp_pass: 7v5x943m4g58384q
+ no_reply: no-reply@peterwood.dev
+users:
+ server_admin:
+ email: peter@peterwood.dev
+ password: 23!hA1F^RCjT28
+flags:
+ require_email_verification: true
+ disable_signup_without_invite: true
+ disable_user_create_org: false
+ allow_raw_resources: true
+ allow_base_domain_resources: true
diff --git a/pangolin/config/traefik-dashboard/geoip/COPYRIGHT.txt b/pangolin/config/traefik-dashboard/geoip/COPYRIGHT.txt
new file mode 100644
index 0000000..7076361
--- /dev/null
+++ b/pangolin/config/traefik-dashboard/geoip/COPYRIGHT.txt
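Review bot: `server.secret`, `email.smtp_pass` and `users.server_admin.password` are committed in clear text; once this is pushed they live in the history of every clone, so all three must be rotated now (and the Fastmail app password revoked) regardless of whether the file is later removed. Keep the real file out of the repository: add `pangolin/config/config.yml` to `.gitignore`, commit a `config.yml.example` with placeholder values, and supply the secrets from the `.env` file the repo already ignores — recent Pangolin releases accept environment-variable overrides for config keys, but verify that against the 1.12.1 documentation before depending on it. Until the rotation is done, treat the admin account and every session signed with the current `server.secret` as compromised.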
@@ -0,0 +1 @@
+Database and Contents Copyright (c) 2025 MaxMind, Inc.
diff --git a/pangolin/config/traefik-dashboard/geoip/LICENSE.txt b/pangolin/config/traefik-dashboard/geoip/LICENSE.txt
new file mode 100644
index 0000000..ee7434d
--- /dev/null
+++ b/pangolin/config/traefik-dashboard/geoip/LICENSE.txt
@@ -0,0 +1,3 @@
+Use of this MaxMind product is governed by MaxMind's GeoLite2 End User License Agreement, which can be viewed at https://www.maxmind.com/en/geolite2/eula.
+
+This database incorporates GeoNames [https://www.geonames.org] geographical data, which is made available under the Creative Commons Attribution 4.0 License. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/.
diff --git a/pangolin/config/traefik-dashboard/geoip/README.txt b/pangolin/config/traefik-dashboard/geoip/README.txt
new file mode 100644
index 0000000..16e29ad
--- /dev/null
+++ b/pangolin/config/traefik-dashboard/geoip/README.txt
@@ -0,0 +1 @@
+Latitude and longitude are not precise and should not be used to identify a particular street address or household.
diff --git a/pangolin/config/traefik/dynamic_config.yml b/pangolin/config/traefik/dynamic_config.yml
index 810bdc9..09888cc 100644
--- a/pangolin/config/traefik/dynamic_config.yml
+++ b/pangolin/config/traefik/dynamic_config.yml
@@ -41,13 +41,44 @@ http:
 tls:
 certResolver: letsencrypt
+ # Traefik Log Dashboard router
+ traefik-dashboard-redirect:
+ rule: "Host(`traefik-logs.acedanger.com`)"
+ service: traefik-dashboard-service
+ entryPoints:
+ - web
+ middlewares:
+ - redirect-to-https
+
+ traefik-dashboard-router:
+ rule: "Host(`traefik-logs.acedanger.com`)"
+ service: traefik-dashboard-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+
 services:
 next-service:
 loadBalancer:
 servers:
- - url: "http://pangolin:3002" # Next.js server
+ - url: "http://pangolin:3002" # Next.js server
 api-service:
 loadBalancer:
 servers:
- - url: "http://pangolin:3000" # API/WebSocket server
+ - url: "http://pangolin:3000" # API/WebSocket server
+
+ traefik-dashboard-service:
+ loadBalancer:
+ servers:
+ - url: "http://traefik-dashboard:3000"
+
+tcp:
+ serversTransports:
+ pp-transport-v1:
+ proxyProtocol:
+ version: 1
+ pp-transport-v2:
+ proxyProtocol:
+ version: 2
diff --git a/pangolin/config/traefik/traefik_config.yml b/pangolin/config/traefik/traefik_config.yml
index 5f4466a..2185f71 100644
--- a/pangolin/config/traefik/traefik_config.yml
+++ b/pangolin/config/traefik/traefik_config.yml
@@ -19,6 +19,20 @@ log:
 level: "INFO"
 format: "common"
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+ format: "json"
+ bufferingSize: 100
+ fields:
+ defaultMode: "keep"
+ names:
+ ClientUsername: "drop"
+ headers:
+ defaultMode: "keep"
+ names:
+ Authorization: "drop"
+ Cookie: "drop"
+
 certificatesResolvers:
 letsencrypt:
 acme:
diff --git a/pangolin/docker-compose.yml b/pangolin/docker-compose.yml
index 812be7f..09419ad 100644
--- a/pangolin/docker-compose.yml
+++ b/pangolin/docker-compose.yml
@@ -1,7 +1,7 @@
 name: pangolin
 services:
 pangolin:
- image: fosrl/pangolin:1.10.3
+ image: fosrl/pangolin:1.12.1
 container_name: pangolin
 restart: unless-stopped
 labels:
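Review bot: `traefik-dashboard-router` publishes `traefik-logs.acedanger.com` with TLS but no `middlewares:` entry, so anyone who can reach the hostname lands on the log dashboard — which exposes the full access log (client IPs, paths, request headers) — protected only by whatever login the dashboard image itself enforces, and nothing in this diff shows that it enforces one. Unless that is confirmed, declare an auth middleware under `http.middlewares` (a `basicAuth` or an IP allow-list) and reference it on the router: `middlewares:` / `- dashboard-auth`. The `tcp.serversTransports` entries `pp-transport-v1` and `pp-transport-v2` are declared but nothing in this hunk references them; if a router outside the hunk uses them, a one-line comment naming it would save the next reader a search.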
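Review bot: With `headers.defaultMode: "keep"` the JSON access log records every request header except `Authorization` and `Cookie`, but Pangolin's resource access token travels in the `P-Access-Token` / `P-Access-Token-Id` headers (see `resource_access_token_headers` in the `config.yml` added by this same commit), so those tokens will be written to `access.log` — which this commit then mounts into the log-dashboard agent. Either flip the headers default to `"drop"` with an explicit allow-list of the headers the dashboard actually needs (`User-Agent`, `Referer`, …), or at minimum add `P-Access-Token: "drop"` and `P-Access-Token-Id: "drop"` under `headers.names` (and consider `X-CSRF-Token`). Tokens passed via the `p_token` query parameter (`resource_access_token_param`) would still appear in the logged `RequestPath`, which header settings cannot redact — check whether that flow is in use before treating this log as safe to share.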
@@ -18,7 +18,7 @@ services:
 timeout: 10s
 retries: 15
 gerbil:
- image: fosrl/gerbil:1.2.1
+ image: fosrl/gerbil:latest
 container_name: gerbil
 restart: unless-stopped
 labels:
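Review bot: `gerbil` moves from the pinned `1.2.1` to the floating `latest` tag while `pangolin` in the same file stays pinned at `1.12.1`; `latest` means the `dcpull` step in the README pulls whatever the registry serves that day, with no reviewable change and no clean rollback, and it defeats the purpose of the `diun.enable=true` label, which exists to flag a stale pinned tag. Pin it to the gerbil release the Pangolin 1.12.1 release notes list as compatible, `image: fosrl/gerbil:<that version>`, and preferably add the digest (`fosrl/gerbil:<version>@sha256:…`) since this container handles the WireGuard endpoint.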
@@ -59,6 +59,53 @@ services:
 - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
 - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
 - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
+ traefik-agent:
+ image: hhftechnology/traefik-log-dashboard-agent:dev-dashboard
+ container_name: traefik-log-dashboard-agent
+ restart: unless-stopped
+ labels:
+ - diun.enable=true
+ ports:
+ - "5000:5000"
+ volumes:
+ - ./config/traefik/logs:/logs:ro
+ - ./config/traefik-dashboard/geoip:/geoip:ro
+ - ./config/traefik-dashboard/positions:/data
+ environment:
+ - TRAEFIK_LOG_DASHBOARD_ACCESS_PATH=/logs/access.log
+ - TRAEFIK_LOG_DASHBOARD_ERROR_PATH=/logs/access.log
+ - TRAEFIK_LOG_DASHBOARD_AUTH_TOKEN=${TRAEFIK_DASHBOARD_AUTH_TOKEN}
+ - TRAEFIK_LOG_DASHBOARD_SYSTEM_MONITORING=true
+ - TRAEFIK_LOG_DASHBOARD_GEOIP_ENABLED=true
+ - TRAEFIK_LOG_DASHBOARD_GEOIP_CITY_DB=/geoip/GeoLite2-City.mmdb
+ - TRAEFIK_LOG_DASHBOARD_GEOIP_COUNTRY_DB=/geoip/GeoLite2-Country.mmdb
+ - TRAEFIK_LOG_DASHBOARD_LOG_FORMAT=json
+ - PORT=5000
+ healthcheck:
+ test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:5000/api/logs/status" ]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
+ traefik-dashboard:
+ image: hhftechnology/traefik-log-dashboard:dev-dashboard
+ container_name: traefik-log-dashboard
+ restart: unless-stopped
+ labels:
+ - diun.enable=true
+ ports:
+ - "3005:3000"
+ volumes:
+ - ./config/traefik-dashboard/dashboard:/app/data
+ environment:
+ - AGENT_API_URL=http://traefik-agent:5000
+ - AGENT_API_TOKEN=${TRAEFIK_DASHBOARD_AUTH_TOKEN}
+ - AGENT_NAME=Pangolin Traefik Agent
+ - NODE_ENV=production
+ - PORT=3000
+ depends_on:
+ traefik-agent:
+ condition: service_healthy
 networks:
 default:
 driver: bridge
diff --git a/tclip/compose.yaml b/tclip/compose.yaml
index 0c3b612..a81a47a 100644
--- a/tclip/compose.yaml
+++ b/tclip/compose.yaml
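Review bot: `traefik-agent` publishes `"5000:5000"` on every host interface although its only consumer is `traefik-dashboard` over the compose network (`AGENT_API_URL=http://traefik-agent:5000`); the agent serves the parsed access log guarded by nothing but `TRAEFIK_DASHBOARD_AUTH_TOKEN`, so the host port is an unnecessary external surface. Drop the agent's `ports:` block, or if host access is genuinely needed bind it to loopback, `- "127.0.0.1:5000:5000"`; the dashboard's `"3005:3000"` deserves the same treatment, since it bypasses the TLS router this commit adds in `dynamic_config.yml`. Both images are pulled by the mutable `dev-dashboard` tag, so a `dcpull` can silently swap the code that parses an attacker-influenced log file — pin a release tag or digest. `TRAEFIK_LOG_DASHBOARD_ERROR_PATH` points at the same `access.log` as the access path, which looks like a copy-paste slip (Traefik's error output is the `log:` section, which has no `filePath` in this diff) — confirm which file was intended and say so in a comment.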
@@ -7,6 +7,7 @@ services:
 environment:
 - DATA_DIR=/data
 - TS_AUTHKEY=${TS_AUTHKEY}
+ - TSNET_FORCE_LOGIN=1
 restart: always
 labels:
 - diun.enable=true
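Review bot: `TSNET_FORCE_LOGIN=1` is added with no comment, and its effect is not obvious from the compose file; as far as I recall from tsnet, it makes the node run the auth-key login on every start even when persisted state already exists in `DATA_DIR`, so each restart re-authenticates with `TS_AUTHKEY` — verify against the tsnet source for the tclip build in use. That only behaves if the key is reusable (and, if it is ephemeral, each restart may register a fresh node), so document the expectation above the line, e.g. `# re-run the auth-key login on every start; TS_AUTHKEY must be a reusable key`, and check the key's settings in the Tailscale admin console match.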