diff --git a/ansible/arcodange/factory/playbooks/01_system.yml b/ansible/arcodange/factory/playbooks/01_system.yml
index 95c4fcf..801288c 100644
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -166,8 +166,8 @@
             traefik_helm_values:
               # default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
               # current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
-              deployment:
-                kind: DaemonSet
+              nodeSelector:
+                node-role.kubernetes.io/master: true # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
               service:
                 spec:
                   externalTrafficPolicy: Local
diff --git a/ansible/arcodange/factory/playbooks/03_cicd.yml b/ansible/arcodange/factory/playbooks/03_cicd.yml
index 9ba417b..21d9776 100644
--- a/ansible/arcodange/factory/playbooks/03_cicd.yml
+++ b/ansible/arcodange/factory/playbooks/03_cicd.yml
@@ -36,6 +36,9 @@
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /etc/timezone:/etc/timezone:ro
                 - /etc/localtime:/etc/localtime:ro
+              extra_hosts: gitea.arcodange.duckdns.org={{ hostvars[groups.gitea[0]].ansible_host }}
+              configs:
+                - config.yaml
           configs:
             config.yaml:
               content: |
diff --git a/ansible/arcodange/factory/playbooks/04_tools.yml b/ansible/arcodange/factory/playbooks/04_tools.yml
new file mode 100644
index 0000000..5ef0ce1
--- /dev/null
+++ b/ansible/arcodange/factory/playbooks/04_tools.yml
@@ -0,0 +1,3 @@
+---
+- name: tools
+  ansible.builtin.import_playbook: ./tools/tools.yml
diff --git a/ansible/arcodange/factory/playbooks/tools/pgbouncer.yml b/ansible/arcodange/factory/playbooks/tools/pgbouncer.yml
new file mode 100644
index 0000000..e5e3266
--- /dev/null
+++ b/ansible/arcodange/factory/playbooks/tools/pgbouncer.yml
@@ -0,0 +1,6 @@
+---
+- name: pgbouncer
+  hosts: raspberries:&local
+
+  tasks:
+  - ansible.builtin.ping:
\ No newline at end of file
diff --git a/ansible/arcodange/factory/playbooks/tools/prometheus.yml b/ansible/arcodange/factory/playbooks/tools/prometheus.yml
new file mode 100644
index 0000000..58da2db
--- /dev/null
+++ b/ansible/arcodange/factory/playbooks/tools/prometheus.yml
@@ -0,0 +1,6 @@
+---
+- name: prometheus
+  hosts: raspberries:&local
+
+  tasks:
+  - ansible.builtin.ping:
\ No newline at end of file
diff --git a/ansible/arcodange/factory/playbooks/tools/tools.yml b/ansible/arcodange/factory/playbooks/tools/tools.yml
new file mode 100644
index 0000000..5b2ac6c
--- /dev/null
+++ b/ansible/arcodange/factory/playbooks/tools/tools.yml
@@ -0,0 +1,6 @@
+---
+- name: pgbouncer
+  ansible.builtin.import_playbook: pgbouncer.yml
+
+- name: prometheus
+  ansible.builtin.import_playbook: prometheus.yml
\ No newline at end of file
diff --git a/argocd/templates/argocd-app.yaml b/argocd/templates/apps.yaml
similarity index 89%
rename from argocd/templates/argocd-app.yaml
rename to argocd/templates/apps.yaml
index ddcce31..97755c1 100644
--- a/argocd/templates/argocd-app.yaml
+++ b/argocd/templates/apps.yaml
@@ -5,6 +5,8 @@ kind: Application
 metadata:
   name: {{ $app_name }}
   namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   source:
diff --git a/argocd/values.yaml b/argocd/values.yaml
index 7520b93..df5e54d 100644
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -2,4 +2,5 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 gitea_applications:
-  - url-shortener
\ No newline at end of file
+  - url-shortener
+  - tools
\ No newline at end of file