diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml
index 845a60b..2e521f5 100644
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -23,6 +23,59 @@ data:
     [telemetry]
     # Empty = OTEL disabled. Set to http://otel-collector.data.svc:4318 when ready.
     otlp_endpoint = ""
+    metrics_port  = 9090
+
+    # Kubernetes resource names for cert/config watchers.
+    # Override these if your namespace or Secret/ConfigMap names differ.
+    [kubernetes]
+    namespace        = "ingress"
+    tls_secret       = "pingora-tls"
+    config_configmap = "pingora-config"
+
+    # DDoS detection — KNN-based per-IP behavioral classification.
+    [ddos]
+    enabled         = true
+    model_path      = "/models/ddos_model.bin"
+    k               = 5
+    threshold       = 0.6
+    window_secs     = 60
+    window_capacity = 1000
+    min_events      = 10
+
+    # Scanner detection — logistic regression per-request classification.
+    [scanner]
+    enabled            = true
+    model_path         = "/models/scanner_model.bin"
+    threshold          = 0.5
+    poll_interval_secs = 30
+    bot_cache_ttl_secs = 86400
+
+    [[scanner.allowlist]]
+    ua_prefix    = "Googlebot"
+    reason       = "Google crawler"
+    dns_suffixes = ["googlebot.com", "google.com"]
+    cidrs        = ["66.249.64.0/19"]
+
+    [[scanner.allowlist]]
+    ua_prefix    = "Bingbot"
+    reason       = "Microsoft crawler"
+    dns_suffixes = ["search.msn.com"]
+    cidrs        = ["40.77.167.0/24", "157.55.39.0/24"]
+
+    # Rate limiting — leaky bucket per-identity throttling.
+    [rate_limit]
+    enabled                = true
+    eviction_interval_secs = 300
+    stale_after_secs       = 600
+    bypass_cidrs           = ["10.42.0.0/16"]
+
+    [rate_limit.authenticated]
+    burst = 200
+    rate  = 50.0
+
+    [rate_limit.unauthenticated]
+    burst = 50
+    rate  = 10.0
 
     # Host-prefix → backend routing table.
     # The prefix is the subdomain before the first dot, so these routes work
@@ -39,22 +92,8 @@ data:
 
     [[routes]]
     host_prefix = "docs"
-    backend     = "http://docs-frontend.lasuite.svc.cluster.local:80"
-
-      # API and admin go to the backend.
-      [[routes.paths]]
-      prefix  = "/api/"
-      backend = "http://docs-backend.lasuite.svc.cluster.local:80"
-
-      [[routes.paths]]
-      prefix  = "/admin/"
-      backend = "http://docs-backend.lasuite.svc.cluster.local:80"
-
-      # Real-time collaboration WebSocket (y-provider / Hocuspocus).
-      [[routes.paths]]
-      prefix    = "/collaboration/ws/"
-      backend   = "http://docs-y-provider.lasuite.svc.cluster.local:443"
-      websocket = true
+    backend     = "http://collabora.lasuite.svc.cluster.local:9980"
+    websocket   = true
 
     [[routes]]
     host_prefix = "meet"
@@ -83,17 +122,40 @@ data:
 
     [[routes]]
     host_prefix = "drive"
-    backend     = "http://drive.lasuite.svc.cluster.local:8000"
+    backend     = "http://drive-frontend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/api/"
+      backend = "http://drive-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/admin/"
+      backend = "http://drive-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/static/"
+      backend = "http://drive-backend.lasuite.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/external_api/"
+      backend = "http://drive-backend.lasuite.svc.cluster.local:80"
+      # /media/ falls through to frontend nginx which handles auth_request internally
 
     [[routes]]
     host_prefix = "mail"
-    backend     = "http://messages.lasuite.svc.cluster.local:8000"
+    # Caddy is the unified entry point — proxies /api/, /admin/, /static/, /oidc/ internally.
+    backend     = "http://messages-frontend.lasuite.svc.cluster.local:80"
 
     [[routes]]
     host_prefix = "chat"
-    backend     = "http://conversations.lasuite.svc.cluster.local:8000"
+    backend     = "http://tuwunel.matrix.svc.cluster.local:6167"
     websocket   = true
 
+      # Serve .well-known from tuwunel directly
+      [[routes.paths]]
+      prefix  = "/.well-known/matrix"
+      backend = "http://tuwunel.matrix.svc.cluster.local:6167"
+
     [[routes]]
     host_prefix = "people"
     backend     = "http://people-frontend.lasuite.svc.cluster.local:80"
@@ -153,9 +215,21 @@ data:
 
 
     [[routes]]
-    host_prefix = "grafana"
+    host_prefix = "metrics"
     backend     = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"
 
+    [[routes]]
+    host_prefix = "systemmetrics"
+    backend     = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
+
+    [[routes]]
+    host_prefix = "systemlogs"
+    backend     = "http://loki-gateway.monitoring.svc.cluster.local:80"
+
+    [[routes]]
+    host_prefix = "systemtracing"
+    backend     = "http://tempo.monitoring.svc.cluster.local:3200"
+
     [[routes]]
     host_prefix = "livekit"
     backend     = "http://livekit-server.media.svc.cluster.local:80"
diff --git a/base/ingress/pingora-deployment.yaml b/base/ingress/pingora-deployment.yaml
index 180878d..8c8a1ac 100644
--- a/base/ingress/pingora-deployment.yaml
+++ b/base/ingress/pingora-deployment.yaml
@@ -34,6 +34,9 @@ spec:
             - name: ssh
               containerPort: 22
               protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
             - name: turn-udp
               containerPort: 3478
               protocol: UDP
diff --git a/base/ingress/pingora-service.yaml b/base/ingress/pingora-service.yaml
index 79ba597..611aab4 100644
--- a/base/ingress/pingora-service.yaml
+++ b/base/ingress/pingora-service.yaml
@@ -16,6 +16,10 @@ spec:
       port: 443
       targetPort: 443
       protocol: TCP
+    - name: metrics
+      port: 9090
+      targetPort: 9090
+      protocol: TCP
     - name: turn-udp
       port: 3478
       targetPort: 3478