diff --git a/homer/ingress.yaml b/homer/ingress.yaml
index 6c0c876..5c83340 100644
--- a/homer/ingress.yaml
+++ b/homer/ingress.yaml
@@ -28,8 +28,6 @@ spec:
 tls:
 - hosts:
 - homer.apps.undercloud.dev
- - portal.undercloud.dev
- - portal.apps.undercloud.dev
 secretName: homer-tls
 rules:
 - host: homer.apps.undercloud.dev
@@ -42,6 +40,34 @@ spec:
 name: homer
 port:
 number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: portal
+ namespace: homer
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/hsts: "true"
+ nginx.ingress.kubernetes.io/hsts-max-age: "31536000"
+ nginx.ingress.kubernetes.io/hsts-include-subdomains: "true"
+ nginx.ingress.kubernetes.io/hsts-preload: "true"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+ add_header Cache-Control "public, max-age=600" always;
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
+spec:
+ tls:
+ - hosts:
+ - portal.undercloud.dev
+ secretName: portal-tls
+ rules:
 - host: portal.undercloud.dev
 http:
 paths:
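Review bot: The four `nginx.ingress.kubernetes.io/hsts*` annotations on the new `portal` Ingress are probably not honoured: as far as I know ingress-nginx reads `hsts`, `hsts-max-age`, `hsts-include-subdomains` and `hsts-preload` only from the controller ConfigMap, so the response would carry whatever the controller default is and these lines suggest coverage that is not there. I would drop them here and set the values in the ConfigMap, or at least confirm the emitted `Strict-Transport-Security` header with a request after deploy. The `configuration-snippet` annotation also only takes effect when the controller runs with `allow-snippet-annotations: "true"`, which lets anyone able to create an Ingress add nginx directives; the controller's `add-headers` ConfigMap option can carry the same headers without that switch. Separately, `add_header Cache-Control "public, max-age=600" always;` applies to error responses too, so dropping `always` on that one line keeps shared caches from holding a 4xx/5xx for ten minutes. The rules list of this Ingress continues below the hunk, so whether a rule for `portal.apps.undercloud.dev` still exists without a matching TLS host cannot be checked from here.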