diff --git a/clusters/cl01tl/platform/gitea/templates/tcp-route.yaml b/clusters/cl01tl/platform/gitea/templates/tcp-route.yaml
new file mode 100644
index 000000000..8178d57b1
--- /dev/null
+++ b/clusters/cl01tl/platform/gitea/templates/tcp-route.yaml
@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: tcp-route-gitea-ssh
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: tcp-route-gitea-ssh
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: gitea-ssh
+ port: 2222
+ weight: 100
diff --git a/clusters/cl01tl/services/traefik/values.yaml b/clusters/cl01tl/services/traefik/values.yaml
index a01acc51f..e74eb2764 100644
--- a/clusters/cl01tl/services/traefik/values.yaml
+++ b/clusters/cl01tl/services/traefik/values.yaml
@@ -27,6 +27,11 @@ traefik:
 name: websecure-gateway-cert
 namespace: traefik
 mode: Terminate
+ ssh:
+ port: 2222
+ hostname: "*.alexlebens.net"
+ protocol: TCP
+ namespacePolicy: All
 ingressRoute:
 dashboard:
 enabled: true
@@ -38,9 +43,6 @@ traefik:
 allowEmptyServices: true
 kubernetesIngress:
 enabled: false
- allowEmptyServices: true
- publishedService:
- enabled: true
 kubernetesGateway:
 enabled: true
 experimentalChannel: true
@@ -54,7 +56,7 @@ traefik:
 serviceMonitor:
 enabled: true
 prometheusRule:
- enabled: false
+ enabled: true
 globalArguments: []
 ports:
 web:
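Review bot: The `matches` block under `rules` in tcp-route.yaml (a `path` match of type `PathPrefix`) is an HTTPRoute construct; a TCPRoute rule in `gateway.networking.k8s.io/v1alpha2` carries only `backendRefs`, so these four lines are either rejected by validation or dropped without effect and should be removed. The `parentRefs` entry also names no listener: adding `sectionName: ssh` (assuming the listener added to the Traefik values in this commit is named `ssh`) binds the route to that one listener instead of to whichever listeners on `traefik-gateway` accept it. Separately, the templated label values are unquoted, so a numeric-looking app version would render as a non-string label; `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` avoids that.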
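Review bot: `namespacePolicy: All` on the new `ssh` entry in the `@@ -27,6 +27,11 @@` hunk of values.yaml lets a TCPRoute from any namespace attach to port 2222, so whoever can create routes in any namespace could bind a backend to the shared SSH port; if the chart version in use supports a narrower policy, restrict it to the namespace Gitea is released into. The `hostname: "*.alexlebens.net"` line adds no restriction either, since plain TCP carries no hostname to match on and the Gateway API has implementations ignore the field for such protocols, so it reads as a filter that is not there. I would drop the hostname and add a comment such as `# raw TCP listener for Gitea SSH; no hostname matching applies`. The mapping this entry belongs to starts above the hunk, so its nesting is inferred from the context lines.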
@@ -102,6 +104,27 @@ traefik:
 insecure: false
 tls:
 enabled: true
+ ssh:
+ port: 2222
+ expose:
+ default: true
+ exposedPort: 22
+ forwardedHeaders:
+ trustedIPs:
+ - 10.0.0.0/8
+ - 172.16.0.0/16
+ - 192.168.0.0/16
+ - fc00::/7
+ insecure: false
+ proxyProtocol:
+ trustedIPs:
+ - 10.0.0.0/8
+ - 172.16.0.0/16
+ - 192.168.0.0/16
+ - fc00::/7
+ insecure: false
+ tls:
+ enabled: true
 metrics:
 expose:
 default: false
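Review bot: The `proxyProtocol.trustedIPs` list on the new `ssh` entry point trusts PROXY-protocol headers from all of `10.0.0.0/8`, `192.168.0.0/16` and `fc00::/7`, so any host or pod in those ranges that can reach port 2222 can present an arbitrary client address to Traefik, which weakens source-IP logging and any IP-based limiting for SSH. Listing only the load balancer address(es) that actually front this port would be tighter. `forwardedHeaders` and `tls.enabled: true` look copied from an HTTP entry point: forwarded headers are an HTTP concept and SSH does not speak TLS, so both are likely inert here and worth removing or annotating with a comment. `172.16.0.0/16` is also narrower than the RFC 1918 block `172.16.0.0/12`, which is worth confirming as intended. The `ports` mapping this entry sits in begins outside the hunk.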