diff --git a/apps/authelia/release.yaml b/apps/authelia/release.yaml
index c69078b..83ca2f4 100644
--- a/apps/authelia/release.yaml
+++ b/apps/authelia/release.yaml
@@ -80,6 +80,9 @@ spec:
 - domain: traefik.${domain}
 policy: one_factor
 subject: "group:lldap_admin"
+ - domain: ceph.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
 - domain: grafana.${domain}
 policy: one_factor
 # Deny by default, mainly a placeholder to allow patching in other rules
diff --git a/apps/grafana/release.yaml b/apps/grafana/release.yaml
index c7da8ba..74a86a6 100644
--- a/apps/grafana/release.yaml
+++ b/apps/grafana/release.yaml
@@ -23,7 +23,7 @@ spec:
 - secretName: ${domain//./-}-tls
 annotations:
 traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
- traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd" # name of your middleware, as defined in your middleware.yml
+ traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
 traefik.ingress.kubernetes.io/router.tls: "true"
 envValueFrom:
diff --git a/clusters/titan.lan.huizinga.dev/infrastructure.yaml b/clusters/titan.lan.huizinga.dev/infrastructure.yaml
index 561c9e1..c9d9813 100644
--- a/clusters/titan.lan.huizinga.dev/infrastructure.yaml
+++ b/clusters/titan.lan.huizinga.dev/infrastructure.yaml
@@ -14,6 +14,12 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
+ postBuild:
+ substitute:
+ domain: staging.huizinga.dev
+ # Specifically for authelia
+ subdomain: .staging
+ topdomain: huizinga.dev
 path: ./infrastructure/controllers
 prune: true
 wait: true
diff --git a/infrastructure/controllers/rook/helm-release-cluster.yaml b/infrastructure/controllers/rook/helm-release-cluster.yaml
index 243f3ab..640d888 100644
--- a/infrastructure/controllers/rook/helm-release-cluster.yaml
+++ b/infrastructure/controllers/rook/helm-release-cluster.yaml
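Review bot: The new `ceph.${domain}` rule in apps/authelia/release.yaml puts a storage-cluster management console behind `policy: one_factor`, so a single compromised password for an `lldap_admin` member is enough to get past the forward-auth gate. Consider `policy: two_factor` for this rule, and for the `traefik.${domain}` rule above it, which has the same exposure. Authelia takes the first matching rule, so this entry has to stay above the deny placeholder named in the trailing comment; a short comment such as `# Ceph dashboard, admin-only; ingress lives in infrastructure/controllers/rook` would tie the rule to the ingress it protects. The rules list starts and ends outside the hunk.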
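Review bot: Adding `postBuild.substitute` in clusters/titan.lan.huizinga.dev/infrastructure.yaml turns on Flux variable substitution for every manifest under `./infrastructure/controllers`, not only the rook release. Any existing `${...}` text there (scripts in ConfigMaps, Helm values) will now be processed and needs `$${var}` escaping or the `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation on the affected resource. The three values also look like copies of what the apps Kustomization presumably defines (not visible here), and `subdomain`/`topdomain` are commented as authelia-only although authelia lives under `apps/`. A shared ConfigMap referenced through `substituteFrom` would keep the domain in one place. The `spec` block starts and ends outside the hunk.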
@@ -17,6 +17,19 @@ spec:
 values:
 toolbox:
 enabled: true
+ # TODO: Not sure we really need this is we have prometheus + grafana set up
+ ingress:
+ dashboard:
+ annotations:
+ traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
+ traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ host:
+ name: ceph.${domain}
+ tls:
+ - hosts:
+ - ceph.${domain}
+ secretName: ${domain//./-}-tls
 # Uncomment once prometheus stack has been added
 # monitoring:
 # enabled: true
@@ -26,6 +39,8 @@ spec:
 cephFileSystemVolumeSnapshotClass:
 enabled: true
 cephClusterSpec:
+ dashboard:
+ ssl: false
 storage:
 useAllDevices: false
 deviceFilter: "^nvme."
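Review bot: `secretName: ${domain//./-}-tls` under `ingress.dashboard.tls` refers to a Secret in whichever namespace the chart creates the dashboard Ingress in, and Secrets are not shared across namespaces. Unless the wildcard certificate is also issued or replicated there (not visible in this diff), Traefik will likely serve its default certificate for `ceph.${domain}`. Worth confirming and recording next to `tls:`, e.g. `# requires the wildcard cert Secret in this namespace`. The TODO above `ingress:` also has a typo (`is we have` should read `if we have`). The `values` block starts and ends outside the hunk.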
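Review bot: With `ssl: false` under `cephClusterSpec.dashboard`, the mgr serves the dashboard over plain HTTP, and the Authelia check exists only on the Traefik route. Any workload that can reach the dashboard Service inside the cluster therefore talks to it unencrypted and without forward-auth, leaving only the dashboard's own login. If that is the intended trade-off for terminating TLS at Traefik, say so in a comment, e.g. `# TLS terminates at Traefik; dashboard is HTTP in-cluster`, and consider a NetworkPolicy that admits only the Traefik pods to the dashboard port. `cephClusterSpec` continues outside the hunk.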