diff --git a/ingress.yaml b/ingress.yaml
index c80e668..1d6d4a4 100644
--- a/ingress.yaml
+++ b/ingress.yaml
@@ -59,16 +59,6 @@ spec:
               name: open-webui-service
               port:
                 number: 80
-  - host: nas.rogi.casa
-    http:
-      paths:
-        - pathType: Prefix
-          backend:
-            service:
-              name: external-ip
-              port:
-                number: 80
-          path: /
   - host: gym.rogi.casa
     http:
       paths:
@@ -281,3 +271,37 @@ spec:
               name: argocd-server
               port:
                 number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nas-ingress
+  namespace: default
+  annotations:
+    # Use Traefik as the ingress controller (default in k3s)
+    kubernetes.io/ingress.class: "traefik"
+    # Enable SSL redirect
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    # Optional: enable compression
+    traefik.ingress.kubernetes.io/compress: "true"
+    # Allow large file uploads (5GB) for NAS
+    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
+    cert-manager.io/issuer: prod-issuer
+    cert-manager.io/issuer-kind: OriginIssuer
+    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+spec:
+  tls:
+    - hosts:
+      - "*.rogi.casa"
+      secretName: rogicasa-tls
+  rules:
+  - host: nas.rogi.casa
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: external-ip
+              port:
+                number: 80