diff --git a/deploy/templates/gitserver/ssh-service.yaml b/deploy/templates/gitserver/ssh-service.yaml
index 8714cbc..1fcfaa7 100644
--- a/deploy/templates/gitserver/ssh-service.yaml
+++ b/deploy/templates/gitserver/ssh-service.yaml
@@ -5,12 +5,17 @@ metadata:
   labels:
     {{- include "deploy.labels" . | nindent 4 }}
     app.kubernetes.io/component: gitserver
+  annotations:
+    {{- with .Values.services.gitserver.sshService.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   type: LoadBalancer
+  externalTrafficPolicy: Local
   ports:
-    - port: {{ .Values.services.gitserver.ports.ssh }}
+    - port: 22
       targetPort: ssh
       protocol: TCP
       name: ssh
   selector:
-    {{- include "deploy.serviceSelectorLabels" (dict "root" . "svcKey" "gitserver") | nindent 4 }}
+    {{- include "deploy.serviceSelectorLabels" (dict "root" . "svcKey" "gitserver") | nindent 4 }}
\ No newline at end of file
diff --git a/deploy/values.yaml b/deploy/values.yaml
index 57567ae..cbe631e 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -87,6 +87,11 @@ services:
     # SSH port must match the containerPort
     extraEnv:
       APP_SSH_PORT: "2222"
+    # SSH service config (MetalLB + Cilium)
+    # Shared IP: nginx ingress (80/443) + SSH (22) on same VIP
+    # Requires ingress-nginx svc also annotated with allow-shared-ip: "gitdata-shared"
+    sshService:
+      annotations: {}
     resources:
       requests:
         cpu: 100m