diff --git a/clusters/cl01tl/applications/vikunja/Chart.yaml b/clusters/cl01tl/applications/vikunja/Chart.yaml
index 2b7ac5d51..d889f7fdc 100644
--- a/clusters/cl01tl/applications/vikunja/Chart.yaml
+++ b/clusters/cl01tl/applications/vikunja/Chart.yaml
@@ -13,6 +13,14 @@ dependencies:
   - name: redis
     version: 19.5.0
     repository: https://charts.bitnami.com/bitnami
+  - name: app-template
+    alias: cloudflared-api
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.2.1
+  - name: app-template
+    alias: cloudflared-front
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.2.1
   - name: postgres-cluster
     alias: postgres-16-cluster
     version: 3.1.0
diff --git a/clusters/cl01tl/applications/vikunja/templates/external-secret.yaml b/clusters/cl01tl/applications/vikunja/templates/external-secret.yaml
index b6e1d8ade..460a6c8d5 100644
--- a/clusters/cl01tl/applications/vikunja/templates/external-secret.yaml
+++ b/clusters/cl01tl/applications/vikunja/templates/external-secret.yaml
@@ -4,7 +4,7 @@ metadata:
   name: vikunja-config-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/name: vikunja-config-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
@@ -18,14 +18,14 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /vikunja/config
+        key: /cl01tl/vikunja/config
         metadataPolicy: None
         property: config.yml
     - secretKey: redis-password
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /vikunja/config
+        key: /cl01tl/vikunja/config
         metadataPolicy: None
         property: redis-password
 
diff --git a/clusters/cl01tl/applications/vikunja/values.yaml b/clusters/cl01tl/applications/vikunja/values.yaml
index ca35a74b0..818db7f79 100644
--- a/clusters/cl01tl/applications/vikunja/values.yaml
+++ b/clusters/cl01tl/applications/vikunja/values.yaml
@@ -18,23 +18,10 @@ vikunja:
         enabled: false
     ingress:
       main:
-        enabled: true
-        className: traefik
-        annotations:
-          cert-manager.io/cluster-issuer: letsencrypt-issuer
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-          traefik.ingress.kubernetes.io/router.tls: "true"
-        hosts:
-          - host: vikunja.alexlebens.net
-            paths:
-              - path: /api/v1/
-        tls:
-          - hosts:
-              - vikunja.alexlebens.net
-            secretName: vikunja-secret-tls
+        enabled: false
     env:
-      VIKUNJA_SERVICE_FRONTENDURL: https://vikunja.alexlebens.net
-      VIKUNJA_SERVICE_ENABLEREGISTRATION: "true"
+      VIKUNJA_SERVICE_FRONTENDURL: https://vikunja.alexlebens.dev
+      VIKUNJA_SERVICE_ENABLEREGISTRATION: "false"
       VIKUNJA_SERVICE_TIMEZONE: US/Central
       VIKUNJA_REDIS_ENABLED: "true"
       VIKUNJA_REDIS_HOST: vikunja-redis-headless:6379
@@ -69,23 +56,10 @@ vikunja:
       repository: vikunja/frontend
       tag: 0.22.1
     env:
-      VIKUNJA_API_URL: https://vikunja.alexlebens.net/api/v1/
+      VIKUNJA_API_URL: https://vikunja-api.alexlebens.dev/api/v1/
     ingress:
       main:
-        enabled: true
-        className: traefik
-        annotations:
-          cert-manager.io/cluster-issuer: letsencrypt-issuer
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-          traefik.ingress.kubernetes.io/router.tls: "true"
-        hosts:
-          - host: vikunja.alexlebens.net
-            paths:
-              - path: /
-        tls:
-          - hosts:
-              - vikunja.alexlebens.net
-            secretName: vikunja-secret-tls
+        enabled: false
   postgresql:
     enabled: false
   redis:
@@ -98,6 +72,64 @@ redis:
     enabled: true
     existingSecret: vikunja-config-secret
     existingSecretPasswordKey: redis-password
+cloudflared-api:
+  global:
+    nameOverride: cloudflared-api
+  controllers:
+    main:
+      type: deployment
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: cloudflare/cloudflared
+            tag: "2024.5.0"
+            pullPolicy: IfNotPresent
+          args:
+            - tunnel
+            - --no-autoupdate
+            - run
+            - --token
+            - $(CF_MANAGED_TUNNEL_TOKEN)
+          env:
+            - name: CF_MANAGED_TUNNEL_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: vikunja-api-cloudflared-secret
+                  key: cf-tunnel-token
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+cloudflared-front:
+  global:
+    nameOverride: cloudflared-front
+  controllers:
+    main:
+      type: deployment
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: cloudflare/cloudflared
+            tag: "2024.5.0"
+            pullPolicy: IfNotPresent
+          args:
+            - tunnel
+            - --no-autoupdate
+            - run
+            - --token
+            - $(CF_MANAGED_TUNNEL_TOKEN)
+          env:
+            - name: CF_MANAGED_TUNNEL_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: vikunja-front-cloudflared-secret
+                  key: cf-tunnel-token
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi              
 postgres-16-cluster:
   mode: standalone
   kubernetesClusterName: cl01tl