diff --git a/apps/traefik-dashboard/traefik-dashboard.yaml b/apps/traefik-dashboard/traefik-dashboard.yaml
new file mode 100644
index 0000000..93fdcae
--- /dev/null
+++ b/apps/traefik-dashboard/traefik-dashboard.yaml
@@ -0,0 +1,58 @@
+# Traefik Dashboard - BasicAuth protected
+# ArgoCD managed - BlueJay Lab
+---
+# BasicAuth credentials secret (admin:zenith-turret-falcon-umber)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: traefik-dashboard-auth
+  namespace: traefik-system
+type: Opaque
+stringData:
+  users: "admin:$apr1$0URvzxzA$V6rOAD80XRUFeN7NR88VR."
+---
+# BasicAuth middleware
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dashboard-auth
+  namespace: traefik-system
+spec:
+  basicAuth:
+    secret: traefik-dashboard-auth
+---
+# Dashboard IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`traefik.iamworkin.lan`)
+      services:
+        - name: api@internal
+          kind: TraefikService
+      middlewares:
+        - name: traefik-dashboard-auth
+  tls:
+    secretName: traefik-tls
+---
+# TLS certificate for traefik.iamworkin.lan
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-tls
+  namespace: traefik-system
+spec:
+  secretName: traefik-tls
+  issuerRef:
+    name: step-ca-issuer
+    kind: ClusterIssuer
+  dnsNames:
+    - traefik.iamworkin.lan
+  duration: 720h
+  renewBefore: 168h