diff --git a/argocd/ingress.yaml b/argocd/ingress.yaml
new file mode 100644
index 0000000..c33d569
--- /dev/null
+++ b/argocd/ingress.yaml
@@ -0,0 +1,25 @@
+# argocd-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - argocd.rogi.casa
+    secretName: argocd-tls
+  rules:
+  - host: argocd.rogi.casa
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80
diff --git a/cert-manager/cluster-issuer.yaml b/cert-manager/cluster-issuer.yaml
new file mode 100644
index 0000000..4469e37
--- /dev/null
+++ b/cert-manager/cluster-issuer.yaml
@@ -0,0 +1,15 @@
+# cluster-issuer.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: roger@ruxu.dev
+    privateKeySecretRef:
+      name: letsencrypt-prod-key
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: traefik
diff --git a/cert-manager/install.sh b/cert-manager/install.sh
new file mode 100644
index 0000000..99fd0a0
--- /dev/null
+++ b/cert-manager/install.sh
@@ -0,0 +1,2 @@
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
+kubectl wait --for=condition=available --timeout=120s deployment/cert-manager -n cert-manager
diff --git a/gitea/gitea-ingress.yaml b/gitea/gitea-ingress.yaml
new file mode 100644
index 0000000..e940f88
--- /dev/null
+++ b/gitea/gitea-ingress.yaml
@@ -0,0 +1,25 @@
+# gitea-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea
+  namespace: gitea
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - git.rogi.casa
+    secretName: gitea-tls
+  rules:
+  - host: git.rogi.casa
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gitea
+            port:
+              number: 80
diff --git a/pihole/pihole.yaml b/pihole/pihole.yaml
index 7d1cebc..4ad4607 100644
--- a/pihole/pihole.yaml
+++ b/pihole/pihole.yaml
@@ -113,7 +113,7 @@ metadata:
   labels:
     app: pihole
 spec:
-  type: LoadBalancer  # Change to NodePort or ClusterIP as needed
+  type: LoadBalancer
   ports:
   - port: 53
     targetPort: 53