diff --git a/contour/resources/default_gateway.yaml b/contour/resources/default_gateway.yaml
index 8ce84a6..54d865c 100644
--- a/contour/resources/default_gateway.yaml
+++ b/contour/resources/default_gateway.yaml
@@ -9,14 +9,7 @@ metadata:
 spec:
   gatewayClassName: contour
   listeners:
-    - name: ssh
-      protocol: TCP
-      port: 22
-      allowedRoutes:
-        kinds:
-        - kind: TCPRoute
-        namespaces:
-          from: All
+
     - name: snips-ssh
       protocol: TCP
       port: 2222
@@ -25,12 +18,14 @@ spec:
         - kind: TCPRoute
         namespaces:
           from: All
+
     - name: http
       protocol: HTTP
       port: 80
       allowedRoutes:
         namespaces:
           from: All
+
     - name: https
       hostname: "*.icb4dc0.de"
       port: 443
@@ -42,6 +37,7 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: wildcard-icb4dc0-de-tls
+
     - name: forgejo
       hostname: "code.icb4dc0.de"
       port: 443
@@ -56,6 +52,33 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: forgejo-tls
+    - name: ssh
+      protocol: TCP
+      port: 22
+      allowedRoutes:
+        kinds:
+        - kind: TCPRoute
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: forgejo
+
+    - name: vikunja
+      hostname: "todo.icb4dc0.de"
+      port: 443
+      protocol: HTTPS
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: vikunja
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: vikunja-tls
+
     - name: ente-endpoints
       hostname: "*.ente.icb4dc0.de"
       port: 443
@@ -70,6 +93,7 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: ente-tls
+
     - name: coder-port-forwards
       hostname: "*.ide.icb4dc0.de"
       port: 443
@@ -84,6 +108,7 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: coder-port-forwards-tls
+
     - name: garage-s3-subdomains
       hostname: "*.s3.icb4dc0.de"
       port: 443
@@ -98,6 +123,7 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: garage-s3-subdomains-tls
+
     - name: buildr-fider-community
       hostname: community.buildr.icb4dc0.de
       port: 443
@@ -112,6 +138,7 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: buildr-fider-community-tls
+
     - name: inetmock-fider-community
       hostname: community.inetmock.icb4dc0.de
       port: 443
@@ -126,6 +153,7 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: inetmock-fider-community-tls
+
     - name: fider-login
       hostname: login.fider.icb4dc0.de
       port: 443
diff --git a/forgejo/kustomization.yaml b/forgejo/kustomization.yaml
index d48b7d0..e1c10c5 100644
--- a/forgejo/kustomization.yaml
+++ b/forgejo/kustomization.yaml
@@ -15,7 +15,7 @@ images:
     newTag: "3.4.1"
   - name: dind
     newName: docker
-    newTag: 26.1.2-dind
+    newTag: 26.1.3-dind
 
 resources:
   - resources/secrets/admin-credentials.yaml
diff --git a/garage/kustomization.yaml b/garage/kustomization.yaml
index 2a39b25..5081446 100644
--- a/garage/kustomization.yaml
+++ b/garage/kustomization.yaml
@@ -25,6 +25,7 @@ resources:
   - resources/api_routes.yaml
   - resources/web_routes.yaml
   - resources/pdb.yaml
+  - resources/servicemonitor.yaml
   - backup/
 
 configMapGenerator:
diff --git a/garage/resources/servicemonitor.yaml b/garage/resources/servicemonitor.yaml
new file mode 100644
index 0000000..a1a2cfc
--- /dev/null
+++ b/garage/resources/servicemonitor.yaml
@@ -0,0 +1,20 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: garage
+  labels:
+    prometheus: default
+spec:
+  endpoints:
+    - honorLabels: true
+      path: /metrics
+      port: metrics
+      scheme: http
+      scrapeTimeout: 30s
+  jobLabel: garage
+  namespaceSelector:
+    matchNames:
+      - garage
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: metrics
diff --git a/garage/resources/services.yaml b/garage/resources/services.yaml
index dcca48b..7015fc2 100644
--- a/garage/resources/services.yaml
+++ b/garage/resources/services.yaml
@@ -17,6 +17,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: garage-metrics
+  labels:
+    app.kubernetes.io/component: metrics
 spec:
   type: ClusterIP
   clusterIP: None
diff --git a/kube-prometheus/config/values.prometheus.yaml b/kube-prometheus/config/values.prometheus.yaml
index a692f84..c4a8534 100644
--- a/kube-prometheus/config/values.prometheus.yaml
+++ b/kube-prometheus/config/values.prometheus.yaml
@@ -111,6 +111,7 @@ grafana:
         auth_url: https://code.icb4dc0.de/login/oauth/authorize
         token_url: https://code.icb4dc0.de/login/oauth/access_token
         api_url: https://code.icb4dc0.de/login/oauth/userinfo
+        skip_org_role_sync: true
   persistence:
     enabled: false
     storageClassName: hcloud-volumes
diff --git a/vikunja/resources/http_routes.yaml b/vikunja/resources/http_routes.yaml
index 5c94238..9a18166 100644
--- a/vikunja/resources/http_routes.yaml
+++ b/vikunja/resources/http_routes.yaml
@@ -24,7 +24,7 @@ metadata:
 spec:
   parentRefs:
   - name: contour
-    sectionName: https
+    sectionName: vikunja
     namespace: projectcontour
   hostnames:
   - todo.icb4dc0.de