diff --git a/apps/adguard/deployment.yaml b/apps/adguard/deployment.yaml index 454774d..1371ce6 100644 --- a/apps/adguard/deployment.yaml +++ b/apps/adguard/deployment.yaml @@ -28,7 +28,7 @@ spec: env: - name: TZ value: Europe/Berlin - image: adguard/adguardhome:v0.107.7 + image: adguard/adguardhome:v0.107.41 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 diff --git a/apps/adguard/ingress.yaml b/apps/adguard/ingress.yaml index d0ed6b6..4a60da7 100644 --- a/apps/adguard/ingress.yaml +++ b/apps/adguard/ingress.yaml @@ -1,42 +1,15 @@ -# apiVersion: traefik.containo.us/v1alpha1 -# kind: Middleware -# metadata: -# name: authentik-auth -# namespace: adguard -# spec: -# forwardAuth: -# address: https://adguard.kluster.moll.re/outpost.goauthentik.io/auth/traefik -# trustForwardHeader: true -# authResponseHeaders: -# - X-authentik-username -# - X-authentik-groups -# - X-authentik-email -# - X-authentik-name -# - X-authentik-uid -# - X-authentik-jwt -# - X-authentik-meta-jwks -# - X-authentik-meta-outpost -# - X-authentik-meta-provider -# - X-authentik-meta-app -# - X-authentik-meta-version - -# --- - apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute +kind: IngressRouteTCP metadata: - name: adguard-ingress + name: adguard-tls-ingress namespace: adguard spec: entryPoints: - - websecure + - dnsovertls routes: - - match: Host(`adguard.kluster.moll.re`) - kind: Rule - # middlewares: - # - name: authentik-auth + - match: HostSNI(`adguard.kluster.moll.re`) services: - - name: adguard-home - port: 3000 + - name: adguard-adguard-home-dns-tcp + port: 53 tls: certResolver: default-tls diff --git a/infrastructure/traefik-system/config.values.yaml b/infrastructure/traefik-system/config.values.yaml deleted file mode 100644 index bd209f7..0000000 --- a/infrastructure/traefik-system/config.values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -name: traefik -chart: traefik/traefik \ No newline at end of file 
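Review bot: The new `IngressRouteTCP` in apps/adguard/ingress.yaml terminates TLS at Traefik and forwards plain DNS to `adguard-adguard-home-dns-tcp` on port 53 with no client restriction on the route, and the values.yaml hunk publishes the same entry point with `expose: true`. If port 853 is reachable from outside the trusted network, the resolver answers anyone. Because Traefik is the TCP peer, AdGuard will presumably see every query as coming from the proxy, so its own per-client access lists, rate limits and query log cannot tell clients apart. Consider attaching a `MiddlewareTCP` IP allow-list under the route's `middlewares:` (or restricting the Service's source ranges), and add a comment above `routes:` stating who is meant to reach this endpoint. The hunk also drops the `websecure` route to port 3000, so it is worth confirming that the web UI is intentionally no longer routed.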
diff --git a/infrastructure/traefik-system/configmap.yml b/infrastructure/traefik-system/configmap.yaml similarity index 95% rename from infrastructure/traefik-system/configmap.yml rename to infrastructure/traefik-system/configmap.yaml index 3123b0c..35b0220 100644 --- a/infrastructure/traefik-system/configmap.yml +++ b/infrastructure/traefik-system/configmap.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: traefik-config - namespace: traefik-system data: traefik.toml: | [ping] @@ -69,6 +68,8 @@ data: address = ":9100" [entryPoints.traefik] address = ":9000" + [entryPoints.dnsovertls] # route dns over https to other pods but provide own certificate + address = ":853" [metrics] [metrics.influxDB2] diff --git a/infrastructure/traefik-system/kustomization.yaml b/infrastructure/traefik-system/kustomization.yaml new file mode 100644 index 0000000..5782bb4 --- /dev/null +++ b/infrastructure/traefik-system/kustomization.yaml @@ -0,0 +1,20 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - pvc.yaml + - configmap.yaml + +namespace: traefik-system + +helmCharts: + - name: traefik + releaseName: traefik + version: 26.0.0 + valuesFile: values.yaml + repo: https://helm.traefik.io/traefik + # - name: telegraf + # releaseName: telegraf? + # version: "?" + # valuesFile: telegraf.values.yaml + # repo: https://helm.influxdata.com/ diff --git a/infrastructure/traefik-system/namespace.yaml b/infrastructure/traefik-system/namespace.yaml new file mode 100644 index 0000000..0a074bd --- /dev/null +++ b/infrastructure/traefik-system/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: placeholder diff --git a/infrastructure/traefik-system/pvc.yaml b/infrastructure/traefik-system/pvc.yaml index 5fb040b..3f3ad7e 100644 --- a/infrastructure/traefik-system/pvc.yaml +++ b/infrastructure/traefik-system/pvc.yaml 
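Review bot: The inline comment on the added `[entryPoints.dnsovertls]` line in configmap.yaml says "dns over https", but the entry point name and the address `:853` are DNS-over-TLS, which will mislead whoever later adds a real DoH route. Suggested wording: `# DNS-over-TLS: Traefik terminates TLS with its own certificate and forwards plain DNS over TCP to the backend`. It would read better on its own line above the table header than trailing it.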
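Review bot: In infrastructure/traefik-system/kustomization.yaml the `helmCharts` entry has no `namespace:` of its own, so the chart is presumably rendered with Helm's default release namespace and only afterwards rewritten by the top-level `namespace: traefik-system` transformer. Anything the chart derives from the release namespace outside `metadata.namespace` (RBAC subjects, generated arguments) may then not point at `traefik-system`; adding `namespace: traefik-system` to the chart entry removes that doubt. Separately, `version: 26.0.0` is safer quoted as `"26.0.0"`, and the commented-out telegraf stanza with `?` placeholders would be clearer as a single TODO comment.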
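Review bot: namespace.yaml declares a Namespace literally named `placeholder`, which only becomes `traefik-system` if the `namespace:` field in kustomization.yaml rewrites it at build time; applied on its own, the file creates a stray namespace. A one-line comment such as `# name is replaced by the namespace: field in kustomization.yaml` would make that dependency explicit, or the real name could simply be written here.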
@@ -1,13 +1,10 @@ apiVersion: v1 kind: PersistentVolume metadata: - namespace: traefik-system name: traefik-certificate spec: - # storageClassName: fast capacity: storage: "10Mi" - # volumeMode: Filesystem accessModes: - ReadWriteOnce nfs: @@ -17,10 +14,8 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - namespace: traefik-system name: traefik-certificate spec: - # storageClassName: fast accessModes: - ReadWriteOnce resources: diff --git a/infrastructure/traefik-system/telegraf.config.values.yaml b/infrastructure/traefik-system/telegraf.config.values.yaml deleted file mode 100644 index a1eec38..0000000 --- a/infrastructure/traefik-system/telegraf.config.values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -name: telegraf-traefik -chart: influxdata/telegraf \ No newline at end of file diff --git a/infrastructure/traefik-system/values.yaml b/infrastructure/traefik-system/values.yaml index 8e9e637..f75c3a5 100644 --- a/infrastructure/traefik-system/values.yaml +++ b/infrastructure/traefik-system/values.yaml @@ -1,11 +1,3 @@ -# Default values for Traefik -image: - name: traefik - # defaults to appVersion - tag: "" - pullPolicy: IfNotPresent - - # # Configure the deployment # @@ -158,12 +150,6 @@ volumes: [] # name: traefik-config -# - name: public-cert -# mountPath: "/certs" -# type: secret -# - name: '{{ printf "%s-configs" .Release.Name }}' -# mountPath: "/config" -# type: configMap # Additional volumeMounts to add to the Traefik container additionalVolumeMounts: 
@@ -192,24 +178,17 @@ additionalArguments: [] env: - name: TZ value: "Europe/Berlin" -# - name: SOME_VAR -# value: some-var-value -# - name: SOME_VAR_FROM_CONFIG_MAP -# valueFrom: -# configMapRef: -# name: configmap-name -# key: config-key -# - name: SOME_SECRET -# valueFrom: -# secretKeyRef: -# name: secret-name -# key: secret-key - # Configure ports -ports: {} # leave unconfigured to use the values from the toml file +ports: + # add a new one, the other ones are kept the same. + dnsovertls: + port: 853 + expose: true + exposedPort: 853 + protocol: TCP envFrom: [] diff --git a/kluster-deployments/kustomization.yaml b/kluster-deployments/kustomization.yaml index 056da08..d6f2d4c 100644 --- a/kluster-deployments/kustomization.yaml +++ b/kluster-deployments/kustomization.yaml @@ -5,10 +5,14 @@ namespace: argocd resources: + # infrastructure - projects.yaml - nfs/ - backup/ - argocd-imageupdate/ + - traefik/ + + # simple apps - whoami/ - journal/ - immich/ diff --git a/kluster-deployments/traefik/application.yaml b/kluster-deployments/traefik/application.yaml new file mode 100644 index 0000000..ed074c0 --- /dev/null +++ b/kluster-deployments/traefik/application.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik-application + namespace: argocd + +spec: + project: infrastructure + source: + repoURL: https://github.com/moll-re/k3s-infra.git + targetRevision: main + path: infrastructure/traefik-system + destination: + server: https://kubernetes.default.svc + namespace: traefik-system + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/kluster-deployments/traefik/kustomization.yaml b/kluster-deployments/traefik/kustomization.yaml new file mode 100644 index 0000000..977dcfe --- /dev/null +++ b/kluster-deployments/traefik/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - application.yaml
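Review bot: The `dnsovertls` entry point is now declared in two places, here under `ports:` in values.yaml and as `[entryPoints.dnsovertls]` in the traefik.toml ConfigMap, while the removed comment said `ports` was left unconfigured so that the toml file applies. Which source Traefik honours is not visible in this diff, so the two definitions can drift without anyone noticing. The new comment would be more useful as `# must match [entryPoints.dnsovertls] in configmap.yaml; the chart's default ports are unchanged`, and `expose: true` deserves a short note on where port 853 is meant to be reachable from.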
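Review bot: kluster-deployments/traefik/application.yaml syncs the cluster's ingress controller automatically from the mutable `main` branch with `prune: true` and `selfHeal: true`, so any push to that branch reaches the TLS-terminating proxy without a further gate, and a render that yields fewer resources deletes the missing ones. The same path contains the `traefik-certificate` PV/PVC; annotating those with `argocd.argoproj.io/sync-options: Prune=false` would keep the certificate store out of automatic pruning. If tracking `main` is intended, a comment above `targetRevision:` naming the control that protects the branch would document the trust assumption.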