diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl
index 6c978fb..5d2eb23 100644
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@@ -1,3 +1,149 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik-forward-auth
+data:
+  INSECURE_COOKIE: 'true'
+  COOKIE_DOMAIN: jupyter.hottis.de
+  DOMAINS: jupyter.hottis.de
+  AUTH_HOST: auth.jupyter.hottis.de
+  URL_PATH: /_oauth
+  DEFAULT_PROVIDER: oidc
+  PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
+  PROVIDERS_OIDC_CLIENT_ID: jupyter
+  REQUIRED_ROLE: JupyterAccess
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
+    spec:
+      containers:
+        - name: traefik-forward-auth
+          #image: thomseddon/traefik-forward-auth
+          image: wollud1969/traefik-forward-auth:3.0.0
+          imagePullPolicy: Always
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+            runAsGroup: 65534
+            capabilities:
+              drop:
+                - ALL
+          livenessProbe:
+            failureThreshold: 3
+            tcpSocket:
+              port: 4181
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          resources:
+            limits:
+              memory: '50Mi'
+              cpu: '100m'
+          ports:
+            - containerPort: 4181
+              protocol: TCP
+          env:
+            - name: PROVIDERS_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth
+                  key: PROVIDERS_OIDC_CLIENT_SECRET
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth
+                  key: SECRET
+            - name: LOG_LEVEL
+              value: info
+          envFrom:
+            - configMapRef:
+                name: traefik-forward-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+  - name: auth-http
+    port: 4181
+    targetPort: 4181
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: auth-jupyter-hottis-de
+spec:
+  secretName: auth-jupyter-cert
+  duration: 2160h
+  renewBefore: 360h
+  subject:
+    organizations:
+      - hottis-de
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+  dnsNames:
+    - auth.jupyter.hottis.de
+  issuerRef:
+    name: letsencrypt-production-http
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`auth.jupyter.hottis.de`)
+    kind: Rule
+    services:
+    - name: traefik-forward-auth
+      port: 4181
+  tls:
+    secretName: auth-jupyter-cert
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    trustForwardHeader: true
+    address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181
+    authResponseHeaders:
+      - X-Forwarded-User
+
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -37,26 +183,48 @@ spec:
       targetPort: 8888
       port: 80
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: jupyter-hottis-de
+spec:
+  secretName: jupyter-cert
+  duration: 2160h
+  renewBefore: 360h
+  subject:
+    organizations:
+      - hottis-de
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+  dnsNames:
+    - jupyter.hottis.de
+  issuerRef:
+    name: letsencrypt-production-http
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
 metadata:
   name: jupyter
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-staging-http
+  labels:
+    app: jupyter
 spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`jupyter.hottis.de`)
+    kind: Rule
+    services:
+    - name: jupyter
+      port: 80
+    middlewares:
+      - name: traefik-forward-auth
   tls:
-    - hosts:
-        - jupyter.hottis.de
-      secretName: jupyter-cert
-  rules:
-    - host: jupyter.hottis.de
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: jupyter
-                port:
-                  number: 80
+    secretName: jupyter-cert
 
diff --git a/deployment/secret.yml b/deployment/secret.yml
new file mode 100644
index 0000000..eb841a8
--- /dev/null
+++ b/deployment/secret.yml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: traefik-forward-auth
+type: Opaque
+data:
+  PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
+  SECRET: PLACEHOLDER
+