diff --git a/cluster/apps/authentik/helm-release.yaml b/cluster/apps/authentik/helm-release.yaml index 4ce79da..f860d69 100644 --- a/cluster/apps/authentik/helm-release.yaml +++ b/cluster/apps/authentik/helm-release.yaml @@ -55,7 +55,6 @@ spec: ingress: enabled: true annotations: - cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure hosts: - host: &host "auth.${SECRET_NEW_DOMAIN}" diff --git a/cluster/apps/database/postgresql/pgadmin4/helm-release.yaml b/cluster/apps/database/postgresql/pgadmin4/helm-release.yaml index c94ea0c..c283054 100644 --- a/cluster/apps/database/postgresql/pgadmin4/helm-release.yaml +++ b/cluster/apps/database/postgresql/pgadmin4/helm-release.yaml @@ -19,10 +19,13 @@ spec: ingress: enabled: true annotations: - cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure hosts: - - host: pgsql.database.${SECRET_DOMAIN} + - host: &host pgsql.database.${SECRET_DOMAIN} paths: - path: "/" - pathType: Prefix \ No newline at end of file + pathType: Prefix + tls: + - hosts: + - *host + secretName: wildcard-main-tls \ No newline at end of file diff --git a/cluster/apps/tools/gotify/helm-release.yaml b/cluster/apps/tools/gotify/helm-release.yaml new file mode 100644 index 0000000..d8e83df --- /dev/null +++ b/cluster/apps/tools/gotify/helm-release.yaml 
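Review bot: In the pgadmin4 hunk the ingress host is `pgsql.database.${SECRET_DOMAIN}`, but the certificate behind `secretName: wildcard-main-tls` gains `*.database.${SECRET_NEW_DOMAIN}` in the wildcard-cert.yaml hunk of this same commit. If the two variables expand to different domains, the new `tls` entry references a certificate that does not cover this host, and clients would presumably be served a non-matching or default certificate. Either change the line to `- host: &host "pgsql.database.${SECRET_NEW_DOMAIN}"` or add the old domain to the certificate's `dnsNames`. pgAdmin is a database administration console, so confirm that an authentication middleware or network policy sits in front of this route. None is visible here, though the hunk shows only part of the ingress block.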
@@ -0,0 +1,63 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: gotify + namespace: tools +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 1.3.x + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + + values: + image: + repository: ghcr.io/gotify/server + tag: latest + + env: + TZ: America/New_York + + service: + main: + ports: + http: + port: 80 + + probes: + liveness: + enabled: false + + ingress: + main: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + hosts: + - host: &host "notif.${SECRET_NEW_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + secretName: wildcard-main-tls + + persistence: + config: + enabled: true + type: hostPath + hostPath: /mnt/MainPool/Kubernetes/gotify + mountPath: /app/data + + resources: + requests: + cpu: 1m + memory: 8Mi + + limits: + memory: 500Mi \ No newline at end of file diff --git a/cluster/apps/tools/gotify/kustomization.yaml b/cluster/apps/tools/gotify/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/cluster/apps/tools/gotify/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/cluster/apps/tools/hastebin/helm-release.yaml b/cluster/apps/tools/hastebin/helm-release.yaml index f0a410f..cb7edae 100644 --- a/cluster/apps/tools/hastebin/helm-release.yaml +++ b/cluster/apps/tools/hastebin/helm-release.yaml @@ -50,7 +50,6 @@ spec: main: enabled: true annotations: - cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure hosts: - host: &host "paste.${SECRET_NEW_DOMAIN}" diff --git a/cluster/apps/tools/kustomization.yaml b/cluster/apps/tools/kustomization.yaml index aebe201..be0814b 100644 --- a/cluster/apps/tools/kustomization.yaml 
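Review bot: `tag: latest` in the new gotify release is a mutable reference, so the cluster can pull whatever is currently published under that tag on ghcr.io, with no review step and no record of which build ran. Pin it to a released version, e.g. `tag: "<RELEASE_VERSION>"` (placeholder, take the value from the registry), and add the image digest if the chart accepts one. The same values mount a `hostPath` volume (`/mnt/MainPool/Kubernetes/gotify`), which ties the pod to one node and hands the container a path on the host filesystem. A PersistentVolumeClaim would be the narrower choice. The liveness probe is disabled without explanation and no security context is set in the visible values. A comment such as `# liveness disabled because <reason>` and an explicit non-root security context would make the intent reviewable.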
+++ b/cluster/apps/tools/kustomization.yaml @@ -5,4 +5,5 @@ resources: - ./network_policy.yaml - ./transfersh - ./vaultwarden -- ./hastebin \ No newline at end of file +- ./hastebin +- ./gotify \ No newline at end of file diff --git a/cluster/apps/tools/transfersh/helm-release.yaml b/cluster/apps/tools/transfersh/helm-release.yaml index 739b057..4344444 100644 --- a/cluster/apps/tools/transfersh/helm-release.yaml +++ b/cluster/apps/tools/transfersh/helm-release.yaml @@ -46,7 +46,6 @@ spec: main: enabled: true annotations: - cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure hosts: - host: &host "upload.${SECRET_NEW_DOMAIN}" diff --git a/cluster/apps/tools/vaultwarden/helm-release.yaml b/cluster/apps/tools/vaultwarden/helm-release.yaml index 538f6ae..074cf80 100644 --- a/cluster/apps/tools/vaultwarden/helm-release.yaml +++ b/cluster/apps/tools/vaultwarden/helm-release.yaml @@ -33,7 +33,6 @@ spec: main: enabled: true annotations: - cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure hosts: - host: &host "bitwarden.${SECRET_NEW_DOMAIN}" diff --git a/cluster/core/cert-manager/wildcard-cert.yaml b/cluster/core/cert-manager/wildcard-cert.yaml index bf1a27d..fc81144 100644 --- a/cluster/core/cert-manager/wildcard-cert.yaml +++ b/cluster/core/cert-manager/wildcard-cert.yaml @@ -8,7 +8,7 @@ spec: secretTemplate: annotations: - replicator.v1.mittwald.de/replicate-to: "traefik,download,media,tools,management,authentik" + replicator.v1.mittwald.de/replicate-to: "traefik,download,media,tools,management,authentik,database" duration: 2160h # 90d renewBefore: 360h # 15d @@ -19,4 +19,5 @@ spec: dnsNames: - "*.${SECRET_NEW_DOMAIN}" - - "*.k3s.${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "*.k3s.${SECRET_NEW_DOMAIN}" + - "*.database.${SECRET_NEW_DOMAIN}" \ No newline at end of file 
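Review bot: Adding `database` to `replicator.v1.mittwald.de/replicate-to` in wildcard-cert.yaml copies the private key for `*.${SECRET_NEW_DOMAIN}` into one more namespace. Any workload or service account there that can read secrets could then present a valid certificate for every host under the wildcard, including the `bitwarden.` and `auth.` hosts seen elsewhere in this commit. A separate `Certificate` in the `database` namespace limited to `*.database.${SECRET_NEW_DOMAIN}` would confine a compromise of that namespace to its own names. If the shared secret is kept, add a comment above the annotation recording why each listed namespace needs it, and check that RBAC in `database` restricts `get`/`list` on secrets.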
diff --git a/cluster/core/networking/traefik/helm-release.yaml b/cluster/core/networking/traefik/helm-release.yaml index 7c393fa..ceb1a7a 100644 --- a/cluster/core/networking/traefik/helm-release.yaml +++ b/cluster/core/networking/traefik/helm-release.yaml @@ -85,13 +85,6 @@ spec: ingressRoute: dashboard: enabled: false -# annotations: -# cert-manager.io/cluster-issuer: "letsencrypt-production" -# entryPoints: -# - websecure -# middlewares: -# - traefik-authentik@kubernetescrd -# matchRule: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes. ingressClass: diff --git a/docs/todo.md b/docs/todo.md index 0c38278..0cb2814 100644 --- a/docs/todo.md +++ b/docs/todo.md @@ -22,4 +22,5 @@ TODO: - [ ] Move transfer storage to minio - [ ] Reloader - [ ] kured -- [ ] external-dns \ No newline at end of file +- [ ] external-dns +- [x] gotify \ No newline at end of file