diff --git a/apps/base/traefik/kustomization.yaml b/apps/base/traefik/kustomization.yaml
deleted file mode 100644
index 056e8a3..0000000
--- a/apps/base/traefik/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - rbac.yaml
- - traefik.yaml
- - svc.yaml
diff --git a/apps/production/cert-manager/certificates/fascinated-cc.yml b/apps/production/cert-manager/certificates/fascinated-cc.yml
new file mode 100644
index 0000000..45dd1e1
--- /dev/null
+++ b/apps/production/cert-manager/certificates/fascinated-cc.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: fascinated-cc
+ namespace: traefik
+spec:
+ secretName: fascinated-cc
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "*.fascinated.cc"
+ dnsNames:
+ - "fascinated.cc"
+ - "*.fascinated.cc"
diff --git a/apps/production/cert-manager/certificates/local-fascinated-cc.yml b/apps/production/cert-manager/certificates/local-fascinated-cc.yml
new file mode 100644
index 0000000..af9dc2b
--- /dev/null
+++ b/apps/production/cert-manager/certificates/local-fascinated-cc.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: local-fascinated-cc
+ namespace: traefik
+spec:
+ secretName: local-fascinated-cc
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "*.local.fascinated.cc"
+ dnsNames:
+ - "*.local.fascinated.cc"
diff --git a/apps/production/cert-manager/certificates/mcutils-xyz.yml b/apps/production/cert-manager/certificates/mcutils-xyz.yml
new file mode 100644
index 0000000..a955591
--- /dev/null
+++ b/apps/production/cert-manager/certificates/mcutils-xyz.yml
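Review bot: `namespace: traefik` in fascinated-cc.yml does not match the namespace Traefik is deployed into; apps/production/traefik/kustomization.yaml in this same diff declares `namespace: traefik-production`. cert-manager writes the `secretName` Secret into the Certificate's own namespace, and a TLS Secret is only usable by workloads and routes in that namespace, so the wildcard key pair would be issued somewhere the ingress controller does not read. If Traefik is the intended consumer, the line should read `namespace: traefik-production`. local-fascinated-cc.yml and mcutils-xyz.yml carry the same value and need the same change.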
@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mcutils-xyz
+ namespace: traefik
+spec:
+ secretName: mcutils-xyz
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "*.mcutils.xyz"
+ dnsNames:
+ - "mcutils.xyz"
+ - "*.mcutils.xyz"
diff --git a/apps/production/cert-manager/issuer.yml b/apps/production/cert-manager/issuer.yml
new file mode 100644
index 0000000..e9a4f7c
--- /dev/null
+++ b/apps/production/cert-manager/issuer.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+ namespace: cert-manager
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: liam@fascinated.cc
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ cloudflare:
+ email: liam@fascinated.cc
+ apiTokenSecretRef:
+ name: cloudflare-token-secret
+ key: cloudflare-token
+ selector:
+ dnsZones:
+ - "fascinated.cc"
+ - "mcutils.xyz"
diff --git a/apps/production/cert-manager/kustomization.yaml b/apps/production/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..e95818b
--- /dev/null
+++ b/apps/production/cert-manager/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+ - namespace.yaml
+ - certificates/*.yaml
+ - issuers.yaml
diff --git a/apps/production/cert-manager/namespace.yaml b/apps/production/cert-manager/namespace.yaml
new file mode 100644
index 0000000..6bc19f4
--- /dev/null
+++ b/apps/production/cert-manager/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
diff --git a/apps/production/traefik/kustomization.yaml b/apps/production/traefik/kustomization.yaml
index 00f9e9a..32d350d 100644
--- a/apps/production/traefik/kustomization.yaml
+++ b/apps/production/traefik/kustomization.yaml
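Review bot: `namespace: cert-manager` under `metadata` in issuer.yml has no effect, because ClusterIssuer is cluster-scoped, and it obscures where the two referenced Secrets have to live. For a ClusterIssuer, cert-manager resolves `privateKeySecretRef` and `apiTokenSecretRef` in its cluster resource namespace (by default the namespace cert-manager itself runs in). `cloudflare-token-secret` is not created anywhere in this diff, so it is presumably provisioned out of band. I would drop the `namespace` line and add above `apiTokenSecretRef` a comment such as `# Secret must exist in cert-manager's cluster resource namespace; token scoped to Zone:DNS:Edit and Zone:Zone:Read on fascinated.cc and mcutils.xyz only`. Keeping the token limited to those two zones bounds what a leak of this Secret can change in the Cloudflare account.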
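Review bot: The `resources` list in cert-manager/kustomization.yaml names files this commit does not add, so the build will most likely fail and neither the issuer nor any certificate gets applied. kustomize does not expand globs in `resources`, the certificate files are added with a `.yml` extension rather than `.yaml`, and `issuers.yaml` does not match the added `issuer.yml`. Separately, the top-level `namespace: cert-manager` rewrites the namespace of every namespaced resource listed here, so the `namespace: traefik` written in the three Certificate files would be replaced and their Secrets issued into `cert-manager`. Listing the files explicitly, as below, fixes the first problem; the second needs either the Certificates moved into the kustomization of the namespace that consumes them, or the `namespace:` line removed here.

```yaml
resources:
  - namespace.yaml
  - certificates/fascinated-cc.yml
  - certificates/local-fascinated-cc.yml
  - certificates/mcutils-xyz.yml
  - issuer.yml
```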
@@ -4,7 +4,6 @@ kind: Kustomization
 namespace: traefik-production
 resources:
 - namespace.yaml
- - ../../base/traefik
-
-patchesStrategicMerge:
- - traefik-patch.yaml
+ - rbac.yaml
+ - traefik.yaml
+ - service.yaml
diff --git a/apps/base/traefik/rbac.yaml b/apps/production/traefik/rbac.yaml
similarity index 100%
rename from apps/base/traefik/rbac.yaml
rename to apps/production/traefik/rbac.yaml
diff --git a/apps/base/traefik/svc.yaml b/apps/production/traefik/service.yaml
similarity index 93%
rename from apps/base/traefik/svc.yaml
rename to apps/production/traefik/service.yaml
index 725f450..56a089e 100644
--- a/apps/base/traefik/svc.yaml
+++ b/apps/production/traefik/service.yaml
@@ -12,7 +12,6 @@ spec:
 app.kubernetes.io/name: traefik
 type: LoadBalancer
 loadBalancerIP: 10.0.69.250
- externalTrafficPolicy: Local
 ports:
 - port: 80
 name: web
diff --git a/apps/production/traefik/traefik-patch.yaml b/apps/production/traefik/traefik-patch.yaml
deleted file mode 100644
index 2b3de6a..0000000
--- a/apps/production/traefik/traefik-patch.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: traefik
-spec:
- template:
- spec:
- containers:
- - name: traefik
- args:
- - "--entryPoints.web.address=:8000/tcp"
- - "--entryPoints.websecure.address=:8443/tcp"
- - "--ping=true"
- - "--global.sendanonymoususage=false"
- - "--global.checknewversion=false"
- - "--serversTransport.insecureSkipVerify=true"
- - "--log.level=INFO"
- - "--providers.kubernetescrd"
- - "--providers.kubernetescrd.allowCrossNamespace=true"
- - "--providers.kubernetescrd.allowExternalNameServices=true"
- - "--providers.kubernetesingress.allowCrossNamespace=true"
- - "--providers.kubernetesingress.allowExternalNameServices=true"
diff --git a/apps/base/traefik/traefik.yaml b/apps/production/traefik/traefik.yaml
similarity index 79%
rename from apps/base/traefik/traefik.yaml
rename to apps/production/traefik/traefik.yaml
index f7a2250..d13764c 100644
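Review bot: With `externalTrafficPolicy: Local` removed from service.yaml, the LoadBalancer Service falls back to the default `Cluster` policy, under which kube-proxy may forward through another node and rewrite the source address. Traefik then sees a node IP as the client, so its access logs and any IP allow-list or rate-limit middleware keyed on the client address stop reflecting the real caller. The commit message gives no reason for the removal, so it may be a side effect of the file move. If client IPs matter here, keep `externalTrafficPolicy: Local` after `loadBalancerIP`; otherwise a comment such as `# Cluster policy on purpose: source IPs are not used downstream` would record the decision. The Service spec starts above the hunk, so other fields were not reviewed.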
--- a/apps/base/traefik/traefik.yaml
+++ b/apps/production/traefik/traefik.yaml
@@ -26,11 +26,16 @@ spec:
 args:
 - "--entryPoints.web.address=:8000/tcp"
 - "--entryPoints.websecure.address=:8443/tcp"
- - "--api=true"
- - "--api.dashboard=true"
 - "--ping=true"
+ - "--global.sendanonymoususage=false"
+ - "--global.checknewversion=false"
+ - "--serversTransport.insecureSkipVerify=true"
+ - "--log.level=INFO"
 - "--providers.kubernetescrd"
 - "--providers.kubernetescrd.allowCrossNamespace=true"
+ - "--providers.kubernetescrd.allowExternalNameServices=true"
+ - "--providers.kubernetesingress.allowCrossNamespace=true"
+ - "--providers.kubernetesingress.allowExternalNameServices=true"
 readinessProbe:
 httpGet:
 path: /ping
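Review bot: `--serversTransport.insecureSkipVerify=true` in the traefik.yaml args turns off certificate verification for every HTTPS backend Traefik proxies to, so the proxy cannot tell a genuine upstream from one that is impersonating it. I would drop the global flag and attach a `ServersTransport` resource carrying the backend's CA (or `insecureSkipVerify` for that one backend) only to the services that use self-signed certificates. The same hunk enables `allowCrossNamespace` together with `allowExternalNameServices`, which lets a route created in any namespace point at Services elsewhere in the cluster or at arbitrary external hostnames; that is worth restricting unless every namespace is equally trusted. I also could not confirm that the Ingress provider has an `allowCrossNamespace` option, and Traefik rejects unknown flags at start-up, so check that the pod comes up with `--providers.kubernetesingress.allowCrossNamespace=true`. The container spec begins above the hunk.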