diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml
index e58ada3..e006d7a 100644
--- a/ansible-5/roles/prod.k3s/defaults/main.yml
+++ b/ansible-5/roles/prod.k3s/defaults/main.yml
@@ -79,7 +79,7 @@ apps:
     namespace: default
     pvc: data-dkregistry-0
     image: registry:3
-    state: absent
+    state: present
 
   nextcloud:
     enabled: true
diff --git a/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml b/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml
index 0fc3c69..9611621 100644
--- a/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/dkregistry/values.yaml
@@ -9,8 +9,10 @@ image:
 ingress:
   enabled: true
 #  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
   tls:
-    - secretName: xai-corp-production-tls
+    - secretName: xai-corp-production-tls-registry
   hosts:
     - dkregistry.xai-corp.net
 #  annotations:
diff --git a/ansible-5/roles/prod.k3s/files/gitea/values.yaml b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
index cb1cb57..5a43a1c 100644
--- a/ansible-5/roles/prod.k3s/files/gitea/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
@@ -27,7 +27,7 @@ ingress:
         - path: /
           pathType: Prefix
   tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
-    - secretName: xai-corp-production-tls-funkwhale
+    - secretName: xai-corp-production-tls-git
       hosts:
         - git.xai-corp.net