Traefik Nomad deployment with Consul Connect

I’m trying to get a Nomad deployment of Traefik with Consul Connect to work, but no rule is working.
My goal is that Traefik is deployed by nomad as a system service on every node, listening on TCP 80 / 443 / 8090. For the moment the traefik dashboard should be on 8090.
I must admit that I don’t know how to configure Traefik with Consul Connect, and I feel a bit lost. This is a test environment, and in theory this sounds like a great solution.

# Nomad system job: runs one Traefik v2.6.6 container (docker driver) on every
# client node in dc1, reserving static host ports 80, 443 and 8090.
# The dashboard/API and Prometheus metrics are routed on the "api" entrypoint (8090).
job "traefik2-b2" {
  datacenters = ["dc1"]
  type        = "system"

  group "traefik" {
    # Host-mode group network with three static port labels. These labels only
    # reserve the ports in the scheduler; the docker task below still has to
    # attach to them.
    network{
      mode = "host"
      port "http" {
        static = 80
      }
      port "https" {
        static = 443
      }
      port "api" {
        static = 8090
      }
    }

    # Plain Consul service for the HTTP entrypoint; health check and Connect
    # registration are both commented out.
    service {
      name = "traefik-web"
      port = "http"
      #check {
      #  name     = "Alive"
      #  type     = "tcp"
      #  port     = "http"
      #  interval = "10s"
      #  timeout  = "2s"
      #}
      #connect {
      #  native = true
      #}
    }

    # Plain Consul service for the HTTPS entrypoint; same as above, no check
    # and no Connect registration.
    service {
      name = "traefik-websecure"
      port = "https"
      #check {
      #  name     = "Alive"
      #  type     = "tcp"
      #  port     = "https"
      #  interval = "10s"
      #  timeout  = "2s"
      #}
      #connect {
      #  native = true
      #}
    }

    # Service for the dashboard/metrics port. Its tags carry the Traefik router
    # definitions, and it is the only service registered as Connect-native.
    service {
      name = "traefik-api"
      port = "api"
      #check {
      #  name     = "Alive"
      #  type     = "tcp"
      #  port     = "api"
      #  interval = "10s"
      #  timeout  = "2s"
      #}
      tags = [
        "traefik",
        "metrics",
        "metrics_port=8090",
        "metrics_scheme=http",
        "metrics_path=/metrics",
        # Matches the provider constraint Tag(`traefik.tags=clusterservice`)
        # passed in the task args; exposedByDefault=false makes
        # traefik.enable=true mandatory.
        "traefik.tags=clusterservice",
        "traefik.enable=true",
        #"traefik.consulcatalog.connect=false",
        # NOTE(review): the "metrics" router has no middlewares tag, so
        # /metrics on 8090 is served without the AdminAuth basic auth that
        # protects /api and /dashboard. Restrict 8090 at the network layer or
        # attach a middleware if metrics should not be world-readable.
        "traefik.http.routers.metrics.rule=PathPrefix(`/metrics`)",
        "traefik.http.routers.metrics.entrypoints=api",
        "traefik.http.routers.metrics.service=prometheus@internal",
        "traefik.http.routers.api.rule=(PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
        "traefik.http.routers.api.entrypoints=api",
        "traefik.http.routers.api.service=api@internal",
        # AdminAuth is defined in the file provider (local/dynamic.toml below).
        "traefik.http.routers.api.middlewares=AdminAuth@file"
      ]
      connect {
        native = true
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.6.6"
        # NOTE(review): host networking is commented out here and the config
        # has no `ports = ["http", "https", "api"]` list. With the docker
        # driver one of the two is presumably required for the container to
        # bind or publish the group's static ports; this would be consistent
        # with the reported "connection refused" / nothing in `ss -tlpn` —
        # confirm against the Nomad docker driver docs.
        #network_mode = "host"

        # Mounts the rendered template (see the template block) as the
        # file-provider config inside the container.
        volumes = [
          "local/dynamic.toml:/etc/traefik/dynamic.toml",
        ]

        args = [
          # Dashboard is enabled; api.insecure is not set, so it is reachable
          # only through the api@internal router defined in the service tags.
          "--api.dashboard=true",
          "--global.checkNewVersion=true",
          # Opts in to sending anonymous usage statistics to the Traefik
          # maintainers; review whether that is acceptable for this cluster.
          "--global.sendAnonymousUsage=true",
          # DEBUG logging is verbose; suitable for the test environment
          # described, lower it before production use.
          "--log.level=DEBUG",
          "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000",
          "--metrics.prometheus.manualRouting=true",
          "--metrics.prometheus.entrypoint=api",
          "--entrypoints.http.address=:80",
          "--entrypoints.https.address=:443",
          "--entrypoints.api.address=:8090",
          # Access logging is off, so the two "fields" options below have no
          # effect and requests to the dashboard leave no audit trail.
          # NOTE(review): if the access log is enabled later,
          # headers.defaultmode=keep would write request headers (including
          # Authorization) to the log; drop or redact sensitive headers.
          "--accesslog=false",
          "--accesslog.fields.defaultmode=keep",
          "--accesslog.fields.headers.defaultmode=keep",
          "--providers.file.filename=/etc/traefik/dynamic.toml",
          "--providers.file.watch=true",
          # NOTE(review): disables certificate verification for every TLS
          # connection Traefik opens to backends, so a backend cannot be
          # authenticated. Prefer trusting the backend CA
          # (serversTransport.rootCAs) over skipping verification.
          "--serversTransport.insecureSkipVerify=true",
          "--serversTransport.maxIdleConnsPerHost=0",
          # Consul catalog provider: Connect-aware, services treated as Connect
          # services by default, nothing exposed unless tagged
          # traefik.enable=true and matching the constraint.
          "--providers.consulcatalog.connectAware=true",
          "--providers.consulcatalog.connectByDefault=true",
          "--providers.consulcatalog.exposedByDefault=false",
          "--providers.consulcatalog.prefix=traefik",
          "--providers.consulcatalog.constraints=Tag(`traefik.tags=clusterservice`)",
          # Every node's Traefik talks to this one fixed Consul address over
          # HTTPS. No ACL token is passed here — presumably ACLs are disabled
          # or the token is supplied another way; verify.
          "--providers.consulcatalog.endpoint.address=node01.example.com:8501",
          "--providers.consulcatalog.endpoint.scheme=https",
          # NOTE(review): the Consul API certificate is not verified. The
          # catalog is the source of routing configuration, so an unverified
          # endpoint means the routes are only as trustworthy as the network
          # path. Prefer supplying the Consul CA (endpoint.tls.ca) instead.
          "--providers.consulcatalog.endpoint.tls.insecureskipverify=true",
        ]
      }

      # Renders the file-provider config that defines the AdminAuth basicAuth
      # middleware, and signals the task with SIGHUP when it changes.
      # NOTE(review): the file provider already watches the file
      # (providers.file.watch=true); confirm how Traefik reacts to SIGHUP
      # before relying on change_mode = "signal".
      # NOTE(review): removeHeader = false means the Authorization header is
      # passed on after authentication, and headerField puts the
      # authenticated user name into X-WebAuth-User.
      # NOTE(review): the basicAuth credential is inlined in the job spec
      # (redacted as <SECRET> in this post). Anyone able to read the job can
      # read it; consider rendering it from a secret store in the template
      # instead of hard-coding it.
      template {
        change_mode   = "signal"
        change_signal = "SIGHUP"

        data = <<EOF
# Dynamic config preparation
[http.middlewares]
  [http.middlewares.AdminAuth.basicAuth]
    removeHeader = false
    realm = "Services"
    headerField = "X-WebAuth-User"
    users = [
      "admin:<SECRET>",
    ]
EOF

        destination = "local/dynamic.toml"
      }

      # 300 MHz CPU and 128 MB memory per Traefik instance.
      resources {
        cpu    = 300
        memory = 128
      }
    }
  }
}

I must admit that I haven’t described the actual problem. So no wonder that there is no response.
I am unable to access the node port on 8090. Connection refused. Also on the host I can’t see traefik listening on any port, via “ss -tlpn”. Though a traefik container is started on every node.