diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml
index dd826f0..92c7ad8 100644
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@@ -6,6 +6,7 @@ services:
 user: "{{ docker_user.id }}"
 environment:
 - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
+ - GANDI_API_KEY={{ gandi_api_key }}
 volumes:
 - /tmp/traefik-logs:/var/log/traefik
 - ./traefik:/etc/traefik
diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml
index d78a853..e380d1d 100644
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@@ -61,6 +61,17 @@ certificatesResolvers:
 - 1.1.1.1:53
 - 1.0.0.1:53
+ gandi:
+ acme:
+ email: "{{ letsencrypt_email }}"
+ storage: /etc/traefik/acme.json
+ dnsChallenge:
+ provider: gandi
+ delayBeforeCheck: 0
+ resolvers:
+ - 1.1.1.1:53
+ - 1.0.0.1:53
+
 serversTransport:
 insecureSkipVerify: true
diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml
index 7393812..273ea55 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@@ -1,3 +1,6 @@
+- name: Include vault
+ include_vars: vault.yml
+
 - name: Create network
 docker_network:
 name: traefik
diff --git a/ansible/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml
index 12f39e3..a1df6d8 100644
--- a/ansible/roles/traefik/vars/main.yml
+++ b/ansible/roles/traefik/vars/main.yml
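Review bot: In docker-compose.yml the added `- GANDI_API_KEY={{ gandi_api_key }}` entry places the decrypted key in the rendered compose file and in the container environment, where it can be read with `docker inspect` and by anyone who can read that file on the host. The task that renders this file is outside the diff, so it is worth confirming that it writes the file with a restrictive mode such as `mode: "0600"` and runs with `no_log: true`. The entry is also unquoted, so a key containing ` #` or `: ` would be truncated or mis-parsed; `- "GANDI_API_KEY={{ gandi_api_key }}"` avoids that, and the existing `CF_DNS_API_TOKEN` line above it has the same two properties. As far as I know, Traefik's ACME client also accepts these variables with a `_FILE` suffix pointing at a file, which would keep the value out of the environment altogether.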
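Review bot: `provider: gandi` in the new resolver in traefik.yml selects, as I understand it, the client for Gandi's older API, while keys issued for LiveDNS (v5) belong to the separate `gandiv5` provider with `GANDIV5_API_KEY`; it is worth confirming which kind of key `vault_gandi_api_key` holds, because a mismatch only shows up as a failed DNS challenge at issuance time. The resolver writes to `storage: /etc/traefik/acme.json`, which lives in the bind-mounted `./traefik` directory and holds the ACME account key and the certificate private keys, so that file should stay at mode 0600 and out of version control. A comment above `gandi:` such as `# needs GANDI_API_KEY in the container environment (see docker-compose.yml)` would make the coupling between the two files visible.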
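Review bot: The new `Include vault` task in tasks/main.yml carries neither `tags:` nor `no_log:`. A run restricted with `--tags` skips it, and every `vault_*` reference that vars/main.yml makes after this commit would then fail as undefined; a verbose run can also print the loaded variables in the task result. Adding `tags: always` and `no_log: true` to the task covers both cases. The rest of the task list continues outside the hunk, so whether later tasks that template these secrets already set `no_log` cannot be checked from here.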
@@ -1,16 +1,3 @@
-cloudflare_api_token: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 34353463353334326561626566613464363537393238353437376463376135623831343634643735
- 6136613231333531356137326333616264663865363139630a653939343435393061666366643332
- 38646539666631646337396137376232373037643934356363666462333835643464613431346366
- 3466383231363632310a346661383838633630643236623561373962356635346162653936393562
- 32646530656632393133356436653365356163313961343837633138383561376237306638313362
- 3636373939656462613032653530643536643466363135346139
-
-letsencrypt_email: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 64373438363639363238333264313861316239383234633536326330333333386361646266396438
- 6330303063623032653066643838313931613030663931640a333839633630613936343530663666
- 62633331616264623932303031663130623135623566323964656162656265633863336333373538
- 3963303639373032620a363434643539393838303233653037383765363961373363333034343534
- 37663462663235613062633837373334366163636362386364356635313730363566
+gandi_api_key: "{{ vault_gandi_api_key }}"
+letsencrypt_email: "{{ vault_letsencrypt_email }}"
+cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
diff --git a/ansible/roles/traefik/vars/vault.yml b/ansible/roles/traefik/vars/vault.yml
new file mode 100644
index 0000000..90152b2
--- /dev/null
+++ b/ansible/roles/traefik/vars/vault.yml
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+31313232616161386566653162613930663362326333663436396238343036356262613137663233
+6534326163616236316230346334306165323532363561310a376366313063346161333265393831
+34616263323665313534656366613230356162663665326233613036326137626536316138376466
+3566386434303364620a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