diff --git a/network-security/index.ts b/network-security/index.ts
index 787cc68..f6ed544 100644
--- a/network-security/index.ts
+++ b/network-security/index.ts
@@ -7,9 +7,10 @@ import {
 RateLimitMiddleware,
 IpAllowListMiddleware,
 IpAllowListMiddlewareTCP,
+ TLSOptions,
 } from "./traefik";
 import { ValkeyCluster } from "./valkey";
-import { InternalIngressRoute } from "../utils";
+import { InternalIngressRoute, PrivateCertificate } from "../utils";
 
 export class NetworkSecurity extends TerraformStack {
 constructor(scope: Construct, id: string) {
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
 name: "rate-limit",
 });
 
+ new TLSOptions(this, "tls-options", {
+ provider: kubernetes,
+ namespace,
+ });
+
 new IpAllowListMiddleware(this, "internal-ip-allow-list", {
 provider: kubernetes,
 namespace,
@@ -81,6 +87,15 @@ export class NetworkSecurity extends TerraformStack {
 sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"],
 });
 
+ new PrivateCertificate(this, "longhorn-cert", {
+ provider: kubernetes,
+ namespace: "longhorn-system",
+ name: "longhorn-ui",
+ dnsNames: ["longhorn.dogar.dev"],
+ commonName: "longhorn.dogar.dev",
+ secretName: "longhorn-tls",
+ });
+
 new InternalIngressRoute(this, "longhorn-ui", {
 provider: kubernetes,
 namespace: "longhorn-system",
@@ -88,6 +103,16 @@ export class NetworkSecurity extends TerraformStack {
 host: "longhorn.dogar.dev",
 serviceName: "longhorn-frontend",
 servicePort: 80,
+ tlsSecretName: "longhorn-tls",
+ });
+
+ new PrivateCertificate(this, "grafana-cert", {
+ provider: kubernetes,
+ namespace: "monitoring",
+ name: "grafana-ui",
+ dnsNames: ["grafana.dogar.dev"],
+ commonName: "grafana.dogar.dev",
+ secretName: "grafana-tls",
 });
 
 new InternalIngressRoute(this, "grafana-ui", {
@@ -97,6 +122,7 @@ export class NetworkSecurity extends TerraformStack {
 host: "grafana.dogar.dev",
 serviceName: "prometheus-operator-grafana",
 servicePort: 80,
+ tlsSecretName: "grafana-tls",
 });
 }
 }
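Review bot: The TLSOption created by `new TLSOptions(this, "tls-options", { ... })` is not referenced by either `InternalIngressRoute` in this file, and a Traefik TLSOption only takes effect on a router that names it via `tls.options.name`/`tls.options.namespace` or, for the cluster-wide default, when the resource itself is named `default` in the namespace Traefik reads its default options from. Unless `InternalIngressRoute` (defined in `../utils`, not visible here) already wires that reference, the TLS 1.3 floor and `sniStrict` will not apply to the longhorn and grafana routes even though the resource exists. Either rename the resource to `default` or pass the option name through to the routes, and record which mechanism is relied on at the call site, e.g. `// Referenced by each InternalIngressRoute via tls.options; deliberately not Traefik's "default" option`. The constructor this sits in starts and ends outside the hunk.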
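Review bot: The TLS secret name is spelled twice per host with no link between the spellings (`secretName: "longhorn-tls"` in the PrivateCertificate and `tlsSecretName: "longhorn-tls"` in the route, likewise `"grafana-tls"`), so a typo in either leaves the route pointing at a secret that is never issued, and Traefik would then typically serve its default self-signed certificate rather than fail loudly. Hoist the names into constants, e.g. `const longhornTlsSecret = "longhorn-tls";` and `const grafanaTlsSecret = "grafana-tls";`, and use them in both places; `commonName` duplicating `dnsNames[0]` has the same drift risk. Nothing here expresses an ordering dependency between the certificate and the route, and whether `PrivateCertificate` waits for the secret to be issued cannot be told from this file, so a one-line comment such as `// PrivateCertificate issues the secret named by tlsSecretName below` would help the next reader. The enclosing constructor starts and ends outside this hunk.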
diff --git a/network-security/traefik/index.ts b/network-security/traefik/index.ts
index 0c29d72..3e84db1 100644
--- a/network-security/traefik/index.ts
+++ b/network-security/traefik/index.ts
@@ -1,2 +1,3 @@
 export { RateLimitMiddleware } from "./rateLimit";
 export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
+export { TLSOptions } from "./tlsOpts";
diff --git a/network-security/traefik/tlsOpts.ts b/network-security/traefik/tlsOpts.ts
new file mode 100644
index 0000000..3dbc6e8
--- /dev/null
+++ b/network-security/traefik/tlsOpts.ts
@@ -0,0 +1,31 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+export class TLSOptions extends Construct {
+ constructor(
+ scope: Construct,
+ id: string,
+ opts: { provider: KubernetesProvider; namespace: string },
+ ) {
+ super(scope, id);
+
+ const { provider, namespace } = opts;
+
+ new Manifest(this, "traefik-tls-options", {
+ provider,
+ manifest: {
+ apiVersion: "traefik.io/v1alpha1",
+ kind: "TLSOption",
+ metadata: {
+ namespace,
+ name: "tls-options",
+ },
+ spec: {
+ minVersion: "VersionTLS13",
+ sniStrict: true,
+ },
+ },
+ });
+ }
+}
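Review bot: `TLSOptions` hard-codes the resource name `"tls-options"` and does not expose it, so any IngressRoute that needs to reference the option via `tls.options.name` has no typed handle and must repeat the string, and the exported class carries no TSDoc. Expose the name as a readonly property, optionally overridable since naming the resource `default` is what makes Traefik apply it without per-route references, and document the two security-relevant choices in the spec: `minVersion: "VersionTLS13"` refuses TLS 1.0–1.2 and with them every configurable cipher suite, and `sniStrict: true` makes Traefik reject handshakes that carry no SNI or an SNI with no matching certificate instead of serving the default certificate, which affects clients that connect by bare IP. A TSDoc block on the class stating that contract plus a one-line comment on each of the two spec fields would suffice; the small API change is sketched below.

```typescript
export class TLSOptions extends Construct {
  /** Name of the TLSOption resource; reference it from IngressRoute `tls.options.name`. */
  public readonly name: string;

  constructor(
    scope: Construct,
    id: string,
    opts: { provider: KubernetesProvider; namespace: string; name?: string },
  ) {
    super(scope, id);
    const { provider, namespace } = opts;
    // "default" is special: Traefik applies it to every TLS router without an explicit reference.
    this.name = opts.name ?? "tls-options";

    new Manifest(this, "traefik-tls-options", {
      provider,
      manifest: {
        apiVersion: "traefik.io/v1alpha1",
        kind: "TLSOption",
        metadata: { namespace, name: this.name },
        // … unchanged: spec (minVersion, sniStrict) …
      },
    });
  }
}
```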