diff --git a/dmz/cert-manager/templates/issuer.yaml b/dmz/cert-manager/templates/issuer.yaml
index 9c204fb..0f8775b 100644
--- a/dmz/cert-manager/templates/issuer.yaml
+++ b/dmz/cert-manager/templates/issuer.yaml
@@ -1,6 +1,6 @@
-#apiVersion: v1
-#kind: ServiceAccount
-#metadata:
-# name: issuer
-#secrets:
-# - name: issuer-token-lmzpj
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: issuer
+secrets:
+ - name: issuer-token-lmzpj
diff --git a/dmz/internalproxy/templates/root-vault.yaml b/dmz/internalproxy/templates/root-vault.yaml
new file mode 100644
index 0000000..af97b25
--- /dev/null
+++ b/dmz/internalproxy/templates/root-vault.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: root-vault
+spec:
+ ports:
+ - name: app
+ port: 8201
+ protocol: TCP
+ targetPort: 8201
+ clusterIP: None
+ type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: root-vault
+subsets:
+ - addresses:
+ - ip: 192.168.20.200
+ ports:
+ - name: app
+ port: 8201
+ protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: root-vault-ingress
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`)
+ middlewares:
+ - name: whitelist
+ namespace: traefik
+ kind: Rule
+ services:
+ - name: root-vault
+ port: 8201
+ scheme: https
+ tls:
+ secretName: root-vault-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: root-vault-tls
+spec:
+ secretName: root-vault-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "root-vault.internal.durp.info"
+ dnsNames:
+ - "root-vault.internal.durp.info"
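Review bot: The re-enabled ServiceAccount pins a cluster-generated token Secret name, `- name: issuer-token-lmzpj`, in what looks like a Helm template (`templates/` path), so any other cluster or a re-created namespace will reference a Secret that does not exist, and on Kubernetes 1.24+ the control plane no longer auto-creates legacy `kubernetes.io/service-account-token` Secrets for entries in this list at all. The `secrets:` stanza also ties this account to a long-lived, non-expiring token instead of the bound projected tokens pods get by default. Unless a consumer genuinely needs a static token, I would drop `secrets:` and keep only `apiVersion`/`kind`/`metadata`; if a static token is required, create the Secret explicitly with `type: kubernetes.io/service-account-token` and the `kubernetes.io/service-account.name: issuer` annotation so its name is deterministic rather than copied from one cluster.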
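Review bot: The IngressRoute forwards to the external Vault endpoint with `scheme: https` but declares no ServersTransport, so Traefik will verify the certificate presented by 192.168.20.200:8201 against its default trust store; if Vault uses an internal or self-signed CA the backend connection will fail, and the tempting fix of `insecureSkipVerify: true` would leave the hop to a secrets server unauthenticated. I would add a ServersTransport carrying the Vault CA via `rootCAsSecrets` (plus `serverName` if the certificate is not issued for the IP) and reference it from the service entry, as sketched below. Two further points worth confirming: the front-end certificate comes from `letsencrypt-production`, which publishes `root-vault.internal.durp.info` to public Certificate Transparency logs, so the hostname and the existence of a root Vault behind it become discoverable; and 8201 is Vault's default cluster (server-to-server) port while the HTTP API listens on 8200 by default, so please verify the backend port is intended. Access control for this route rests entirely on the `whitelist` middleware in namespace `traefik`, which is not part of this diff.
```yaml
# … unchanged: Service, Endpoints …
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: root-vault-transport
spec:
  # Secret in this namespace holding ca.crt for the CA that signed Vault's listener cert
  rootCAsSecrets:
    - root-vault-ca
# … unchanged: IngressRoute up to services …
    services:
      - name: root-vault
        port: 8201
        scheme: https
        serversTransport: root-vault-transport
```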