diff --git a/apps/code-server/forward.tf b/apps/code-server/forward.tf
index 6b677b2..afd7d1d 100644
--- a/apps/code-server/forward.tf
+++ b/apps/code-server/forward.tf
@@ -7,11 +7,41 @@ locals {
   forward-outpost-providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
   forward-outpost-pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
   app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
-  app-icon = "dashboard/statics/icons/favicon-96x96.png"
+  app-icon = "_static/src/browser/media/favicon-dark-support.svg"
   main-group = format("%s-users", local.app-name)
   sub-groups = []
   external-url = format("https://%s", local.dns-names[0])
   access-token-validity = "hours=10" // ;minutes=10
+  rules-icons = [ for v in local.dns-names : {
+      "host" = "${v}"
+      "http" = {
+        "paths" = [{
+          "backend"  = {
+            "service" = local.service
+          }
+          "path"     = "/${local.app-icon}"
+          "pathType" = "Prefix"
+        }]
+      }
+    }]
+}
+
+resource "kubectl_manifest" "prj_ingress_icon" {
+  force_conflicts = true
+  yaml_body  = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${var.instance}-icons"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      ingressClassName: "${var.ingress-class}"
+      rules: ${jsonencode(local.rules-icons)}
+      tls:
+      - hosts: ${jsonencode(local.dns-names)}
+        secretName: "${var.instance}-cert"
+  EOF
 }
 
 data "authentik_flow" "default-authorization-flow" {
diff --git a/apps/code-server/index.yaml b/apps/code-server/index.yaml
index c4d0141..0bad23c 100644
--- a/apps/code-server/index.yaml
+++ b/apps/code-server/index.yaml
@@ -6,6 +6,26 @@ metadata:
   name: code-server
   description: null
 options:
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
+  domain:
+    default: your-company
+    examples:
+    - your-company
+    type: string
+  domain-name:
+    default: your_company.com
+    examples:
+    - your_company.com
+    type: string
   images:
     default:
       codeserver:
@@ -45,11 +65,6 @@ options:
             type: number
         type: object
     type: object
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
   timezone:
     default: Europe/Paris
     examples:
@@ -70,16 +85,6 @@ options:
         default: false
         type: boolean
     type: object
-  domain:
-    default: your-company
-    examples:
-    - your-company
-    type: string
-  ingress-class:
-    default: traefik
-    examples:
-    - traefik
-    type: string
   storage:
     default:
       accessMode: ReadWriteOnce
@@ -107,21 +112,16 @@ options:
         - block
         type: string
     type: object
-  sub-domain:
-    default: code
-    examples:
-    - code
-    type: string
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
   no-editor:
     default: false
     examples:
     - false
     type: boolean
+  sub-domain:
+    default: code
+    examples:
+    - code
+    type: string
 dependencies:
 - dist: null
   category: share
diff --git a/apps/traefik-ui/forward.tf b/apps/traefik-ui/forward.tf
index 7f7fa22..ad4a139 100644
--- a/apps/traefik-ui/forward.tf
+++ b/apps/traefik-ui/forward.tf
@@ -11,8 +11,37 @@ locals {
   main-group = format("%s-users", local.app-name)
   sub-groups = []
   access-token-validity = "minutes=10"
+  rules-icons = [ for v in local.dns-names : {
+      "host" = "${v}"
+      "http" = {
+        "paths" = [{
+          "backend"  = {
+            "service" = local.service
+          }
+          "path"     = "/${local.app-icon}"
+          "pathType" = "Prefix"
+        }]
+      }
+    }]
 }
 
+resource "kubectl_manifest" "prj_ingress_icon" {
+  force_conflicts = true
+  yaml_body  = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${var.instance}-icons"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      ingressClassName: "${var.ingress-class}"
+      rules: ${jsonencode(local.rules-icons)}
+      tls:
+      - hosts: ${jsonencode(local.dns-names)}
+        secretName: "${var.instance}-cert"
+  EOF
+}
 
 data "authentik_flow" "default-authorization-flow" {
   depends_on = [authentik_group.prj_users]
diff --git a/apps/traefik-ui/index.yaml b/apps/traefik-ui/index.yaml
index 48577f8..ce0443e 100644
--- a/apps/traefik-ui/index.yaml
+++ b/apps/traefik-ui/index.yaml
@@ -6,12 +6,12 @@ metadata:
   name: traefik-ui
   description: Access to the Traefik UI
 options:
-  sub-domain:
-    default: traefik
+  issuer:
+    default: letsencrypt-prod
     examples:
-    - traefik
+    - letsencrypt-prod
     type: string
-  ingress-class:
+  sub-domain:
     default: traefik
     examples:
     - traefik
@@ -21,16 +21,16 @@ options:
     examples:
     - your_company.com
     type: string
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
   domain:
     default: your-company
     examples:
     - your-company
     type: string
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
 dependencies:
 - dist: null
   category: share
@@ -42,3 +42,4 @@ providers:
   postgresql: null
   restapi: true
   http: true
+tfaddtype: null