diff --git a/templates/inverseproxy.yaml.j2 b/templates/inverseproxy.yaml.j2
index 2ff16b184f8ae3a15bc187c322cae1279f5b84b7..82c7a15a2d011c4b14c10ef2c03469cfc9a2d225 100644
--- a/templates/inverseproxy.yaml.j2
+++ b/templates/inverseproxy.yaml.j2
@@ -46,9 +46,17 @@ services:
             - "0.0.0.0:80:80/tcp"
             - "0.0.0.0:443:443/tcp"
             - "0.0.0.0:443:443/udp"
+{% if inventory_hostname in groups['maintenance_contract'] %}
+            - "0.0.0.0:8443:8443/tcp"
+            - "0.0.0.0:8443:8443/udp"
+{% endif %}
             - "[::]:80:80/tcp"
             - "[::]:443:443/tcp"
             - "[::]:443:443/udp"
+{% if inventory_hostname in groups['maintenance_contract'] %}
+            - "[::]:8443:8443/tcp"
+            - "[::]:8443:8443/udp"
+{% endif %}
         depends_on:
             - dockersocket
         restart: unless-stopped
diff --git a/templates/traefik.toml.j2 b/templates/traefik.toml.j2
index c1e564ae3e0711c2d340f4ba0c82025cf52e52ab..8efdd6bb0ebf0c71686059f397a2f7298e56114e 100644
--- a/templates/traefik.toml.j2
+++ b/templates/traefik.toml.j2
@@ -17,6 +17,16 @@
     [entryPoints.websecure.http3]
       advertisedPort = 443
 
+  [entryPoints.websecure_updater]
+    address = ":8443"
+    [entryPoints.websecure_updater.http]
+      middlewares = ["security-headers@file"{% if inventory_hostname not in groups.docker_tuleap | default([]) %}, "limit@file"{% endif %}, "compression@file"]
+      [entryPoints.websecure_updater.http.tls]
+        options = "default"
+        certResolver = "le"
+    [entryPoints.websecure_updater.http3]
+      advertisedPort = 8443
+
 [providers]
   [providers.docker]
     endpoint = "http://dockersocket:2375"