diff --git a/environment/uat/docker-compose.yml b/environment/uat/docker-compose.yml index d83d3ea..97140f2 100644 --- a/environment/uat/docker-compose.yml +++ b/environment/uat/docker-compose.yml @@ -4,7 +4,7 @@ services: # Traefik reverse proxy # https://doc.traefik.io/traefik/ reverse-proxy: - image: traefik:v2.6 + image: traefik:v2.6.3 restart: unless-stopped ports: - "80:80" @@ -13,19 +13,15 @@ services: - /var/run/docker.sock:/var/run/docker.sock # See traefik/traefik.toml for static config - ./traefik:/etc/traefik -# labels: -# - "traefik.enable=true" -# # Expose traefik dashboard at https://uat.traefik.retropilot.org -# - "traefik.http.routers.dashboard.rule=Host(`uat.traefik.retropilot.org`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" -# - "traefik.http.routers.dashboard.entrypoints=websecure" -# - "traefik.http.routers.dashboard.service=api@internal" -# - "traefik.http.routers.dashboard.tls=true" -# - "traefik.http.routers.dashboard.tls.certresolver=retropilot" -# # Secure the dashboard with BasicAuth middleware -# - "traefik.http.routers.dashboard.middlewares=dashboard-auth@docker" -# # BasicAuth: username=admin, password=password -# # Generate new password: sudo apt install -y apache2-utils; echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g -# - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$iT4z7pjcdNRYU9Y89VlUUe.13TdQ9H7rBtIO6PJruuK.RAW8lvmxW" + labels: + - "traefik.enable=true" + # Expose traefik dashboard at http://localhost:8080 + - "traefik.http.routers.dashboard.rule=Host(`localhost`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" + - "traefik.http.routers.dashboard.entrypoints=dashboard" + - "traefik.http.routers.dashboard.service=api@internal" + # Secure the dashboard with IPWhiteList middleware + - "traefik.http.routers.dashboard.middlewares=dashboard-allowlist@docker" + - "traefik.http.middlewares.dashboard-allowlist.ipwhitelist.sourcerange=127.0.0.1/32" # PostgreSQL database db: 
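Review bot: The re-enabled dashboard labels drop the BasicAuth middleware and the TLS settings that the commented-out version had, so `api@internal` is now protected only by the `ipwhitelist.sourcerange=127.0.0.1/32` check on the new `dashboard` entrypoint. That entrypoint is declared as `address = ":8080"` in the traefik.toml hunk of this commit, which listens on every interface of the container, and the `ports:` list is only partly visible here, so whether 8080 is published cannot be confirmed from the hunk. If it is published, bind it to loopback on the host with `- "127.0.0.1:8080:8080"`, and check which source address Traefik actually sees: requests forwarded by Docker may arrive with the bridge gateway address rather than 127.0.0.1, in which case the allowlist would also reject the intended local user. If it is not published, the comment `# Expose traefik dashboard at http://localhost:8080` should say that the dashboard is reachable only from inside the container. Keeping an authentication middleware alongside the source-range check would avoid relying on a single network-level control for the dashboard and API.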
@@ -55,19 +51,23 @@ services: # API service forwards requests to container port 8080 - "traefik.http.services.api.loadbalancer.server.port=8080" # Expose api at https://uat.api.retropilot.org - - "traefik.http.routers.api.rule=Host(`uat.api.retropilot.org`)" + - "traefik.http.routers.api.rule=Host(`api.uat.retropilot.org`)" - "traefik.http.routers.api.entrypoints=websecure" - "traefik.http.routers.api.service=api@docker" - "traefik.http.routers.api.tls=true" - "traefik.http.routers.api.tls.certresolver=retropilot" -# # Athena service forwards requests to container port 4040 -# - "traefik.http.services.athena.loadbalancer.server.port=4040" -# # Expose athena at https://uat.athena.retropilot.org -# - "traefik.http.routers.athena.rule=Host(`uat.athena.retropilot.org`)" -# - "traefik.http.routers.athena.entrypoints=websecure" -# - "traefik.http.routers.athena.service=athena@docker" -# - "traefik.http.routers.athena.tls=true" -# - "traefik.http.routers.athena.tls.certresolver=retropilot" + + # Athena service forwards requests to container port 4040 + - "traefik.http.services.athena.loadbalancer.server.port=4040" + # Expose athena at https://uat.athena.retropilot.org + - "traefik.http.routers.athena.rule=Host(`athena.uat.retropilot.org`)" + - "traefik.http.routers.athena.entrypoints=websecure" + - "traefik.http.routers.athena.service=athena@docker" + - "traefik.http.routers.athena.tls=true" + - "traefik.http.routers.athena.tls.certresolver=retropilot" + + # Monitor for image updates and restart automatically + - "com.centurylinklabs.watchtower.enable=true" # API worker worker: 
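Review bot: The added comment `# Expose athena at https://uat.athena.retropilot.org` does not match the rule on the next line, which routes `athena.uat.retropilot.org`; the unchanged comment `# Expose api at https://uat.api.retropilot.org` has the same mismatch with the renamed `api.uat.retropilot.org` rule. Update both to the new host names, `# Expose athena at https://athena.uat.retropilot.org` and `# Expose api at https://api.uat.retropilot.org`, so the documented URLs are the ones the `retropilot` certificate resolver is expected to obtain certificates for. The service these labels belong to starts outside the hunk.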
@@ -80,10 +80,13 @@ services: - ./realdata:/realdata env_file: - .env + labels: + # Monitor for image updates and restart automatically + - "com.centurylinklabs.watchtower.enable=true" -# watchtower: -# # automatically update containers when new images are released -# image: containrrr/watchtower -# volumes: -# - /var/run/docker.sock:/var/run/docker.sock -# command: --interval 30 + watchtower: + # automatically update containers when new images are released + image: containrrr/watchtower + volumes: + - /var/run/docker.sock:/var/run/docker.sock + command: --interval 30 --label-enable diff --git a/environment/uat/traefik/traefik.toml b/environment/uat/traefik/traefik.toml index 7d14cf0..c953af2 100644 --- a/environment/uat/traefik/traefik.toml +++ b/environment/uat/traefik/traefik.toml @@ -21,6 +21,8 @@ to = "websecure" [entryPoints.websecure] address = ":443" + [entryPoints.dashboard] + address = ":8080" [certificatesResolvers] [certificatesResolvers.retropilot]
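Review bot: The re-enabled `watchtower` service uses `image: containrrr/watchtower` with no tag while mounting `/var/run/docker.sock`, so an unpinned image is given control of the Docker daemon, even though this same commit pins Traefik to `v2.6.3`. Pin it to a reviewed tag or digest, for example `image: containrrr/watchtower:<pinned-tag>`. With `--interval 30 --label-enable`, a new image pushed under the tags of the labelled services (the label added here and the one added in the API service hunk) is pulled and started within about 30 seconds without review. Those tags, and whoever can push to them, therefore become part of the UAT host's trust boundary, and a comment above the service saying so would help. The service also has no `restart:` policy, unlike `reverse-proxy`, so it presumably will not come back after a daemon restart or crash.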