diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
index 06c2c3d3..144f4f8c 100644
--- a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
@@ -51,6 +51,10 @@ spec:
ingress:
- hostname: "cftest.${DNS_SHORT}"
service: hello_world
+ - hostname: "social.jjgadgets.tech"
+ service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
+ originRequest:
+ originServerName: "social.jjgadgets.tech"
- hostname: "*.${DNS_SHORT}"
service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
originRequest:
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
index 5f8b1376..510c85d3 100644
--- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
+++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
@@ -23,7 +23,8 @@ spec:
service:
enabled: true
type: LoadBalancer
- externalTrafficPolicy: Local
+ # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work
+ externalTrafficPolicy: Cluster
annotations:
"io.cilium/lb-ipam-ips": "${APP_IP_NGINX}"
externalIPs:
diff --git a/kube/3-deploy/2-apps/authentik/app/hr.yaml b/kube/3-deploy/2-apps/authentik/app/hr.yaml
index b533c079..0746b4c4 100644
--- a/kube/3-deploy/2-apps/authentik/app/hr.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/hr.yaml
@@ -30,6 +30,9 @@ spec:
annotations:
external-dns.alpha.kubernetes.io/target: "${DNS_MAIN_CF}"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ # WebSockets (used for frontend to backend connection)
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: &host "${APP_DNS_AUTH}"
paths:
@@ -55,6 +58,7 @@ spec:
enabled: false
send_pii: false
postgresql:
+ enabled: false
host: 'pg-authentik-rw'
port: 5432
name: ""
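Review bot: Whether certificate verification is enforced on the new `social.jjgadgets.tech` hop to ingress-nginx cannot be confirmed from this hunk: `originServerName` only fixes the SNI/verification name, and the deciding `noTLSVerify` key is not shown (the wildcard entry's `originRequest` block continues past the hunk). If ingress-nginx presents a cert-manager certificate for this host, leave `noTLSVerify` unset so the in-cluster leg is verified; if it falls back to the controller's self-signed default, `originServerName` alone will not make verification pass and the route fails closed, which is worth testing before DNS is switched. The literal hostname also stands out next to the `${DNS_SHORT}`-templated siblings; a comment such as `# apex differs from ${DNS_SHORT}, so this host cannot ride the wildcard rule below` would record why it is spelled out and why it must sit above the wildcard, since cloudflared takes the first matching rule.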
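Review bot: The comment's claim that client source IP survives `externalTrafficPolicy: Cluster` holds only while Cilium's kube-proxy replacement is active with `loadBalancer.mode` set to `dsr` (or `hybrid` for TCP), and nothing in this file pins that dependency. If that precondition is ever lost, the failure is silent: nginx sees a node IP as `$remote_addr`, and any IP allowlists, rate limits or real-ip trust settings keyed on the client address degrade without an error. Suggest tightening the comment and splitting it to the repo's line length, e.g. `# eTP=Cluster keeps HA/failover; client IP is preserved ONLY because Cilium runs` / `# kubeProxyReplacement with loadBalancer.mode=dsr — re-verify $remote_addr in the` / `# controller logs whenever the Cilium LB mode changes`.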
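Review bot: The hour-long `proxy-read-timeout`/`proxy-send-timeout` values are annotations on the whole authentik Ingress, so every request to the identity provider, not just the WebSocket path, may now hold an nginx upstream connection open for 3600 s. On an internet-facing auth endpoint that widens slow-client connection-exhaustion exposure beyond what the WebSocket use case needs. If the chart allows it, carve the WebSocket path into its own Ingress (or a `location`-scoped snippet) carrying these timeouts and keep the controller default elsewhere; at minimum, extend the comment to say the cost is accepted, e.g. `# WebSockets (frontend↔backend); note this also lifts the idle timeout for all other paths on this host`. The `hosts`/`paths` structure these annotations govern continues outside the hunk.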
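Review bot: `enabled: false` lands under a `postgresql:` map whose siblings are `host`, `port` and `name`, which reads as the application's database connection block rather than the chart's bundled-PostgreSQL subchart toggle; in the authentik chart layouts I know, the subchart switch lives under a top-level `postgresql:` key. If the intent is to stop the chart from deploying its own PostgreSQL, this key is probably ignored here (or flattened into an unexpected `AUTHENTIK_POSTGRESQL__ENABLED` env var) and the subchart keeps running; if it is somehow honoured as a connection setting it would detach the app from `pg-authentik-rw`. Please confirm against the pinned chart version's values.yaml and add a one-line comment stating which knob this is, e.g. `# disables the bundled postgres subchart; connection settings are the sibling keys`. The enclosing values map begins before this hunk.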
diff --git a/kube/3-deploy/2-apps/authentik/app/netpol.yaml b/kube/3-deploy/2-apps/authentik/app/netpol.yaml
index e2b15c04..8444e951 100644
--- a/kube/3-deploy/2-apps/authentik/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/netpol.yaml
@@ -31,9 +31,6 @@ spec:
protocol: TCP
- port: "9300"
protocol: TCP
- rules:
- http:
- - {}
egress:
# same namespace
- toEndpoints:
diff --git a/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml b/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
index a4c762bb..26d929b4 100644
--- a/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
@@ -8,6 +8,8 @@ type: Opaque
stringData:
GTS_OIDC_ENABLED: "true"
GTS_OIDC_IDP_NAME: "JJGadgets Auth"
+ # migration from <0.7.0
+ GTS_OIDC_LINK_EXISTING: "true"
GTS_OIDC_ISSUER: "${SECRET_GTS_OIDC_ISSUER}"
GTS_OIDC_CLIENT_ID: "${SECRET_GTS_OIDC_CLIENT_ID}"
GTS_OIDC_CLIENT_SECRET: "${SECRET_GTS_OIDC_CLIENT_SECRET}"
diff --git a/kube/3-deploy/2-apps/ntfy/app/netpol.yaml b/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
index 2bc4dc48..9d82e233 100644
--- a/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
@@ -21,9 +21,6 @@ spec:
- ports:
- port: "8080"
protocol: TCP
- rules:
- http:
- - {}
# allow SMTP to Ntfy notification
- fromEndpoints:
- matchLabels:
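Review bot: Nothing in the hunk records why the `rules.http: [{}]` block is dropped, yet the effect is a real policy change: the listed ports (9300 and the one just above the hunk) are now allowed at L4 only, with no Envoy stage and no HTTP-level flow visibility in Hubble for this traffic. If the motive is that Cilium's L7 proxy breaks the long-lived WebSocket connections the authentik web UI uses (the companion proxy-timeout change in this commit points that way), say so in place so the rule is not re-added in a later cleanup, e.g. `# intentionally L4-only: Cilium's Envoy L7 proxy interferes with the WebSocket upgrades used by the UI`. The `ingress` list this belongs to starts before the hunk.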
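Review bot: `GTS_OIDC_LINK_EXISTING: "true"` makes ownership of existing GoToSocial accounts rest entirely on the IdP's email claim, because (per GoToSocial's documented behaviour of this flag) a first OIDC login is attached to whatever local account already has that email. If the issuer behind `${SECRET_GTS_OIDC_ISSUER}` allows self-registration or unverified email changes, anyone who can claim the victim's address there can log in as the victim here, so this should stay on only for the duration of the migration and only with email verification enforced at authentik. The `# migration from <0.7.0` comment should make the temporary nature explicit, e.g. `# TEMPORARY for <0.7.0 migration: links on matching IdP email, so it trusts the IdP's email claim; set back to "false" once all legacy accounts have logged in via OIDC`.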
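Review bot: Removing `rules.http: [{}]` turns this allow into a plain L4 rule on 8080 without a comment explaining why, so the L7 rule is likely to be reinstated by someone "tidying up" and whatever broke will come back. Ntfy keeps subscriber connections open for long periods (SSE, WebSocket and long-poll), which is the kind of traffic Cilium's Envoy proxy is known to interfere with, so one line suffices if that is the reason: `# L4 only: Cilium's Envoy L7 proxy breaks ntfy's long-lived subscriber streams`. Note that the `fromEndpoints`/`matchLabels` selector for the SMTP allow is cut off at the hunk's edge, so the rest of that rule was not reviewed.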