diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index da309ec..0593def 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -399,50 +399,13 @@ spec:
       targetPort: 8080
       name: http
 ---
-# Traefik addPrefix middleware
-# External URL guac.iamworkin.lan/ gets prefix /guacamole added
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: guac-add-prefix
-  namespace: guacamole
-spec:
-  addPrefix:
-    prefix: /guacamole
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: guacamole-tls
-  namespace: guacamole
-spec:
-  secretName: guacamole-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - guac.iamworkin.lan
----
-# Traefik IngressRoute
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: guacamole
-  namespace: guacamole
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`guac.iamworkin.lan`)
-      kind: Rule
-      middlewares:
-        - name: guac-add-prefix
-      services:
-        - name: guacamole
-          port: 8080
-  tls:
-    secretName: guacamole-tls
+# Legacy guac.iamworkin.lan IngressRoute + add-prefix middleware +
+# TLS Certificate RETIRED 2026-04-24. Single-host routing via
+# desktop.iamworkin.lan/guacamole (below) has been live-proven and
+# RemoteDesktop.Web no longer emits URLs pointing at the legacy
+# subdomain. ArgoCD prune will delete the live resources on next
+# sync; pfSense DNS override for guac.iamworkin.lan should be
+# removed via FlowerCore.DNS in a follow-up operator step.
 ---
 # Single-host Guacamole routing — matches RemoteDesktop.Web launch URLs
 # that embed Guacamole as a path-prefixed iframe on the primary desktop