diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
index 27f0a1f..55cc6d2 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@@ -10,6 +10,7 @@ profiles::haproxy::dns::vrrp_cnames:
 - git.unkin.net
 - fafflix.unkin.net
 - grafana.unkin.net
+ - dashboard.ceph.unkin.net
 profiles::haproxy::mappings:
 fe_http:
@@ -27,6 +28,7 @@ profiles::haproxy::mappings:
 - 'fafflix.unkin.net be_jellyfin'
 - 'git.unkin.net be_gitea'
 - 'grafana.unkin.net be_grafana'
+ - 'dashboard.ceph.unkin.net be_ceph_dashboard'
 fe_https:
 ensure: present
 mappings:
@@ -42,6 +44,7 @@ profiles::haproxy::mappings:
 - 'fafflix.unkin.net be_jellyfin'
 - 'git.unkin.net be_gitea'
 - 'grafana.unkin.net be_grafana'
+ - 'dashboard.ceph.unkin.net be_ceph_dashboard'
 profiles::haproxy::frontends:
 fe_http:
@@ -62,6 +65,7 @@ profiles::haproxy::frontends:
 - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
 - 'acl_gitea req.hdr(host) -i git.unkin.net'
 - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
+ - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
 - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
 use_backend:
 - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -79,6 +83,7 @@ profiles::haproxy::frontends:
 - 'set-header X-Frame-Options DENY if acl_fafflix'
 - 'set-header X-Frame-Options DENY if acl_gitea'
 - 'set-header X-Frame-Options DENY if acl_grafana'
+ - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
 - 'set-header X-Content-Type-Options nosniff'
 - 'set-header X-XSS-Protection 1;mode=block'
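Review bot: The new `set-header X-Frame-Options DENY if acl_ceph_dashboard` line in the @@ -79 hunk matches the other vhosts, but the Ceph dashboard's Grafana integration renders Grafana panels inside iframes, and the existing `DENY if acl_grafana` two lines above will make browsers refuse to frame grafana.unkin.net from dashboard.ceph.unkin.net if that integration is turned on. If embedded panels are wanted, the Grafana vhost needs a frame-ancestors policy instead of a blanket DENY, e.g. `set-header Content-Security-Policy "frame-ancestors 'self' https://dashboard.ceph.unkin.net" if acl_grafana`; if not, a one-line comment saying the Grafana embedding is disabled saves the next reader the check. This is inferred from how the Ceph dashboard embeds Grafana, not from anything visible in the hunk.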
@@ -262,6 +267,26 @@ profiles::haproxy::backends:
 redirect: 'scheme https if !{ ssl_fc }'
 stick-table: 'type ip size 200k expire 30m'
 stick: 'on src'
+ be_ceph_dashboard:
+ description: Backend for Ceph Dashboard from Mgr instances
+ collect_exported: false # handled in custom function
+ options:
+ balance: roundrobin
+ option:
+ - httpchk GET /
+ - forwardfor
+ - http-keep-alive
+ - prefer-last-server
+ cookie: SRVNAME insert indirect nocache
+ http-reuse: always
+ http-check:
+ - expect status 200
+ http-request:
+ - set-header X-Forwarded-Port %[dst_port]
+ - add-header X-Forwarded-Proto https if { dst_port 9443 }
+ redirect: 'scheme https if !{ ssl_fc }'
+ stick-table: 'type ip size 200k expire 30m'
+ stick: 'on src'
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@@ -276,6 +301,7 @@ profiles::haproxy::certlist::certificates:
 - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/vault/certificate.pem
 # additional altnames
@@ -303,3 +329,4 @@ certbot::client::domains:
 - fafflix.unkin.net
 - git.unkin.net
 - grafana.unkin.net
+ - dashboard.ceph.unkin.net
diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
index 3c6c078..d83f5cc 100644
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@@ -6,6 +6,7 @@ hiera_include:
 - zfs
 - profiles::ceph::node
 - profiles::ceph::client
+ - profiles::ceph::dashboard
 - profiles::storage::cephfsvols
 - exporters::frr_exporter
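Review bot: The persistence cookie in the new `be_ceph_dashboard` backend, `cookie: SRVNAME insert indirect nocache`, is set without `secure` or `httponly`, so the SRVNAME cookie would also be sent over plain HTTP and is readable by page scripts; since the backend already forces `scheme https if !{ ssl_fc }`, `cookie: SRVNAME insert indirect nocache secure httponly` costs nothing and is what the dashboard session should sit behind. The same cookie line may exist on the backends this one mirrors, so apply it there too if adopted. Separately, in a backend `http-request` rule `dst_port` is the client-side destination port, so `add-header X-Forwarded-Proto https if { dst_port 9443 }` only fires when a frontend listens on 9443 — none is visible in this diff, so the header is probably never added; `if { ssl_fc }` is the condition that matches the https frontend.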
@@ -121,6 +122,9 @@ profiles::yum::global::repos:
 # dns
 profiles::dns::base::primary_interface: loopback0
+# dashboard/haproxy
+profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"
+
 # networking
 systemd::manage_networkd: true
 systemd::manage_all_network_files: true
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
index 5f95c02..9891134 100644
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -15,3 +15,4 @@ certbot::domains:
 - fafflix.unkin.net
 - git.unkin.net
 - grafana.unkin.net
+ - dashboard.ceph.unkin.net
diff --git a/site/profiles/manifests/ceph/dashboard.pp b/site/profiles/manifests/ceph/dashboard.pp
new file mode 100644
index 0000000..55a4c4d
--- /dev/null
+++ b/site/profiles/manifests/ceph/dashboard.pp
@@ -0,0 +1,20 @@
+class profiles::ceph::dashboard (
+ Stdlib::IP::Address $ipaddress = $facts['networking']['ip'],
+){
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_9443":
+ service => 'be_ceph_dashboard',
+ ipaddress => $ipaddress,
+ ports => [9443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+}
diff --git a/site/profiles/manifests/haproxy/balancemember.pp b/site/profiles/manifests/haproxy/balancemember.pp
index a477a91..86893f1 100644
--- a/site/profiles/manifests/haproxy/balancemember.pp
+++ b/site/profiles/manifests/haproxy/balancemember.pp
@@ -3,6 +3,7 @@ define profiles::haproxy::balancemember (
 String $service,
 Array[Stdlib::Port] $ports,
 Array $options = ['check'],
+ Stdlib::IP::Address $ipaddress = $facts['networking']['ip'],
 ) {
 $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
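Review bot: The exported server options in `profiles::ceph::dashboard` combine `'ssl'` with `'verify none'`, so HAProxy encrypts the hop to the mgr on 9443 but never authenticates the peer; that is a common trade-off for the dashboard's self-signed certificate, but it should be recorded on the resource, e.g. `# 'verify none': mgr presents a self-signed cert, TLS here is confidentiality only — TODO switch to verify required + ca-file/verifyhost once the dashboard cert is managed`. `Stdlib::IP::Address` also admits CIDR forms such as 10.0.0.1/24, which would produce a broken `server` line; `Stdlib::IP::Address::Nosubnet` states the intent, and the same applies to the new `$ipaddress` parameter in the balancemember.pp @@ -3 hunk. The class has no doc block, so a `# @summary Exports this node's Ceph dashboard as a haproxy backend member` plus `# @param ipaddress Address exported to haproxy; defaults to the primary interface IP` header would make the hiera override in node.yaml discoverable. The hunk header counts 20 added lines but only 19 are visible, so the resource's closing brace may have been lost in rendering rather than in the file.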
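Review bot: The new `Stdlib::IP::Address $ipaddress = $facts['networking']['ip']` parameter on `profiles::haproxy::balancemember` is undocumented; the define's doc comment sits above the hunk, so add `# @param ipaddress Address registered with haproxy for this member; defaults to the primary interface IP` next to the existing parameter entries. The define's body continues past the hunk.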
@@ -12,7 +13,7 @@ define profiles::haproxy::balancemember (
 listening_service => $service,
 ports => $ports,
 server_names => $facts['networking']['hostname'],
- ipaddresses => $facts['networking']['ip'],
+ ipaddresses => $ipaddress,
 options => $options,
 tag => $balancemember_tag,
 }