diff --git a/Makefile b/Makefile
index 59957274d..bcbb04a02 100644
--- a/Makefile
+++ b/Makefile
@@ -35,6 +35,7 @@ k8s:
 	kubectl apply -k k8s/nginx
 	kubectl apply -k k8s/cert-manager
 	kubectl apply -f k8s/lets-encrypt-issuer.yml
+	kubectl apply -f k8s/wildward-erebe-eu.yaml
 	kubectl delete secret gandi-credentials --namespace cert-manager || exit 0
 	kubectl create secret generic gandi-credentials --namespace cert-manager \
 		--from-literal=api-token="$(shell sops -d --extract '["apirest"]["key"]' secrets/gandi.yml)"
diff --git a/k8s/nginx/ingress-nginx-v1.4.0.yml.patch b/k8s/nginx/ingress-nginx-v1.4.0.yml.patch
index 1b40468f9..59903125c 100644
--- a/k8s/nginx/ingress-nginx-v1.4.0.yml.patch
+++ b/k8s/nginx/ingress-nginx-v1.4.0.yml.patch
@@ -19,6 +19,7 @@ spec:
           - --validating-webhook=:8443
           - --validating-webhook-certificate=/usr/local/certificates/cert
           - --validating-webhook-key=/usr/local/certificates/key
+          - --default-ssl-certificate=default/erebe-eu-tls
           - --https-port=444
           - --http-port=81
         ports:
diff --git a/services/app/couber.yml b/services/app/couber.yml
index 065289029..ea55f8825 100644
--- a/services/app/couber.yml
+++ b/services/app/couber.yml
@@ -79,10 +79,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   ingressClassName: "nginx"
-  tls:
-  - hosts:
-    - coub.erebe.eu
-    secretName: couber-tls
   rules:
   - host: coub.erebe.eu
     http:
diff --git a/services/app/wstunnel.yml b/services/app/wstunnel.yml
index e25a409ab..f86499175 100644
--- a/services/app/wstunnel.yml
+++ b/services/app/wstunnel.yml
@@ -64,10 +64,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   ingressClassName: "nginx"
-  tls:
-  - hosts:
-    - ws.erebe.eu
-    secretName: wstunnel-tls
   rules:
   - host: ws.erebe.eu
     http:
diff --git a/services/dashy/dashy.yml b/services/dashy/dashy.yml
index 5aefc66c1..8fc50f415 100644
--- a/services/dashy/dashy.yml
+++ b/services/dashy/dashy.yml
@@ -87,10 +87,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   ingressClassName: "nginx"
-  tls:
-  - hosts:
-    - board.erebe.eu
-    secretName: dashy-tls
   rules:
   - host: board.erebe.eu
     http:
diff --git a/services/nextcloud/nextcloud.yml b/services/nextcloud/nextcloud.yml
index 83bb78262..a07faf922 100644
--- a/services/nextcloud/nextcloud.yml
+++ b/services/nextcloud/nextcloud.yml
@@ -75,10 +75,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   ingressClassName: "nginx"
-  tls:
-  - hosts:
-    - cloud.erebe.eu
-    secretName: nextcloud-tls
   rules:
   - host: cloud.erebe.eu
     http:
diff --git a/services/vaultwarden/vaultwarden.yml b/services/vaultwarden/vaultwarden.yml
index ad8dd5188..b22f45771 100644
--- a/services/vaultwarden/vaultwarden.yml
+++ b/services/vaultwarden/vaultwarden.yml
@@ -104,10 +104,6 @@ metadata:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
-  tls:
-  - hosts:
-    - bitwarden.erebe.eu
-    secretName: vaultwarden-tls
   ingressClassName: "nginx"
   rules:
   - host: bitwarden.erebe.eu
diff --git a/services/webhook/webhook.yml b/services/webhook/webhook.yml
index b23e3c8c0..22a472f53 100644
--- a/services/webhook/webhook.yml
+++ b/services/webhook/webhook.yml
@@ -102,10 +102,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   ingressClassName: "nginx"
-  tls:
-  - hosts:
-    - hooks.erebe.eu
-    secretName: webhook-tls
   rules:
   - host: hooks.erebe.eu
     http: