diff --git a/kustomizations/ingress-nginx/controller/ingressclass.yaml b/kustomizations/ingress-nginx/controller/ingressclass.yaml
new file mode 100644
index 0000000..2a68f08
--- /dev/null
+++ b/kustomizations/ingress-nginx/controller/ingressclass.yaml
@@ -0,0 +1,6 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ name: nginx
+spec:
+ controller: k8s.io/ingress-nginx
diff --git a/kustomizations/ingress-nginx/controller/kustomization.yaml b/kustomizations/ingress-nginx/controller/kustomization.yaml
new file mode 100644
index 0000000..82121a0
--- /dev/null
+++ b/kustomizations/ingress-nginx/controller/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ app.kubernetes.io/component: controller
+resources:
+ - ingressclass.yaml
+ - rbac.yaml
+ - resources.yaml
+ - webhook.yaml
+images:
+ - name: registry.k8s.io/ingress-nginx/controller
+ newTag: v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
diff --git a/kustomizations/ingress-nginx/controller/rbac.yaml b/kustomizations/ingress-nginx/controller/rbac.yaml
new file mode 100644
index 0000000..fd025c9
--- /dev/null
+++ b/kustomizations/ingress-nginx/controller/rbac.yaml
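Review bot: The image pin in controller/kustomization.yaml carries the digest inside `newTag` (`v1.7.1@sha256:…`), while kustomize's images transformer has a dedicated `digest:` field for that purpose; whether the `tag@digest` form inside `newTag` is honoured depends on the kustomize version in use, so confirm that the rendered Deployment actually contains the digest. The documented form is `newTag: v1.7.1` followed by `digest: sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407`. Pinning by digest is the right call; since v1.7.1 is no longer the newest upstream line, a comment such as `# NOTE: pinned to v1.7.1 by digest; review upstream security advisories before keeping or bumping this pin` would record the intent next to the value.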
@@ -0,0 +1,177 @@
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+ name: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ingress-nginx
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resourceNames:
+ - ingress-controller-leader
+ resources:
+ - leases
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ingress-nginx
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: ingress-nginx
+ # NOTE: Can be overwritten by Kustomization
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+ name: ingress-nginx
+ # NOTE: Can be overwritten by Kustomization
+ namespace: default
diff --git a/kustomizations/ingress-nginx/controller/resources.yaml b/kustomizations/ingress-nginx/controller/resources.yaml
new file mode 100644
index 0000000..0f47d03
--- /dev/null
+++ b/kustomizations/ingress-nginx/controller/resources.yaml
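Review bot: The ClusterRole in rbac.yaml grants `list` and `watch` on `secrets` (alongside `configmaps`) in every namespace, which is the widest permission in this change: a compromise of the controller pod, or of its mounted token (`automountServiceAccountToken: true` on the ServiceAccount), exposes every Secret in the cluster. This mirrors the upstream manifests and is presumably required so TLS Secrets referenced by Ingresses in any namespace can be read, but nothing in the file says so; a comment above that rule, `# NOTE: cluster-wide list/watch on secrets is needed to read Ingress TLS Secrets from any namespace; never reuse this ServiceAccount for other workloads`, would document the trade-off for the next reader. The `namespace: default` placeholders on both bindings are already marked as being rewritten by the parent Kustomization's `namespace:`, which matches how kustomize's namespace transformer treats binding subjects.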
@@ -0,0 +1,126 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ingress-nginx-controller
+spec:
+ minReadySeconds: 0
+ revisionHistoryLimit: 10
+ template:
+ spec:
+ containers:
+ - args:
+ - /nginx-ingress-controller
+ - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+ - --election-id=ingress-controller-leader
+ - --controller-class=k8s.io/ingress-nginx
+ - --ingress-class=nginx
+ - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+ - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+ - --validating-webhook=:8443
+ - --validating-webhook-certificate=/usr/local/certificates/tls.crt
+ - --validating-webhook-key=/usr/local/certificates/tls.key
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LD_PRELOAD
+ value: /usr/local/lib/libmimalloc.so
+ image: registry.k8s.io/ingress-nginx/controller
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: controller
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 443
+ name: https
+ protocol: TCP
+ - containerPort: 22
+ name: ssh
+ protocol: TCP
+ - containerPort: 8443
+ name: webhook
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 90Mi
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ runAsUser: 101
+ volumeMounts:
+ - mountPath: /usr/local/certificates/
+ name: webhook-cert
+ readOnly: true
+ dnsPolicy: ClusterFirst
+ nodeSelector:
+ kubernetes.io/os: linux
+ serviceAccountName: ingress-nginx
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: ingress-nginx-admission
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ # NOTE: This is DigitalOcean specific and should be changed if using
+ # another cloud provider
+ # See: configmap.yaml
+ service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+ name: ingress-nginx-controller
+spec:
+ ports:
+ - appProtocol: http
+ name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ - appProtocol: https
+ name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ - appProtocol: ssh
+ name: ssh
+ port: 22
+ protocol: TCP
+ targetPort: ssh
+ type: LoadBalancer
diff --git a/kustomizations/ingress-nginx/controller/webhook.yaml b/kustomizations/ingress-nginx/controller/webhook.yaml
new file mode 100644
index 0000000..393d820
--- /dev/null
+++ b/kustomizations/ingress-nginx/controller/webhook.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ingress-nginx-controller-admission
+spec:
+ ports:
+ - appProtocol: https
+ name: https-webhook
+ port: 443
+ targetPort: webhook
+ type: ClusterIP
diff --git a/kustomizations/ingress-nginx/kustomization.yaml b/kustomizations/ingress-nginx/kustomization.yaml
new file mode 100644
index 0000000..fb865f6
--- /dev/null
+++ b/kustomizations/ingress-nginx/kustomization.yaml
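Review bot: The Service in resources.yaml enables PROXY protocol on the DigitalOcean load balancer (`service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`), but the controller is not told to expect it: the ConfigMap named by `--configmap=$(POD_NAMESPACE)/ingress-nginx-controller` comes from the parent `configMapGenerator` entry that has no `literals` or `files`, so it renders empty, and the `configmap.yaml` the comment points to is not part of this change. With PROXY protocol on at the LB and `use-proxy-protocol` unset in that ConfigMap, nginx will not parse the PROXY header and requests arriving through the LB fail; unless an overlay outside this diff supplies the key, the generator should carry `literals: ["use-proxy-protocol=true"]` and the comment should reference the generator instead of a missing file. Separately, the container `securityContext` sets `allowPrivilegeEscalation: true` without `runAsNonRoot` or a `seccompProfile`; if the escalation flag is required for the file capability on `/nginx-ingress-controller` (it is the upstream default for this release — confirm), a comment stating that plus `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` would harden the pod without changing how it runs.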
@@ -0,0 +1,38 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: ingress-nginx
+commonLabels:
+ app.kubernetes.io/name: ingress-nginx
+resources:
+- controller/
+- webhook/
+- namespace.yaml
+- tcp-services-cm.yaml
+configMapGenerator:
+- name: ingress-nginx-controller
+ options:
+ disableNameSuffixHash: true
+replacements:
+- source:
+ kind: Certificate
+ fieldPath: metadata.namespace
+ targets:
+ - select:
+ kind: ValidatingWebhookConfiguration
+ fieldPaths:
+ - metadata.annotations.[cert-manager.io/inject-ca-from]
+ options:
+ delimiter: /
+- source:
+ kind: Service
+ fieldPath: metadata.namespace
+ name: ingress-nginx-controller-admission
+ targets:
+ - select:
+ kind: Certificate
+ name: ingress-nginx-admission
+ fieldPaths:
+ - spec.dnsNames.1
+ options:
+ delimiter: .
+ index: 1
diff --git a/kustomizations/ingress-nginx/namespace.yaml b/kustomizations/ingress-nginx/namespace.yaml
new file mode 100644
index 0000000..6878f0b
--- /dev/null
+++ b/kustomizations/ingress-nginx/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
diff --git a/kustomizations/ingress-nginx/tcp-services-cm.yaml b/kustomizations/ingress-nginx/tcp-services-cm.yaml
new file mode 100644
index 0000000..606af14
--- /dev/null
+++ b/kustomizations/ingress-nginx/tcp-services-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: tcp-services
+data:
+ # TODO:
+ # "22": "forgejo/forgejo:2222"
diff --git a/kustomizations/ingress-nginx/webhook/kustomization.yaml b/kustomizations/ingress-nginx/webhook/kustomization.yaml
new file mode 100644
index 0000000..edec0f4
--- /dev/null
+++ b/kustomizations/ingress-nginx/webhook/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+configurations:
+ - kustomizeconfig.yaml
+commonLabels:
+ app.kubernetes.io/component: admission-webhook
+resources:
+ - resources.yaml
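Review bot: The first `replacements` entry in kustomization.yaml selects its source only by `kind: Certificate`, so the moment a second Certificate is added under this kustomization the source becomes ambiguous and the build fails; the second entry already pins its source with `name:`, and the first should do the same with `name: ingress-nginx-admission`. Both replacements exist to rewrite the `default` namespace token that webhook/resources.yaml bakes into the `cert-manager.io/inject-ca-from` annotation and into `spec.dnsNames.1`, which is not apparent from this file alone; a comment above `replacements:` such as `# Rewrite the hard-coded 'default' namespace in webhook/resources.yaml to the namespace set above` would make the coupling visible. The `resources:` list here uses flush sequence indentation while every other kustomization in this change indents its sequences; pick one style for the tree.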
diff --git a/kustomizations/ingress-nginx/webhook/kustomizeconfig.yaml b/kustomizations/ingress-nginx/webhook/kustomizeconfig.yaml
new file mode 100644
index 0000000..4817f8e
--- /dev/null
+++ b/kustomizations/ingress-nginx/webhook/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+nameReference:
+ - kind: Issuer
+ group: cert-manager.io
+ fieldSpecs:
+ - kind: Certificate
+ group: cert-manager.io
+ path: spec/issuerRef/name
diff --git a/kustomizations/ingress-nginx/webhook/resources.yaml b/kustomizations/ingress-nginx/webhook/resources.yaml
new file mode 100644
index 0000000..b5c73a7
--- /dev/null
+++ b/kustomizations/ingress-nginx/webhook/resources.yaml
@@ -0,0 +1,49 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-nginx-admission
+spec:
+ dnsNames:
+ - ingress-nginx-controller-admission
+ - ingress-nginx-controller-admission.default.svc
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: ingress-nginx-admission
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: ingress-nginx-admission
+ annotations:
+ cert-manager.io/inject-ca-from: default/ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: ingress-nginx-controller-admission
+ namespace: default
+ path: /networking/v1/ingresses
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: validate.nginx.ingress.kubernetes.io
+ rules:
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ sideEffects: None
+ timeoutSeconds: 29
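Review bot: The `default` namespace token appears three times in webhook/resources.yaml (`spec.dnsNames.1`, the `cert-manager.io/inject-ca-from` annotation and `clientConfig.service.namespace`) and each one is rewritten by a different mechanism in the parent kustomization (two `replacements` entries and the namespace transformer), yet none carries the `# NOTE: Can be overwritten by Kustomization` comment that rbac.yaml uses for exactly this pattern; putting that comment on all three lines keeps the files consistent and stops a reader from taking `default` as a real value. On the Certificate, `privateKey.rotationPolicy` is left at cert-manager's default, which in the releases I am aware of is `Never` (confirm for the installed version), so the self-signed webhook certificate reuses the same private key on every renewal; adding `privateKey: {rotationPolicy: Always}` under `spec` is a one-line hardening, and cainjector re-reads the bundle from the Secret on renewal so the webhook keeps validating.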