diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
index 63f1116..78e59fc 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@@ -12,6 +12,7 @@ profiles::haproxy::mappings:
 - 'readarr.main.unkin.net be_readarr'
 - 'prowlarr.main.unkin.net be_prowlarr'
 - 'jellyfin.main.unkin.net be_jellyfin'
+ - 'fafflix.unkin.net be_jellyfin'
 fe_https:
 ensure: present
 mappings:
@@ -23,6 +24,7 @@ profiles::haproxy::mappings:
 - 'readarr.main.unkin.net be_readarr'
 - 'prowlarr.main.unkin.net be_prowlarr'
 - 'jellyfin.main.unkin.net be_jellyfin'
+ - 'fafflix.unkin.net be_jellyfin'
 profiles::haproxy::frontends:
 fe_http:
@@ -32,12 +34,14 @@ profiles::haproxy::frontends:
 fe_https:
 options:
 acl:
- - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
- - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
- - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
- - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
- - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
+ - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
+ - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
+ - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
+ - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
+ - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
+ - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
+ - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
+ - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
 - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
 use_backend:
 - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
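Review bot: `fafflix.unkin.net` is the only visible mapping outside the `main.unkin.net` zone, and it is added to both map lists: this one, which precedes `fe_https` and so presumably belongs to `fe_http` (its header is outside the hunk), and the `fe_https` list in the next hunk. If the plain-HTTP frontend does not redirect to HTTPS, Jellyfin logins for this name can cross the wire in clear text; confirm the redirect exists or drop the entry from the plain-HTTP map. Whether `acl_internalsubnets` restricts this name is not visible here, so if it is meant to be reachable from outside the internal subnets, a comment above the entry such as `# alias for jellyfin outside main.unkin.net; exposure reviewed` would record that the difference is deliberate.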
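Review bot: The `acl_*` entries in the third hunk match the whole Host header as an exact string, so a request sent with an explicit port (`Host: fafflix.unkin.net:443`) matches none of them. The `X-Frame-Options DENY` rules keyed on these ACLs in the later hunk (`if acl_jellyfin`, `if acl_fafflix`) are then silently skipped for that request. Stripping the port before the comparison makes the match robust, for example `- 'acl_fafflix req.hdr(host),field(1,:) -i fafflix.unkin.net'`, applied to each host ACL. The `use_backend` map lookup in the context line lowercases the header but does not strip a port either, so such a request would also fall through to `be_default`.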
@@ -50,6 +54,8 @@ profiles::haproxy::frontends:
 - 'set-header X-Frame-Options DENY if acl_lidarr'
 - 'set-header X-Frame-Options DENY if acl_readarr'
 - 'set-header X-Frame-Options DENY if acl_prowlarr'
+ - 'set-header X-Frame-Options DENY if acl_jellyfin'
+ - 'set-header X-Frame-Options DENY if acl_fafflix'
 - 'set-header X-Content-Type-Options nosniff'
 - 'set-header X-XSS-Protection 1;mode=block'
@@ -184,17 +190,20 @@ profiles::haproxy::backends:
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
+ - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/vault/certificate.pem
 # additional altnames
 profiles::pki::vault::alt_names:
 - au-syd1-pve.main.unkin.net
 - au-syd1-pve-api.main.unkin.net
- - sonarr.main.unkin.net
- - radarr.main.unkin.net
- - lidarr.main.unkin.net
- - readarr.main.unkin.net
- - prowlarr.main.unkin.net
 - jellyfin.main.unkin.net
 # additional cnames
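Review bot: `X-Frame-Options DENY` is attached one host at a time, so any name that reaches a backend through the map without its own `acl_*` and `set-header` pair is served without the header. `jellyfin.main.unkin.net` shows the gap: it was already mapped in the context lines of the earlier hunks but only gets its ACL and rule in this commit. Unless a backend needs to be framed, an unconditional `- 'set-header X-Frame-Options DENY'`, like the `X-Content-Type-Options nosniff` line directly below, fails closed and removes the per-host bookkeeping. The key that owns this list lies outside the hunk.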
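Review bot: `au-syd1-pve.main.unkin.net` and `au-syd1-pve-api.main.unkin.net` gain Let's Encrypt entries in `certlist::certificates` but stay in `profiles::pki::vault::alt_names`, whereas the five *arr names were removed from it. If the Vault certificate still carries those two names, two certificates in the list cover the same SNI and the one served depends on HAProxy's selection order. If the overlap is intentional, a comment above the Vault entry such as `# vault cert kept last: covers names without a letsencrypt cert (jellyfin.main)` would document it; otherwise drop the two alt_names. The `fullchain_combined.pem` name suggests these files bundle the private key, so confirm the profile manages their owner and mode.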