diff --git a/manifests/authentik-gitea-secret.sh b/manifests/authentik-gitea-secret.sh
new file mode 100755
index 0000000..81443a4
--- /dev/null
+++ b/manifests/authentik-gitea-secret.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+source "$(dirname "$0")/../.env"
+
+kubectl create secret generic authentik-gitea-oauth \
+ --namespace gitea \
+ --from-literal=client-id="${AUTHENTIK_GITEA_CLIENT_ID}" \
+ --from-literal=client-secret="${AUTHENTIK_GITEA_CLIENT_SECRET}" \
+ --dry-run=client -o yaml | kubectl apply -f -
\ No newline at end of file
diff --git a/manifests/authentik-public-ingress.yaml b/manifests/authentik-public-ingress.yaml
new file mode 100644
index 0000000..cfc8c13
--- /dev/null
+++ b/manifests/authentik-public-ingress.yaml
@@ -0,0 +1,31 @@
+# authentik public ingress
+# Apply: kubectl apply -f manifests/authentik-public-ingress.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: authentik-public-tls
+ namespace: authentik
+spec:
+ secretName: authentik-public-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ dnsNames:
+ - auth.nik4nao.com
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: authentik-public
+ namespace: authentik
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`auth.nik4nao.com`)
+ kind: Rule
+ services:
+ - name: authentik-server
+ port: 80
+ tls:
+ secretName: authentik-public-tls
\ No newline at end of file
diff --git a/manifests/traefik-dashboard-ingress.yaml b/manifests/traefik-dashboard-ingress.yaml
index 7b96fa8..6985fe9 100644
--- a/manifests/traefik-dashboard-ingress.yaml
+++ b/manifests/traefik-dashboard-ingress.yaml
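Review bot: The final `kubectl apply -f -` stores the whole Secret, client-secret included, a second time in the `kubectl.kubernetes.io/last-applied-configuration` annotation, so the credential sits in plaintext in object metadata and appears in any `-o yaml` dump beyond the data fields. `--dry-run=client -o yaml | kubectl apply --server-side -f -` keeps the create-or-update behaviour without writing that annotation. The `--from-literal` arguments also put both values on the kubectl command line, which other local users can read from the process table while the command runs; that is acceptable on a single-operator host but worth a comment. The sourced `.env` is not checked here, so a comment such as `# expects ../.env to be readable only by the operator (0600)` would document the assumption the script relies on.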
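Review bot: The public IngressRoute for `auth.nik4nao.com` carries no `middlewares:` entry, so authentik's login and token endpoints are reachable from the internet with only the protections authentik itself applies, with no Traefik-side rate limit or security headers. Adding a `middlewares:` list on the route that references a `rateLimit` Middleware (and a `headers` one for HSTS) is the usual place for that; leaving it out is defensible only if authentik's own brute-force handling is judged sufficient. Only `websecure` is listed, which is correct, but whether plain-HTTP requests are redirected depends on entrypoint configuration not visible in this file. Style: the file starts without a `---` document marker while using `---` between its two documents.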
@@ -15,6 +15,14 @@ spec: - name: authentik-proxy-outpost namespace: authentik port: 9000 + - match: Host(`traefik.home.arpa`) && Path(`/`) + kind: Rule + middlewares: + - name: redirect-to-dashboard + namespace: traefik + services: + - name: api@internal + kind: TraefikService - match: Host(`traefik.home.arpa`) && PathPrefix(`/dashboard`) kind: Rule middlewares: @@ -34,6 +42,17 @@ spec: tls: secretName: traefik-dashboard-tls --- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: redirect-to-dashboard + namespace: traefik +spec: + redirectRegex: + regex: ^https://traefik.home.arpa/$ + replacement: https://traefik.home.arpa/dashboard/ + permanent: true +--- apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/values/gitea.yaml b/values/gitea.yaml index b90e19e..b3c4727 100644 --- a/values/gitea.yaml +++ b/values/gitea.yaml @@ -74,4 +74,23 @@ service: loadBalancerIP: 192.168.7.77 postgresql-ha: - enabled: false \ No newline at end of file + enabled: false + +deployment: + env: + - name: SSL_CERT_FILE + value: /etc/ssl/internal-ca/ca.crt + +extraVolumes: + - name: internal-ca + configMap: + name: internal-ca-cert + +extraVolumeMounts: + - name: internal-ca + mountPath: /etc/ssl/internal-ca + readOnly: true + +initPreScript: | + cp /etc/ssl/internal-ca/ca.crt /usr/local/share/ca-certificates/internal-ca.crt + update-ca-certificates \ No newline at end of file
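Review bot: The new route for the bare path `/` sends anything the `redirect-to-dashboard` middleware does not redirect straight to `api@internal`, and the Middleware added in the second hunk (`regex: ^https://traefik.home.arpa/$`) is applied to the complete request URL, so a request with a query string or an explicit port in the Host header leaves the regex unmatched and falls through to the API service without the middlewares that the `/dashboard` route carries (that list, like the start of `spec.routes`, lies outside the hunk). Either give this route the same middleware chain ahead of the redirect, or make the redirect unconditional for the route, for example `regex: ^https://traefik\.home\.arpa/(\?.*)?$`; escaping the dots at the same time is cheap. Because `api@internal` reveals the router and service configuration to anything that reaches it, the fall-through is the part to close.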
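Review bot: As far as I know the Gitea chart runs `initPreScript` inside its init container, whose root filesystem is not shared with the gitea container, so the `cp` into `/usr/local/share/ca-certificates` and the `update-ca-certificates` call never affect the process that makes the TLS connections; only the `SSL_CERT_FILE` variable has an effect there. That variable has the opposite problem: Go reads `SSL_CERT_FILE` as the sole CA file, and `/etc/ssl/internal-ca/ca.crt` contains just the internal CA, so public roots stay trusted only through whatever the image keeps in the default cert directories, and outbound TLS to webhooks, mirrors or package registries may start failing depending on the base image layout. A more robust shape is to ship a full bundle, internal CA plus public roots, in the ConfigMap and point `SSL_CERT_FILE` at that, then drop the `initPreScript` block. A comment on the env entry such as `# SSL_CERT_FILE replaces the CA file Go would otherwise use; keep this a full bundle` would spare the next reader the same investigation.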