diff --git a/utils/traefik/ingress/ingress.ts b/utils/traefik/ingress/ingress.ts
index 4e700ef..36f5cd4 100644
--- a/utils/traefik/ingress/ingress.ts
+++ b/utils/traefik/ingress/ingress.ts
@@ -83,6 +83,7 @@ export class IngressRoute extends Construct {
 kind: "Rule",
 services: [
 {
+ namespace,
 name: opts.serviceName,
 port: opts.servicePort,
 scheme: opts.serviceProtocol ?? "http",
@@ -109,6 +110,10 @@ export class IngressRoute extends Construct {
 if (opts.tlsSecretName) {
 spec.tls = {
 secretName: opts.tlsSecretName,
+ options: {
+ name: "tls-options",
+ namespace: "homelab",
+ },
 };
 }
 
diff --git a/utils/traefik/ingress/internalIngress.ts b/utils/traefik/ingress/internalIngress.ts
index b5bdc9c..d3499e5 100644
--- a/utils/traefik/ingress/internalIngress.ts
+++ b/utils/traefik/ingress/internalIngress.ts
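Review bot: The `namespace` shorthand added to the service reference is bound outside this hunk, so it is not visible here whether it is the IngressRoute's own namespace or a separately supplied backend namespace; that decides whether the line is a no-op or a cross-namespace reference. If it can differ from the route's namespace, the Traefik CRD provider only honours it when `allowCrossNamespace` is enabled on the provider and, as I recall, otherwise rejects the route, so a short comment at the binding site would help, e.g. `// backend namespace; a value other than the route's own needs allowCrossNamespace on the provider`. The enclosing method starts and ends outside the hunk.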
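Review bot: The TLSOption reference in the added `options` block hard-codes both the object name `tls-options` and the `homelab` namespace inside the generic `IngressRoute`, so every caller that sets `tlsSecretName` is now silently bound to that one object. That TLSOption is where the route's TLS policy lives (minimum protocol version, cipher suites, client-certificate requirements), so it belongs in the options type rather than buried in the builder; keeping the current default while making it overridable is one line, `options: opts.tlsOptions ?? { name: "tls-options", namespace: "homelab" },` plus an optional `tlsOptions?: { name: string; namespace: string }` on `IngressRouteOptions`. The same literal `homelab` namespace is hard-coded again for the middleware references in the internalIngress.ts and publicIngress.ts hunks, where it replaces a namespace that was previously derived at runtime; one exported constant for the shared namespace would keep all three in step and make the coupling greppable. The enclosing method starts and ends outside the hunk.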
@@ -1,78 +1,16 @@
 import { Construct } from "constructs";
 import { IngressRoute, IngressRouteOptions } from "./ingress";
-import { DataTerraformRemoteStateS3 } from "cdktf";
-import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
-import { PrivateCertificate } from "../../cert-manager";
 
-type InternalIngressRouteOptions = Omit<
- IngressRouteOptions,
- "entryPoints" | "tlsSecretName" | "middlewares"
->;
-
-export class InternalIngressRoute extends Construct {
- constructor(scope: Construct, id: string, opts: InternalIngressRouteOptions) {
- super(scope, id);
-
- const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
-
- const coreServicesState = new DataTerraformRemoteStateS3(
- this,
- "core-services-state",
- {
- usePathStyle: true,
- skipRegionValidation: true,
- skipCredentialsValidation: true,
- skipRequestingAccountId: true,
- skipS3Checksum: true,
- encrypt: true,
- bucket: "terraform-state",
- key: "core-services/terraform.tfstate",
- endpoints: {
- s3: `https://${r2Endpoint}`,
- },
- region: "auto",
- accessKey: process.env.ACCESS_KEY,
- secretKey: process.env.SECRET_KEY,
- },
- );
- const namespaceName = coreServicesState.getString("namespace-output");
- const namespaceResource = new DataKubernetesNamespaceV1(
- this,
- "core-services-namespace",
- {
- provider: opts.provider,
- metadata: {
- name: namespaceName,
- },
- },
- );
- const namespace = namespaceResource.metadata.name;
-
- const { provider, name, host, serviceName, servicePort, serviceProtocol } =
- opts;
-
- const tlsSecretName = `${name}-tls`;
-
- new PrivateCertificate(this, `${name}-cert`, {
- provider,
- namespace,
- name: host,
- secretName: tlsSecretName,
- dnsNames: [host],
- });
-
- new IngressRoute(this, opts.name, {
- provider,
- namespace,
- host,
- serviceName,
- servicePort,
- serviceProtocol,
- tlsSecretName,
- name,
- path: opts.path ?? "/",
+export class InternalIngressRoute extends IngressRoute {
+ constructor(
+ scope: Construct,
+ id: string,
+ opts: Omit,
+ ) {
+ super(scope, id, {
+ ...opts,
 entryPoints: ["websecure"],
- middlewares: [`${namespace}/ip-allow-list`],
+ middlewares: ["homelab/ip-allow-list"],
 });
 }
 }
diff --git a/utils/traefik/ingress/publicIngress.ts b/utils/traefik/ingress/publicIngress.ts
index 244e2dd..f039fa3 100644
--- a/utils/traefik/ingress/publicIngress.ts
+++ b/utils/traefik/ingress/publicIngress.ts
@@ -2,26 +2,25 @@ import { Construct } from "constructs";
 import { IngressRoute, IngressRouteOptions } from "./ingress";
 import { CloudflareCertificate } from "../../cert-manager";
 
-type PublicIngressRouteOptions = Omit<
- IngressRouteOptions,
- "entryPoints" | "tlsSecretName" | "middlewares"
->;
+export class PublicIngressRoute extends IngressRoute {
+ constructor(
+ scope: Construct,
+ id: string,
+ opts: Omit<
+ IngressRouteOptions,
+ "entryPoints" | "tlsSecretName" | "middlewares"
+ >,
+ ) {
+ const tlsSecretName = `${opts.name}-tls`;
 
-export class PublicIngressRoute extends Construct {
- constructor(scope: Construct, id: string, opts: PublicIngressRouteOptions) {
- super(scope, id);
+ super(scope, id, {
+ ...opts,
+ tlsSecretName,
+ entryPoints: ["websecure"],
+ middlewares: ["homelab/rate-limit"],
+ });
 
- const {
- provider,
- name,
- namespace,
- host,
- serviceName,
- servicePort,
- serviceProtocol,
- } = opts;
-
- const tlsSecretName = `${name}-tls`;
+ const { provider, name, namespace, host } = opts;
 
 new CloudflareCertificate(this, `${name}-cert`, {
 provider,
@@ -30,19 +29,5 @@ export class PublicIngressRoute extends Construct {
 secretName: tlsSecretName,
 dnsNames: [host],
 });
-
- new IngressRoute(this, opts.name, {
- provider,
- namespace,
- host,
- tlsSecretName,
- serviceName,
- servicePort,
- serviceProtocol,
- name,
- path: opts.path ?? "/",
- entryPoints: ["websecure"],
- middlewares: [`${namespace}/rate-limit`],
- });
 }
 }
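Review bot: The rewritten `InternalIngressRoute` no longer issues a certificate or passes `tlsSecretName`: the removed body created a `PrivateCertificate` for the host and wired its secret into the route, whereas the new constructor forwards `...opts` (whose type omits `tlsSecretName`) with nothing else, so the `if (opts.tlsSecretName)` branch in ingress.ts is never taken and the websecure router for an internal host is left to whatever default certificate the entry point presents, if any. Unless dropping the per-host certificate is intended, the constructor should mirror `PublicIngressRoute` — derive the secret name, pass it to `super`, then create the `PrivateCertificate` (restoring its import from `../../cert-manager`). Two further points: `opts: Omit,` as rendered here carries no type arguments and would not compile, so presumably the `<IngressRouteOptions, …>` part was lost in rendering — worth confirming against the actual file; and the former `path: opts.path ?? "/"` default is not carried over, so `path` now reaches `IngressRoute` undefined unless that class defaults it itself, which is not visible here.
```typescript
  ) {
    const tlsSecretName = `${opts.name}-tls`;

    super(scope, id, {
      ...opts,
      tlsSecretName,
      path: opts.path ?? "/",
      // … unchanged: entryPoints, middlewares …
    });

    const { provider, name, namespace, host } = opts;

    // per-host certificate for the internal route; its secret is what spec.tls references
    new PrivateCertificate(this, `${name}-cert`, {
      provider,
      namespace,
      name: host,
      secretName: tlsSecretName,
      dnsNames: [host],
    });
  }
```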
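Review bot: The `IngressRoute` resources created by `PublicIngressRoute` now sit one level higher in the construct tree than before — they used to live under `this/opts.name` via the removed `new IngressRoute(...)` call and are now created by `super` directly under `this` — which, as far as I can tell from CDKTF's id-derived addressing, gives them a new Terraform address, so the next apply is likely to plan a destroy-and-recreate of the route manifest for already-deployed hosts; if that matters, the old nesting or a `moved` mapping is needed. Two smaller points on the `super` call: the `path: opts.path ?? "/"` default from the removed call is not carried over, so `path` may now be undefined unless `IngressRoute` defaults it (not visible here), which would be fixed by adding `path: opts.path ?? "/",` next to `tlsSecretName,`; and `"homelab/rate-limit"` replaces a middleware namespace that was previously `opts.namespace`, so a public route deployed in any other namespace will now reference a middleware that may not exist there.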