diff --git a/apps/fc-landing/fc-landing.yaml b/apps/fc-landing/fc-landing.yaml
index d606df3..2e4786c 100644
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -1,248 +1,320 @@
-# FlowerCore Landing Page
-# Blue Jay Lab branded landing page
-# ArgoCD managed - BlueJay Lab
----
-# fc-system namespace is shared; don't overwrite if it exists
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: fc-system
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# Landing page HTML
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: fc-landing-html
-  namespace: fc-system
-data:
-  index.html: |
-    <!DOCTYPE html>
-    <html lang="en">
-    <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>FlowerCore - Blue Jay Lab</title>
-        <style>
-            * { margin: 0; padding: 0; box-sizing: border-box; }
-            body {
-                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-                background: linear-gradient(135deg, #0a1628 0%, #1a2744 50%, #0d1f3c 100%);
-                color: #e0e8f0;
-                min-height: 100vh;
-                display: flex;
-                flex-direction: column;
-                align-items: center;
-                justify-content: center;
-            }
-            .hero {
-                text-align: center;
-                padding: 3rem;
-                max-width: 800px;
-            }
-            .logo {
-                font-size: 5rem;
-                margin-bottom: 1.5rem;
-                filter: drop-shadow(0 0 20px rgba(74, 158, 255, 0.3));
-            }
-            h1 {
-                font-size: 3rem;
-                background: linear-gradient(135deg, #4a9eff, #7ab3ff);
-                -webkit-background-clip: text;
-                -webkit-text-fill-color: transparent;
-                background-clip: text;
-                margin-bottom: 0.5rem;
-            }
-            .subtitle {
-                font-size: 1.3rem;
-                color: #7ab3ff;
-                font-weight: 300;
-                margin-bottom: 3rem;
-            }
-            .services {
-                display: grid;
-                grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
-                gap: 1rem;
-                width: 100%;
-                max-width: 700px;
-                padding: 0 1rem;
-            }
-            .service {
-                background: rgba(74, 158, 255, 0.08);
-                border: 1px solid rgba(74, 158, 255, 0.2);
-                border-radius: 8px;
-                padding: 1.2rem;
-                text-decoration: none;
-                color: inherit;
-                transition: all 0.2s;
-            }
-            .service:hover {
-                background: rgba(74, 158, 255, 0.15);
-                border-color: rgba(74, 158, 255, 0.5);
-                transform: translateY(-2px);
-            }
-            .service h3 { color: #4a9eff; font-size: 0.95rem; margin-bottom: 0.3rem; }
-            .service p { color: #8aa8c4; font-size: 0.8rem; }
-            .footer {
-                margin-top: 3rem;
-                color: #4a6580;
-                font-size: 0.8rem;
-            }
-        </style>
-    </head>
-    <body>
-        <div class="hero">
-            <div class="logo">&#x1F33B;</div>
-            <h1>FlowerCore</h1>
-            <p class="subtitle">Blue Jay Lab</p>
-        </div>
-        <div class="services">
-            <a class="service" href="https://gitea.iamworkin.lan">
-                <h3>Gitea</h3>
-                <p>Git repositories</p>
-            </a>
-            <a class="service" href="https://argocd.iamworkin.lan">
-                <h3>ArgoCD</h3>
-                <p>GitOps deployments</p>
-            </a>
-            <a class="service" href="https://zabbix.iamworkin.lan">
-                <h3>Zabbix</h3>
-                <p>Monitoring</p>
-            </a>
-            <a class="service" href="https://guac.iamworkin.lan">
-                <h3>Guacamole</h3>
-                <p>Remote desktop</p>
-            </a>
-            <a class="service" href="https://element.iamworkin.lan">
-                <h3>Element</h3>
-                <p>Matrix chat</p>
-            </a>
-            <a class="service" href="https://mail.iamworkin.lan">
-                <h3>Mail</h3>
-                <p>Snappymail webmail</p>
-            </a>
-            <a class="service" href="https://intranet.iamworkin.lan">
-                <h3>Intranet</h3>
-                <p>Lab portal</p>
-            </a>
-            <a class="service" href="https://pki.iamworkin.lan">
-                <h3>PKI</h3>
-                <p>Certificates</p>
-            </a>
-        </div>
-        <p class="footer">FlowerCore &middot; RKE2 on Harvester &middot; ArgoCD managed</p>
-    </body>
-    </html>
----
-# nginx configuration
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: fc-landing-nginx-conf
-  namespace: fc-system
-data:
-  default.conf: |
-    server {
-        listen 80;
-        server_name _;
-        root /usr/share/nginx/html;
-        index index.html;
-
-        location / {
-            try_files $uri $uri/ =404;
-        }
-
-        location /healthz {
-            access_log off;
-            return 200 "ok";
-            add_header Content-Type text/plain;
-        }
-    }
----
-# Landing Page Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: fc-landing
-  namespace: fc-system
-  labels:
-    app: fc-landing
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: fc-landing
-  template:
-    metadata:
-      labels:
-        app: fc-landing
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:alpine
-          ports:
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - name: nginx-conf
-              mountPath: /etc/nginx/conf.d/default.conf
-              subPath: default.conf
-            - name: html
-              mountPath: /usr/share/nginx/html
-          resources:
-            requests:
-              memory: 16Mi
-              cpu: 5m
-            limits:
-              memory: 64Mi
-              cpu: 50m
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 80
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 80
-            initialDelaySeconds: 3
-            periodSeconds: 5
-      volumes:
-        - name: nginx-conf
-          configMap:
-            name: fc-landing-nginx-conf
-        - name: html
-          configMap:
-            name: fc-landing-html
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: fc-landing
-  namespace: fc-system
-spec:
-  selector:
-    app: fc-landing
-  ports:
-    - port: 80
-      targetPort: 80
-      name: http
----
-# Traefik IngressRoute (internal only, no public cert needed)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: fc-landing
-  namespace: fc-system
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`flowercore.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: fc-landing
-          port: 80
-  tls: {}
+# FlowerCore Landing Page
+# Blue Jay Lab branded landing page - PUBLIC facing
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fc-system
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# Landing page HTML (public-safe - no internal LAN references)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fc-landing-html
+  namespace: fc-system
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>FlowerCore</title>
+        <style>
+            * { margin: 0; padding: 0; box-sizing: border-box; }
+            body {
+                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+                background: linear-gradient(135deg, #0a1628 0%, #1a2744 50%, #0d1f3c 100%);
+                color: #e0e8f0;
+                min-height: 100vh;
+                display: flex;
+                flex-direction: column;
+                align-items: center;
+                justify-content: center;
+            }
+            .hero {
+                text-align: center;
+                padding: 3rem;
+                max-width: 800px;
+            }
+            .logo {
+                font-size: 5rem;
+                margin-bottom: 1.5rem;
+                filter: drop-shadow(0 0 20px rgba(74, 158, 255, 0.3));
+            }
+            h1 {
+                font-size: 3rem;
+                background: linear-gradient(135deg, #4a9eff, #7ab3ff);
+                -webkit-background-clip: text;
+                -webkit-text-fill-color: transparent;
+                background-clip: text;
+                margin-bottom: 0.5rem;
+            }
+            .subtitle {
+                font-size: 1.3rem;
+                color: #7ab3ff;
+                font-weight: 300;
+                margin-bottom: 1rem;
+            }
+            .description {
+                font-size: 1rem;
+                color: #8aa8c4;
+                line-height: 1.6;
+                margin-bottom: 3rem;
+                max-width: 600px;
+            }
+            .services {
+                display: grid;
+                grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+                gap: 1rem;
+                width: 100%;
+                max-width: 700px;
+                padding: 0 1rem;
+            }
+            .service {
+                background: rgba(74, 158, 255, 0.08);
+                border: 1px solid rgba(74, 158, 255, 0.2);
+                border-radius: 8px;
+                padding: 1.2rem;
+                text-decoration: none;
+                color: inherit;
+                transition: all 0.2s;
+            }
+            .service:hover {
+                background: rgba(74, 158, 255, 0.15);
+                border-color: rgba(74, 158, 255, 0.5);
+                transform: translateY(-2px);
+            }
+            .service h3 { color: #4a9eff; font-size: 0.95rem; margin-bottom: 0.3rem; }
+            .service p { color: #8aa8c4; font-size: 0.8rem; }
+            .status-bar {
+                display: flex;
+                gap: 2rem;
+                margin-top: 2rem;
+                padding: 1rem 2rem;
+                background: rgba(74, 158, 255, 0.05);
+                border-radius: 8px;
+                border: 1px solid rgba(74, 158, 255, 0.1);
+            }
+            .status-item { text-align: center; }
+            .status-item .value { color: #4a9eff; font-size: 1.5rem; font-weight: 700; }
+            .status-item .label { color: #6a8ca4; font-size: 0.7rem; text-transform: uppercase; letter-spacing: 1px; }
+            .footer {
+                margin-top: 3rem;
+                color: #4a6580;
+                font-size: 0.8rem;
+            }
+            .footer a { color: #4a6580; text-decoration: none; }
+            .footer a:hover { color: #7ab3ff; }
+        </style>
+    </head>
+    <body>
+        <div class="hero">
+            <div class="logo">&#x1F33B;</div>
+            <h1>FlowerCore</h1>
+            <p class="subtitle">Blue Jay Lab</p>
+            <p class="description">
+                Multi-tenant service management platform built on .NET 10,
+                Kubernetes, and GitOps. Digital signage, telephony IVR,
+                MySQL/PHP hosting, and infrastructure automation.
+            </p>
+        </div>
+        <div class="services">
+            <a class="service" href="https://gitea.flowercore.io">
+                <h3>Source</h3>
+                <p>Gitea repositories</p>
+            </a>
+            <a class="service" href="https://webmail.flowercore.io">
+                <h3>Mail</h3>
+                <p>Webmail access</p>
+            </a>
+            <a class="service" href="https://element.flowercore.io">
+                <h3>Chat</h3>
+                <p>Matrix messaging</p>
+            </a>
+            <a class="service" href="https://github.com/FlowerCoreIO">
+                <h3>GitHub</h3>
+                <p>Open source</p>
+            </a>
+        </div>
+        <div class="status-bar">
+            <div class="status-item">
+                <div class="value">17</div>
+                <div class="label">Services</div>
+            </div>
+            <div class="status-item">
+                <div class="value">13</div>
+                <div class="label">VLANs</div>
+            </div>
+            <div class="status-item">
+                <div class="value">12k+</div>
+                <div class="label">Tests</div>
+            </div>
+        </div>
+        <p class="footer">
+            FlowerCore &middot; Bare-metal RKE2 &middot; ArgoCD managed
+            &middot; <a href="mailto:admin@flowercore.io">Contact</a>
+        </p>
+    </body>
+    </html>
+---
+# nginx configuration
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fc-landing-nginx-conf
+  namespace: fc-system
+data:
+  default.conf: |
+    server {
+        listen 80;
+        server_name _;
+        root /usr/share/nginx/html;
+        index index.html;
+
+        location / {
+            try_files $uri $uri/ =404;
+        }
+
+        location /healthz {
+            access_log off;
+            return 200 "ok";
+            add_header Content-Type text/plain;
+        }
+    }
+---
+# Landing Page Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fc-landing
+  namespace: fc-system
+  labels:
+    app: fc-landing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fc-landing
+  template:
+    metadata:
+      labels:
+        app: fc-landing
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+              name: http
+          volumeMounts:
+            - name: nginx-conf
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+            - name: html
+              mountPath: /usr/share/nginx/html
+          resources:
+            requests:
+              memory: 16Mi
+              cpu: 5m
+            limits:
+              memory: 64Mi
+              cpu: 50m
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 80
+            initialDelaySeconds: 3
+            periodSeconds: 5
+      volumes:
+        - name: nginx-conf
+          configMap:
+            name: fc-landing-nginx-conf
+        - name: html
+          configMap:
+            name: fc-landing-html
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fc-landing
+  namespace: fc-system
+spec:
+  selector:
+    app: fc-landing
+  ports:
+    - port: 80
+      targetPort: 80
+      name: http
+---
+# Internal IngressRoute (LAN access)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-landing
+  namespace: fc-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`flowercore.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: fc-landing
+          port: 80
+  tls: {}
+---
+# Public IngressRoute (flowercore.io with Cloudflare origin cert)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-landing-public
+  namespace: fc-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+      kind: Rule
+      services:
+        - name: fc-landing
+          port: 80
+  tls:
+    secretName: cf-origin-flowercore-io
+---
+# HTTP to HTTPS redirect for public domain
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-landing-public-http
+  namespace: fc-system
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+      kind: Rule
+      services:
+        - name: fc-landing
+          port: 80
+      middlewares:
+        - name: redirect-https
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: fc-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true