diff --git a/argocd/apps/cert-manager/include/.root-cerficate.yaml.swp b/argocd/apps/cert-manager/include/.root-cerficate.yaml.swp
new file mode 100644
index 0000000..7250aca
Binary files /dev/null and b/argocd/apps/cert-manager/include/.root-cerficate.yaml.swp differ
diff --git a/argocd/apps/sonarqube/.sonarqube.yaml.swp b/argocd/apps/sonarqube/.sonarqube.yaml.swp
new file mode 100644
index 0000000..8e15a12
Binary files /dev/null and b/argocd/apps/sonarqube/.sonarqube.yaml.swp differ
diff --git a/argocd/apps/sonarqube/sonarqube.yaml b/argocd/apps/sonarqube/sonarqube.yaml
new file mode 100644
index 0000000..bf59f01
--- /dev/null
+++ b/argocd/apps/sonarqube/sonarqube.yaml
@@ -0,0 +1,79 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: sonarqube
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: 'https://SonarSource.github.io/helm-chart-sonarqube'
+ path: 'sonarqube'
+ targetRevision: 2025.*.*
+ chart: sonarqube
+ helm:
+ parameters:
+ - name: master.ingress.enabled
+ value: 'true'
+ - name: master.ingress.hostname
+ value: 'sonarqubennovation-hub-niedersachsen.de'
+ - name: master.ingress.tls
+ value: 'true'
+ - name: master.ingress.annotations.kubernetes\.io\/ingress\.class
+ value: traefik
+ - name: master.ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+ value: 'true'
+ forceString: true
+ - name: master.ingress.annotations.cert-manager\.io\/cluster-issuer
+ value: 'lets-encrypt'
+ - name: master.ingress.annotations.ingress\.secrets
+ value: 'sonarqubennovation-hub-niedersachsen.de-tls'
+ - name: master.ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+ value: websecure
+ - name: s3.enabled
+ value: 'true'
+ - name: s3.logLevel
+ value: '4'
+ - name: s3.auth.enabled
+ value: 'true'
+ - name: s3.auth.adminAccessKeyId
+ value: 'wjpKrmaqXra99rX3D61H'
+ - name: s3.auth.adminSecretAccessKey
+ value: 'fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u'
+ - name: s3.ingress.enabled
+ value: 'true'
+ - name: s3.ingress.hostname
+ value: 'sws3.innovation-hub-niedersachsen.de'
+ - name: s3.ingress.tls
+ value: 'true'
+ - name: s3.ingress.annotations.kubernetes\.io\/ingress\.class
+ value: traefik
+ - name: s3.ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+ value: 'true'
+ forceString: true
+ - name: s3.ingress.annotations.cert-manager\.io\/cluster-issuer
+ value: 'lets-encrypt'
+ - name: s3.ingress.annotations.ingress\.secrets
+ value: 'sws3.innovation-hub-niedersachsen.de-tls'
+ - name: s3.ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+ value: websecure
+ - name: s3.ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
+ value: 'sonarqube-stripprefix@kubernetescrd'
+ - name: mariadb.auth.rootPassword
+ value: 'InnoHubSEAWEEDFS_2024!'
+ - name: mariadb.auth.username
+ value: 'bn_sonarqube'
+ - name: mariadb.auth.password
+ value: 'bn_sonarqubeUSER'
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: sonarqube
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ pod-security.kubernetes.io/enforce: "privileged"
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/config/argocd/argocd-cmd-params-cm.yaml b/config/argocd/argocd-cmd-params-cm.yaml
new file mode 100644
index 0000000..9016764
--- /dev/null
+++ b/config/argocd/argocd-cmd-params-cm.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cmd-params-cm
+ namespace: argocd
+ labels:
+ app.kubernetes.io/name: argocd-cmd-params-cm
+ app.kubernetes.io/part-of: argocd
+data:
+ server.insecure: "true"
diff --git a/config/argocd/ingress-route.yaml b/config/argocd/ingress-route.yaml
new file mode 100644
index 0000000..f605da0
--- /dev/null
+++ b/config/argocd/ingress-route.yaml
@@ -0,0 +1,24 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: argocd-server
+ namespace: argocd
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`argocd.innovation-hub-niedersachsen.de`)
+ priority: 10
+ services:
+ - name: argocd-server
+ port: 80
+# - kind: Rule
+# match: Host(`argocd.innovation-hub-niedersachsen.de`) && Headers(`Content-Type`, `application/grpc`)
+# priority: 11
+# services:
+# - name: argocd-server
+# port: 80
+# scheme: h2c
+ tls:
+ secretName: argocd-tls
diff --git a/config/cert-manager/cloudflare-api-token-secret.yaml b/config/cert-manager/cloudflare-api-token-secret.yaml
new file mode 100644
index 0000000..95a3dd2
--- /dev/null
+++ b/config/cert-manager/cloudflare-api-token-secret.yaml
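Review bot: The Helm parameters `s3.auth.adminAccessKeyId`, `s3.auth.adminSecretAccessKey`, `mariadb.auth.rootPassword` and `mariadb.auth.password` in argocd/apps/sonarqube/sonarqube.yaml are committed as literal values, so they are readable by everyone with access to the repository and stay in its history; the `api-token` in config/cert-manager/cloudflare-api-token-secret.yaml has the same problem. Treat all of them as exposed: rotate them and have the chart read them from a Secret that is created outside Git (for example a sealed or externally synced secret) rather than from inline `value:` entries. `targetRevision: 2025.*.*` together with `automated` sync deploys every new chart release in that range without review, so pin an exact version such as `targetRevision: '<PINNED_CHART_VERSION>'`. The namespace label `pod-security.kubernetes.io/enforce: "privileged"` applies the unrestricted Pod Security level to the whole namespace and should be justified in a comment or lowered. The hostname `sonarqubennovation-hub-niedersachsen.de` also looks mistyped next to `sws3.innovation-hub-niedersachsen.de`; please confirm.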
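Review bot: `server.insecure: "true"` in config/argocd/argocd-cmd-params-cm.yaml makes argocd-server serve without TLS, and config/argocd/ingress-route.yaml forwards to it on `port: 80`, so session tokens and repository credentials travel unencrypted between Traefik and the pod. If terminating TLS at Traefik is the intent, say so next to the setting, e.g. `# TLS terminates at Traefik (ingress-route.yaml); argocd-server listens on plain HTTP inside the cluster`, and consider a NetworkPolicy that admits only Traefik to the argocd-server pods. The commented-out gRPC rule in ingress-route.yaml should either be removed or get a comment explaining why it is disabled.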
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-api-token-secret
+type: Opaque
+stringData:
+ api-token: 8U6YVJlQe3UCkw6P2Xx0Qvmpy975EwK14FV8IMdp
diff --git a/config/dashboard/cluster-role.yaml b/config/dashboard/cluster-role.yaml
new file mode 100644
index 0000000..7de9b5c
--- /dev/null
+++ b/config/dashboard/cluster-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: admin-user
+ namespace: kubernetes-dashboard
+
diff --git a/config/dashboard/dashboard-traefik.yaml b/config/dashboard/dashboard-traefik.yaml
new file mode 100644
index 0000000..95f2e27
--- /dev/null
+++ b/config/dashboard/dashboard-traefik.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+ name: dashboard-transport
+ namespace: kubernetes-dashboard
+spec:
+ serverName: dashboard-kong-proxy
+ insecureSkipVerify: true
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: dashboard
+ namespace: kubernetes-dashboard
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`dashboard.innohub.local`)
+ kind: Rule
+ services:
+ - name: dashboard-kong-proxy
+ port: 443
+ scheme: https
+ serversTransport: dashboard-transport
+ namespace: kubernetes-dashboard
+ tls:
+ secretName: dashboard.innohub.local
+ domains:
+ - main: dashboard.innohub.local
diff --git a/config/dashboard/service-account.yaml b/config/dashboard/service-account.yaml
new file mode 100644
index 0000000..54cabb7
--- /dev/null
+++ b/config/dashboard/service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kubernetes-dashboard
diff --git a/config/mattermost/https-redirect.yaml b/config/mattermost/https-redirect.yaml
new file mode 100644
index 0000000..5d6f404
--- /dev/null
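Review bot: The Secret in config/cert-manager/cloudflare-api-token-secret.yaml has no `metadata.namespace`, so it is created in whatever namespace the applying context defaults to. If it backs the `lets-encrypt` ClusterIssuer referenced in sonarqube.yaml, cert-manager presumably has to find it in its own namespace, so add an explicit `namespace: <CERT_MANAGER_NAMESPACE>`. Since the token value is committed here in plaintext it has to be reissued anyway; when it is, limit the new token to the single zone and the DNS permissions the issuer actually needs.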
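Review bot: The ClusterRoleBinding in config/dashboard/cluster-role.yaml grants `cluster-admin` to the `admin-user` ServiceAccount (created in config/dashboard/service-account.yaml), so any token issued for that account has full control of the cluster, and the dashboard that consumes it is published through an IngressRoute in this same commit. Bind a narrower role instead, for example `name: view` in `roleRef`, or use namespaced RoleBindings for the namespaces operators actually work in. If cluster-admin is kept, record the reason in a comment above `roleRef` and issue only short-lived tokens for the account.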
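Review bot: `insecureSkipVerify: true` in the `dashboard-transport` ServersTransport turns off verification of the `dashboard-kong-proxy` certificate, so the `serverName` line above it gives no protection and Traefik accepts any certificate on that hop. The requests on this route carry dashboard bearer tokens, which makes the backend connection worth authenticating. Drop the flag and list the CA that signed the backend certificate instead, e.g. `rootCAsSecrets:` with `- <BACKEND_CA_SECRET>`.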
+++ b/config/mattermost/https-redirect.yaml
@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: http-redirect
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
diff --git a/config/open-webui/disable-token.yaml b/config/open-webui/disable-token.yaml
new file mode 100644
index 0000000..f70d791
--- /dev/null
+++ b/config/open-webui/disable-token.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ kubernetes.io/automountServiceAccountToken: "false"
+ name: open-webui
+ namespace: open-webui
diff --git a/config/traefik/traefik-dashboard.yaml b/config/traefik/traefik-dashboard.yaml
new file mode 100644
index 0000000..bc4819c
--- /dev/null
+++ b/config/traefik/traefik-dashboard.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ namespace: kube-system
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`traefik.innohub.local`)
+ kind: Rule
+ services:
+ - name: api@internal
+ kind: TraefikService
diff --git a/config/wordpress/www-redirectScheme.yaml b/config/wordpress/www-redirectScheme.yaml
new file mode 100644
index 0000000..db4fee5
--- /dev/null
+++ b/config/wordpress/www-redirectScheme.yaml
@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-www
+ namespace: wordpress
+spec:
+ redirectRegex:
+ regex: "^https?://innovation-hub-niedersachsen.de/(.*)"
+ replacement: "https://www.innovation-hub-niedersachsen.de/$1"
+ permanent: true
+ redirectRegex:
+ regex: "^http?://innovation-hub-niedersachsen.de/(.*)"
+ replacement: "https://www.innovation-hub-niedersachsen.de/$1"
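Review bot: The annotation `kubernetes.io/automountServiceAccountToken: "false"` in config/open-webui/disable-token.yaml is, as far as I know, not evaluated by Kubernetes; token automounting is controlled by a top-level field of the ServiceAccount, not by an annotation. As written, pods using the `open-webui` account would still get a token mounted, which is the opposite of what the file name promises. Replace the `annotations:` entry with `automountServiceAccountToken: false` at the same level as `metadata:`.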
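Review bot: The route in config/traefik/traefik-dashboard.yaml publishes `api@internal` with no `middlewares:` entry, so the Traefik dashboard and API are open to anyone who can reach the `websecure` entry point under `traefik.innohub.local`. Attach an authentication Middleware (basicAuth or forwardAuth) to the route, e.g. `middlewares:` followed by `- name: <AUTH_MIDDLEWARE_NAME>`. Unlike the other IngressRoutes in this commit, this one has no `tls:` section, so whether it is served over TLS depends on the entry point's defaults; add `tls:` with the intended `secretName` to make it explicit.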
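Review bot: `spec` in config/wordpress/www-redirectScheme.yaml defines `redirectRegex` twice; duplicate mapping keys are invalid YAML, and parsers that tolerate them usually keep only the last one. The block that would survive uses `^http?://`, which matches `htt://` and `http://` but not `https://`, and it has no `permanent: true`, so HTTPS requests to the apex domain would not be redirected and the HTTP redirect would be temporary. Delete the second `redirectRegex` block and keep the first, ideally with the dots escaped: `regex: '^https?://innovation-hub-niedersachsen\.de/(.*)'`.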