diff --git a/apps/fc-desktop/fc-desktop.yaml b/apps/fc-desktop/fc-desktop.yaml
index 786a087..92846e2 100644
--- a/apps/fc-desktop/fc-desktop.yaml
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -23,23 +23,16 @@ spec:
 entryPoints:
 - websecure
 routes:
- # Single-host Guacamole routing: Traefik forwards the /guacamole
- # path-prefix directly to the guacamole Service in the guacamole
- # namespace. Must precede the catch-all Host() rule so priority
- # resolves the more-specific match first. RemoteDesktop.Web then
- # emits launch URLs with host=desktop.iamworkin.lan + /guacamole
- # prefix, keeping Guacamole reachable through the same public
- # surface (GuacamolePublicUrl=https://desktop.iamworkin.lan/guacamole).
- - match: Host(`desktop.iamworkin.lan`) && PathPrefix(`/guacamole`)
- kind: Rule
- priority: 20
- services:
- - name: guacamole
- namespace: guacamole
- port: 8080
+ # Host-level catch-all for desktop.iamworkin.lan. The /guacamole
+ # path-prefix match lives in apps/guacamole/guacamole.yaml as a
+ # separate IngressRoute in the guacamole namespace — the cluster
+ # Traefik disallows cross-namespace service refs, so the PathPrefix
+ # rule can't sit here. Traefik's router matching precedence gives
+ # longer/more-specific rules priority automatically, so as long as
+ # the guacamole IngressRoute exists it takes /guacamole traffic
+ # before this catch-all sees it.
 - match: Host(`desktop.iamworkin.lan`)
 kind: Rule
- priority: 10
 services:
 - name: remotedesktop-web
 port: 8080
diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index c06e3d7..da309ec 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
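Review bot: The new comment above the catch-all route attributes the ordering to specificity, but when `priority` is omitted Traefik derives a router's priority from the length of its rule string, so the guacamole route wins only because `Host(...) && PathPrefix(...)` is a longer string than `Host(...)`, not because it is more specific; any later edit that lengthens this rule (an extra `|| Host(...)`, for instance) would silently capture /guacamole traffic. Consider keeping an explicit `priority: 10` on this route and stating the real mechanism in the comment, e.g. `# Traefik defaults router priority to rule length, so the longer PathPrefix rule in the guacamole namespace outranks this one.` Removing the priority also means that if the guacamole IngressRoute is absent or fails to load, /guacamole requests fall through to remotedesktop-web; the comment acknowledges this but nothing enforces it, so a smoke check that a request to /guacamole reaches Guacamole would catch the regression. The IngressRoute's tls stanza, if any, is outside the hunk.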
@@ -444,6 +444,46 @@ spec:
 tls:
 secretName: guacamole-tls
 ---
+# Single-host Guacamole routing — matches RemoteDesktop.Web launch URLs
+# that embed Guacamole as a path-prefixed iframe on the primary desktop
+# host (https://desktop.iamworkin.lan/guacamole/#/client/...). The
+# Traefik IngressRoute lives in the guacamole namespace because the
+# cluster disallows cross-namespace service refs from IngressRoutes.
+# No add-prefix middleware: the browser already sends /guacamole/*
+# which is the servlet path Guacamole's webapp serves at.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: desktop-guacamole-path-tls
+ namespace: guacamole
+spec:
+ secretName: desktop-guacamole-path-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - desktop.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: guacamole-desktop-path
+ namespace: guacamole
+ labels:
+ app.kubernetes.io/part-of: flowercore
+ app.kubernetes.io/component: guacamole-ingress
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`desktop.iamworkin.lan`) && PathPrefix(`/guacamole`)
+ kind: Rule
+ services:
+ - name: guacamole
+ port: 8080
+ tls:
+ secretName: desktop-guacamole-path-tls
+---
 # 1Password secret sync — creates guacamole-credentials K8s Secret
 # Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
 apiVersion: onepassword.com/v1
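Review bot: The new Certificate requests a second certificate for `desktop.iamworkin.lan` from the guacamole namespace, while fc-desktop.yaml presumably already serves the same host with its own certificate (its tls stanza is outside the first hunk), so Traefik's TLS store will hold two certificates for one SNI name and which one it presents is not guaranteed; both chain to the same ClusterIssuer so clients still validate, but the two secrets renew independently and any monitoring or pinning keyed on the served certificate becomes unpredictable. Consider saying so above the `kind: Certificate` line, e.g. `# Second cert for desktop.iamworkin.lan: an IngressRoute can only reference a tls secret in its own namespace, so a per-namespace copy is required; confirm which cert Traefik serves for this SNI.` Separately, `PathPrefix(`/guacamole`)` is a plain string-prefix match in Traefik, so a request for `/guacamole-foo` on the desktop host would also be routed to Guacamole rather than to remotedesktop-web; `(Path(`/guacamole`) || PathPrefix(`/guacamole/`))` restricts the match to that path segment.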