diff --git a/templates/gitea.yaml b/templates/gitea.yaml
index 3613f83..0548561 100644
--- a/templates/gitea.yaml
+++ b/templates/gitea.yaml
@@ -80,8 +80,12 @@ kind: Ingress
 metadata:
   name: gitea-ingress
   annotations:
-      kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.allow-http: "false"
+    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-redirect@kubernetescrd
 spec:
+  tls:
+    - hosts:
+      - git.{{ .Values.homey.url }}
   rules:
   - host: git.{{ .Values.homey.url }}
     http:
diff --git a/templates/jackett.yaml b/templates/jackett.yaml
index 96c2d71..4a3ddfe 100644
--- a/templates/jackett.yaml
+++ b/templates/jackett.yaml
@@ -49,6 +49,7 @@ metadata:
     kubernetes.io/ingress.allow-http: "false"
     ingress.kubernetes.io/auth-type: forward
     ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-redirect@kubernetescrd
 spec:
   tls:
     - hosts:
diff --git a/templates/jellyfin.yaml b/templates/jellyfin.yaml
index e20e389..da985b3 100644
--- a/templates/jellyfin.yaml
+++ b/templates/jellyfin.yaml
@@ -86,7 +86,12 @@ kind: Ingress
 metadata:
   name: jellyfin-ingress
   annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-redirect@kubernetescrd
 spec:
+  tls:
+    - hosts:
+      - jellyfin.{{ .Values.homey.internal_url }}
   rules:
    - host: jellyfin.{{ .Values.homey.internal_url }}
      http:
diff --git a/templates/nefarious.yaml b/templates/nefarious.yaml
index cca70de..4f02421 100644
--- a/templates/nefarious.yaml
+++ b/templates/nefarious.yaml
@@ -4,7 +4,14 @@ kind: Secret
 metadata:
   name: nefarious-admin
   annotations:
-    secret-generator.v1.mittwald.de/autogenerate: password
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nefarious-admin") | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+  password: {{ $pass | quote }}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/templates/nextcloud.yaml b/templates/nextcloud.yaml
index 2030cdd..04fcc7b 100644
--- a/templates/nextcloud.yaml
+++ b/templates/nextcloud.yaml
@@ -112,6 +112,8 @@ spec:
             secretKeyRef:
               name: nextcloud-postgres-pass
               key: password
+        - name: OVERWRITEPROTOCOL
+          value: "https"
       volumes:
       - name: nextcloud-volume
         persistentVolumeClaim:
@@ -134,7 +136,12 @@ kind: Ingress
 metadata:
   name: nextcloud-ingress
   annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-redirect@kubernetescrd
 spec:
+  tls:
+    - hosts:
+      - nextcloud.{{ .Values.homey.url }}
   rules:
    - host: nextcloud.{{ .Values.homey.url }}
      http: