diff --git a/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml b/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
index 27c0426..5f7ab94 100644
--- a/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
@@ -10,3 +10,7 @@ spec:
 provider: sops
 secretRef:
 name: sops-gpg
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: domain-vars
diff --git a/clusters/titan.lan.huizinga.dev/ingress.yaml b/clusters/titan.lan.huizinga.dev/ingress.yaml
new file mode 100644
index 0000000..53a186c
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: flux-webhook
+ namespace: flux-system
+ annotations:
+ traefik.ingress.kubernetes.io/router.entryPoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: authelia-forwardauth-authelia@kubernetescrd
+ traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: flux.${domain}
+ http:
+ paths:
+ - backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
+ tls:
+ - secretName: ${domain//./-}-tls
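Review bot: The `postBuild.substituteFrom` added under `spec` (which starts outside this hunk) turns on variable substitution for every manifest this Kustomization builds, not only the new Ingress, and nothing in the file says so. Any literal `${...}` elsewhere in the tree, for instance in a script embedded in a ConfigMap, will now be rewritten, and a variable missing from `domain-vars` is by default replaced with an empty string, which could render an empty host or secret name. I would add a comment such as `# substitutes ${domain} in all resources of this Kustomization; opt a resource out with the kustomize.toolkit.fluxcd.io/substitute: disabled annotation`. Because `domain-vars` decides which hostnames and TLS secret names are rendered, write access to that ConfigMap should be as restricted as write access to the Git source.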
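Review bot: The `router.middlewares` annotation puts Authelia forward-auth in front of `webhook-receiver`, an endpoint normally called by a Git forge or registry that cannot complete an interactive login. If the Authelia policy for `flux.${domain}` is `bypass` (not visible here), the middleware gives no protection and the Receiver's token path and signature check are the only gate. A comment stating which is intended would help, e.g. `# Authelia policy for this host: <bypass|one_factor>; webhook senders authenticate via the Receiver secret`. Separately, `path: /` with `pathType: Prefix` publishes every route of the service; Flux receivers are served under `/hook/`, so `path: /hook/` would narrow the exposure. The `tls` entry relies on `${domain//./-}` being expanded by post-build substitution, so the rendered secret name is worth confirming with a dry-run build.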