diff --git a/non_argo_values/gitea_values.yaml b/non_argo_values/gitea_values.yaml
index bdc537d..711b0b3 100644
--- a/non_argo_values/gitea_values.yaml
+++ b/non_argo_values/gitea_values.yaml
@@ -21,8 +21,8 @@ ingress:
   className: traefik
   pathType: Prefix
   annotations:
-    # Restrict to LAN access (matching your existing pattern)
-    traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
+    # Restrict to LAN access via Traefik v3 Middleware (resources/gitea-middleware.yaml)
+    traefik.ingress.kubernetes.io/router.middlewares: "gitea-lan-only@kubernetescrd"
     cert-manager.io/cluster-issuer: "letsencrypt-production"
   hosts:
     - host: gitea.gilgamezh.me
diff --git a/resources/gitea-middleware.yaml b/resources/gitea-middleware.yaml
new file mode 100644
index 0000000..dd3b2ad
--- /dev/null
+++ b/resources/gitea-middleware.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: lan-only
+  namespace: gitea
+spec:
+  ipAllowList:
+    sourceRange:
+      - 192.168.0.0/16
+      - 10.0.0.0/8
+      - 172.16.0.0/12
diff --git a/resources/ingress.yaml b/resources/ingress.yaml
index 9ca44f7..7fe60cf 100644
--- a/resources/ingress.yaml
+++ b/resources/ingress.yaml
@@ -4,12 +4,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: kube-plex
   name: kube-plex
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: tp2.gilgamezh.me
       http:
@@ -31,12 +31,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: radarr
   name: radarr
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: radarr.gilgamezh.me
       http:
@@ -58,12 +58,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: sonarr
   name: sonarr
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: sonarr.gilgamezh.me
       http:
@@ -85,12 +85,12 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: traefik
   labels:
     app: lidarr
   name: lidarr
   namespace: default
 spec:
+  ingressClassName: traefik
   rules:
     - host: lidarr.gilgamezh.me
       http: