diff --git a/headlamp/headlamp.yaml b/headlamp/headlamp.yaml
index 5af6096..2668629 100644
--- a/headlamp/headlamp.yaml
+++ b/headlamp/headlamp.yaml
@@ -91,15 +91,33 @@ spec:
     - port: 80
       targetPort: 4466
 ---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: https-redirect
+  namespace: kube-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: headlamp
   namespace: kube-system
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
 spec:
   ingressClassName: traefik
+  tls:
+    - hosts:
+        - headlamp.roysland.net
+      secretName: headlamp-tls
   rules:
-    - host: headlamp.local
+    - host: headlamp.roysland.net
       http:
         paths:
           - path: /