diff --git a/clusters/cl01tl/services/traefik/Chart.yaml b/clusters/cl01tl/services/traefik/Chart.yaml
new file mode 100644
index 000000000..f02ce9bd1
--- /dev/null
+++ b/clusters/cl01tl/services/traefik/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: traefik
+version: 1.0.0
+description: Traefik
+keywords:
+ - traefik
+ - reverse-proxy
+ - tls
+ - kubernetes
+home: https://wiki.alexlebens.dev/doc/traefik-nMRQxYCVUF
+sources:
+ - https://github.com/traefik/traefik
+ - https://github.com/traefik/traefik-helm-chart
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: traefik
+ version: 30.0.2
+ repository: https://traefik.github.io/charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/traefik.png
+appVersion: v3.0.3
diff --git a/clusters/cl01tl/services/traefik/templates/certificate.yaml b/clusters/cl01tl/services/traefik/templates/certificate.yaml
new file mode 100644
index 000000000..53b030523
--- /dev/null
+++ b/clusters/cl01tl/services/traefik/templates/certificate.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: traefik-certificate
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretName: traefik-secret-tls
+ dnsNames:
+ - "alexlebens.net"
+ - "*.alexlebens.net"
+ issuerRef:
+ name: letsencrypt-issuer
+ kind: ClusterIssuer
diff --git a/clusters/cl01tl/services/traefik/values.yaml b/clusters/cl01tl/services/traefik/values.yaml
new file mode 100644
index 000000000..d2717df6c
--- /dev/null
+++ b/clusters/cl01tl/services/traefik/values.yaml
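Review bot: The Certificate in templates/certificate.yaml writes the private key for `alexlebens.net` and `*.alexlebens.net` into `traefik-secret-tls` without any `privateKey` settings, so whether the key is reused across renewals depends on the default of the installed cert-manager version. Because that single key covers every subdomain, I would state the policy explicitly under `spec`: `privateKey:` with `rotationPolicy: Always`. Separately, the label values are unquoted templates; `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` keeps a numeric-looking appVersion from rendering as a non-string label value.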
@@ -0,0 +1,88 @@
+traefik:
+ deployment:
+ kind: DaemonSet
+ ingressClass:
+ enabled: true
+ isDefaultClass: true
+ ingressRoute:
+ dashboard:
+ enabled: true
+ matchRule: (Host(`traefik-cl01tl.alexlebens.net`) && (PathPrefix(`/api/`) || PathPrefix(`/dashboard/`)))
+ entryPoints: ["websecure"]
+ providers:
+ kubernetesCRD:
+ allowCrossNamespace: true
+ allowEmptyServices: true
+ kubernetesIngress:
+ allowEmptyServices: true
+ publishedService:
+ enabled: true
+ metrics:
+ prometheus:
+ service:
+ enabled: true
+ disableAPICheck:
+ serviceMonitor:
+ enabled: true
+ prometheusRule:
+ enabled: false
+ globalArguments: []
+ ports:
+ web:
+ expose:
+ default: true
+ exposedPort: 80
+ redirectTo:
+ port: websecure
+ priority: 10
+ forwardedHeaders:
+ trustedIPs:
+ - 10.0.0.0/8
+ - 172.16.0.0/16
+ - 192.168.0.0/16
+ - fc00::/7
+ insecure: false
+ proxyProtocol:
+ trustedIPs:
+ - 10.0.0.0/8
+ - 172.16.0.0/16
+ - 192.168.0.0/16
+ - fc00::/7
+ insecure: false
+ websecure:
+ port: 8443
+ expose:
+ default: true
+ exposedPort: 443
+ forwardedHeaders:
+ trustedIPs:
+ - 10.0.0.0/8
+ - 172.16.0.0/16
+ - 192.168.0.0/16
+ - fc00::/7
+ insecure: false
+ proxyProtocol:
+ trustedIPs:
+ - 10.0.0.0/8
+ - 172.16.0.0/16
+ - 192.168.0.0/16
+ - fc00::/7
+ insecure: false
+ tls:
+ enabled: true
+ metrics:
+ expose:
+ default: false
+ tlsStore:
+ default:
+ defaultCertificate:
+ secretName: traefik-secret-tls
+ service:
+ enabled: true
+ type: LoadBalancer
+ annotations:
+ metallb.universe.tf/allow-shared-ip: "external"
+ externalIPs:
+ - 192.168.1.17
+ - 192.168.1.16
+ - 192.168.1.15
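Review bot: `ingressRoute.dashboard` is enabled on the `websecure` entry point, which this same file exposes on port 443 of the LoadBalancer service, and no `middlewares` entry is set, so `/api/` and `/dashboard/` appear to be served without authentication to anyone who can reach those addresses with the matching Host header. I would attach an auth or IP-allowlist middleware under `dashboard`, e.g. `middlewares:` followed by `- name: <dashboard-auth-middleware>` (placeholder name), or bind the route to an entry point that is not exposed. The `forwardedHeaders.trustedIPs` and `proxyProtocol.trustedIPs` lists on both `web` and `websecure` trust whole private ranges, so any pod or LAN host inside them can supply its own `X-Forwarded-*` or PROXY header; narrowing them to the actual upstream addresses keeps client-IP logging and IP-based allowlists reliable. `172.16.0.0/16` may have been meant as `172.16.0.0/12`, and `disableAPICheck:` is a bare key that parses as null, so an explicit `true` or `false` would be clearer.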