diff --git a/deploy/.helmignore b/deploy/.helmignore
index 0e8a0eb..9359339 100644
--- a/deploy/.helmignore
+++ b/deploy/.helmignore
@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+# Secrets
+.server.yaml
diff --git a/deploy/templates/gitserver/ssh-service.yaml b/deploy/templates/gitserver/ssh-service.yaml
new file mode 100644
index 0000000..8714cbc
--- /dev/null
+++ b/deploy/templates/gitserver/ssh-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "deploy.serviceFullname" (dict "root" . "svcKey" "gitserver") }}-ssh
+  labels:
+    {{- include "deploy.labels" . | nindent 4 }}
+    app.kubernetes.io/component: gitserver
+spec:
+  type: LoadBalancer
+  ports:
+    - port: {{ .Values.services.gitserver.ports.ssh }}
+      targetPort: ssh
+      protocol: TCP
+      name: ssh
+  selector:
+    {{- include "deploy.serviceSelectorLabels" (dict "root" . "svcKey" "gitserver") | nindent 4 }}
diff --git a/deploy/values.yaml b/deploy/values.yaml
index 289f9e2..c5523dd 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -140,22 +140,30 @@ services:
 # External PVC (managed outside Helm — not deleted on uninstall)
 pvcName: "shared-data"
 
-# Ingress — only for the main app service
+# Ingress — handled by gingress controller
 ingress:
-  enabled: false
-  className: ""
-  annotations: {}
+  enabled: true
+  className: "gingress"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
   hosts:
-    - host: chart-example.local
+    - host: gitdata.ai
       paths:
         - path: /
           pathType: Prefix
           serviceName: app
           servicePort: 3000
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+    - host: static.gitdata.ai
+      paths:
+        - path: /
+          pathType: Prefix
+          serviceName: static_server
+          servicePort: 8081
+  tls:
+    - secretName: gitdata-ai-tls
+      hosts:
+        - gitdata.ai
+        - static.gitdata.ai
 
 imagePullSecrets: []
 nameOverride: ""