diff --git a/k8s/clusters/dolo/infrastructure.yaml b/k8s/clusters/dolo/infrastructure.yaml
index 0a56a18..4994fa8 100644
--- a/k8s/clusters/dolo/infrastructure.yaml
+++ b/k8s/clusters/dolo/infrastructure.yaml
@@ -30,6 +30,6 @@ spec:
 name: flux-system
 path: ./k8s/infrastructure
 wait: true
- prune: false
+ prune: true
 dependsOn:
 - name: crds
diff --git a/k8s/infrastructure/configs/flux/kustomization.yaml b/k8s/infrastructure/configs/flux/kustomization.yaml
index e86b3ad..ef827d9 100644
--- a/k8s/infrastructure/configs/flux/kustomization.yaml
+++ b/k8s/infrastructure/configs/flux/kustomization.yaml
@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - discord-alert.yaml
- - webhook-ingress.yaml
+ - webhook.yaml
diff --git a/k8s/infrastructure/configs/flux/webhook-ingress.yaml b/k8s/infrastructure/configs/flux/webhook-ingress.yaml
deleted file mode 100644
index d975f5b..0000000
--- a/k8s/infrastructure/configs/flux/webhook-ingress.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: webhook-receiver
- namespace: flux-system
- annotations:
- cert-manager.io/cluster-issuer: le-cf-issuer
- kubernetes.io/ingress.class: traefik
-spec:
- rules:
- - host: flux-webhook.dolo.mnke.org
- http:
- paths:
- - pathType: Prefix
- path: /
- backend:
- service:
- name: webhook-receiver
- port:
- number: 80
- tls:
- - hosts:
- - flux-webhook.dolo.mnke.org
- secretName: wildcard-mnke-org-tls
diff --git a/k8s/infrastructure/configs/flux/webhook.yaml b/k8s/infrastructure/configs/flux/webhook.yaml
new file mode 100644
index 0000000..9cbe666
--- /dev/null
+++ b/k8s/infrastructure/configs/flux/webhook.yaml
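Review bot: Flipping `prune: true` on the infrastructure Kustomization changes what happens to every object under ./k8s/infrastructure, not just the webhook Ingress handled in this commit: any manifest later removed from git now gets its cluster object deleted, where previously it was left in place. Objects that must outlive their manifest (stateful workloads, externally managed resources) can opt out with the `kustomize.toolkit.fluxcd.io/prune: disabled` label, and that is worth checking across the tree before this lands. A short inline comment recording the intent would help the next reader, e.g. `prune: true  # manifests removed from ./k8s/infrastructure are garbage-collected from the cluster`. The rest of the Kustomization spec sits outside the hunk.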
@@ -0,0 +1,73 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: homelab
+ namespace: flux-system
+spec:
+ interval: 60m
+ url: https://git.mnke.org/tony/homelab.git
+ ref:
+ branch: master
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: gitea-webhook-token
+ namespace: flux-system
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: infisical
+
+ target:
+ name: gitea-webhook-token
+
+ data:
+ - secretKey: token
+ remoteRef:
+ key: gitea-webhook-token
+
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: homelab
+ namespace: flux-system
+spec:
+ type: github # https://fluxcd.io/flux/components/notification/receivers/#type
+ events:
+ - "ping"
+ - "push"
+ secretRef:
+ name: gitea-webhook-token
+ resources:
+ - kind: GitRepository
+ name: homelab
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: webhook-receiver
+ namespace: flux-system
+ annotations:
+ cert-manager.io/cluster-issuer: le-cf-issuer
+ kubernetes.io/ingress.class: traefik
+spec:
+ rules:
+ - host: flux-webhook.dolo.mnke.org
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - flux-webhook.dolo.mnke.org
+ secretName: wildcard-mnke-org-tls
diff --git a/k8s/infrastructure/controllers/traefik/release.yaml b/k8s/infrastructure/controllers/traefik/release.yaml
index cd2c401..021ecd3 100644
--- a/k8s/infrastructure/controllers/traefik/release.yaml
+++ b/k8s/infrastructure/controllers/traefik/release.yaml
@@ -95,6 +95,9 @@ spec:
 service:
 enabled: true
 type: LoadBalancer
+ # This is needed to get the real IP address, otherwise Kubernetes SNAT
+ # will mask it
+ externalTrafficPolicy: Local
 annotations: {}
 labels: {}
 spec:
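Review bot: The Ingress in the new webhook.yaml still selects its controller with the `kubernetes.io/ingress.class: traefik` annotation, which Kubernetes deprecated in favour of `spec.ingressClassName`; since the manifest is being rewritten anyway, `ingressClassName: traefik` under `spec` is the forward-compatible form. The rule also routes `pathType: Prefix` with `path: /` to the whole webhook-receiver service, while Flux serves each Receiver under the `/hook/<digest>` path it publishes in the Receiver status, so narrowing the prefix to `/hook/` keeps everything else on that service off the public hostname. The Receiver is declared as `type: github` although the secret is `gitea-webhook-token`; that only works as far as the Gitea webhook is configured to send a GitHub-compatible `X-Hub-Signature` header, which is worth confirming against the Gitea webhook settings rather than assuming. The GitRepository carries no `secretRef`, so the repository at git.mnke.org is presumably public; fine if intended, but a comment saying so avoids a later "why does this have no credentials" question.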
@@ -102,6 +105,21 @@ spec:
 loadBalancerSourceRanges: []
 externalIPs: []

+ topologySpreadConstraints:
+ # Force scheduler to put traefik pods on nodes where no other traefik pods
+ # are scheduled.
+ # This tries to counteract the effects of having a Local
+ # externalTrafficPolicy, where Kubernetes only load balances on the node
+ # level rather than the pod level. This means we should try to avoid
+ # scheduling traefik pods on the same node to have more balanced
+ # load balancing
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+
 # tlsStore:
 # default:
 # defaultCertificate:
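Review bot: `whenUnsatisfiable: DoNotSchedule` with `maxSkew: 1` only keeps the per-node traefik count within one of each other: once every node holds a pod a further replica may still land on a used node, and with fewer replicas than nodes some nodes get no pod at all, so this does not give the one-pod-per-node coverage that `externalTrafficPolicy: Local` in the previous hunk relies on, and a node without a local pod does not forward that traffic elsewhere. If full coverage is the goal, running the chart with its DaemonSet deployment kind expresses it directly; otherwise the comment should state that nodes without a pod are expected to fail the load balancer's health check. The `'{{ template "traefik.name" . }}'` value reaches the chart as a literal string from HelmRelease values and only becomes a label if the chart renders `topologySpreadConstraints` through `tpl`, so it is worth checking the rendered pod spec for the literal braces once. The eight-line comment could be condensed to the trade-off it documents, e.g. `# Spread traefik pods across nodes: with externalTrafficPolicy Local the LB balances per node, not per pod`.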