diff --git a/docker/compose.staging.yaml b/docker/compose.staging.yaml
index 9295f089..256079a7 100644
--- a/docker/compose.staging.yaml
+++ b/docker/compose.staging.yaml
@@ -18,9 +18,15 @@
 x-env-file-db: &env-file-db ${ARPAV_PPCV_DEPLOYMENT_ENV_FILE_DB_SERVICE:-/home/arpav/environment-files/db-service.env}
 x-env-file-legacy-db: &env-file-legacy-db ${ARPAV_PPCV_DEPLOYMENT_ENV_FILE_LEGACY_DB_SERVICE:-/home/arpav/environment-files/legacy-db-service.env}
 x-env-file-webapp: &env-file-webapp ${ARPAV_PPCV_DEPLOYMENT_ENV_FILE_WEBAPP_SERVICE:-/home/arpav/environment-files/webapp-service.env}
+x-env-file-martin: &env-file-martin ${ARPAV_PPCV_DEPLOYMENT_ENV_FILE_MARTIN_SERVICE:-/home/arpav/environment-files/martin-service.env}
 
 name: arpav-ppcv-staging
 
+networks:
+
+  front:
+  back:
+
 services:
 
   # NOTE: this traefik instance does not deal with TLS at all, as we assume there
@@ -28,19 +34,29 @@ services:
   # by the staging env
   reverse-proxy:
     command: --configFile /opt/traefik/traefik.toml
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.outside-router-arpav-backend.entrypoints=webSecure"
+      - "traefik.http.routers.outside-router-arpav-backend.tls=true"
+      - "traefik.http.routers.outside-router-arpav-backend.tls.certResolver=letsEncryptResolver"
+      - "traefik.http.routers.outside-router-arpav-backend.rule=Host(`arpav.geobeyond.dev`)"
+      - "exposed.outside=true"
+    networks:
+      - front
+      - back
     volumes:
       - type: bind
         source: /home/arpav/docker/traefik/staging-config.toml
         target: /opt/traefik/traefik.toml
 
   webapp:
+    networks:
+      - back
     env_file:
       - *env-file-webapp
     labels:
-      - "traefik.http.routers.arpav-backend.entrypoints=webSecure"
-      - "traefik.http.routers.arpav-backend.tls=true"
-      - "traefik.http.routers.arpav-backend.tls.certResolver=letsEncryptResolver"
-      - "traefik.http.routers.arpav-backend.rule=Host(`arpav.geobeyond.dev`)"
+      - "traefik.http.routers.arpav-backend.entrypoints=web"
+      - "exposed.inside=true"
     volumes:
       - type: bind
         source: $HOME/data/arpav-ppcv/datasets
@@ -51,6 +67,8 @@ services:
     restart: unless-stopped
 
   legacy-db:
+    networks:
+      - back
     env_file:
       - *env-file-legacy-db
     volumes:
@@ -58,6 +76,8 @@ services:
     restart: unless-stopped
 
   db:
+    networks:
+      - back
     env_file:
       - *env-file-db
     volumes:
@@ -65,16 +85,23 @@ services:
     restart: unless-stopped
 
   martin:
+    command: ["--config", "/martin-config.yaml"]
+    networks:
+      - back
     env_file:
-      - *env-file-webapp
+      - *env-file-martin
     labels:
-      - "traefik.http.routers.martin-router.entrypoints=webSecure"
-      - "traefik.http.routers.martin-router.tls=true"
-      - "traefik.http.routers.martin-router.tls.certResolver=letsEncryptResolver"
-      - "traefik.http.routers.martin-router.rule=Host(`arpav.geobeyond.dev`)"
+      - "traefik.http.routers.martin-router.entrypoints=web"
+      - "exposed.inside=true"
+    volumes:
+      - type: bind
+        source: /home/arpav/docker/martin/config.yaml
+        target: /martin-config.yaml
     restart: unless-stopped
 
   thredds:
+    networks:
+      - back
     image: unidata/thredds-docker:5.4
     env_file:
       - *env-file-webapp
diff --git a/docker/traefik/staging-config.toml b/docker/traefik/staging-config.toml
index 61c1a3ca..b3921bd1 100644
--- a/docker/traefik/staging-config.toml
+++ b/docker/traefik/staging-config.toml
@@ -22,3 +22,5 @@ insecure = true
 
 [providers.docker]
 exposedByDefault = false
+network = "back"
+constraints = "Label(`exposed.inside`, `true`)"