diff --git a/argocd/manifests/argocd/service-tailscale.yaml b/argocd/manifests/argocd/service-tailscale.yaml
index 23ff8f1..85393af 100644
--- a/argocd/manifests/argocd/service-tailscale.yaml
+++ b/argocd/manifests/argocd/service-tailscale.yaml
@@ -11,6 +11,7 @@ metadata:
 namespace: argocd
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "ArgoCD"
 gethomepage.dev/group: "Infrastructure"
diff --git a/argocd/manifests/devpi/ingress-tailscale.yaml b/argocd/manifests/devpi/ingress-tailscale.yaml
index 08a13ed..474bf72 100644
--- a/argocd/manifests/devpi/ingress-tailscale.yaml
+++ b/argocd/manifests/devpi/ingress-tailscale.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: devpi
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "PyPI"
 gethomepage.dev/group: "Infrastructure"
diff --git a/argocd/manifests/docs/ingress-tailscale.yaml b/argocd/manifests/docs/ingress-tailscale.yaml
index b76b6af..2445e63 100644
--- a/argocd/manifests/docs/ingress-tailscale.yaml
+++ b/argocd/manifests/docs/ingress-tailscale.yaml
@@ -6,6 +6,7 @@ metadata:
 namespace: docs
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 tailscale.com/tags: "tag:k8s,tag:flyio-target"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Docs"
diff --git a/argocd/manifests/grafana-config/ingress-tailscale.yaml b/argocd/manifests/grafana-config/ingress-tailscale.yaml
index 905991c..929c912 100644
--- a/argocd/manifests/grafana-config/ingress-tailscale.yaml
+++ b/argocd/manifests/grafana-config/ingress-tailscale.yaml
@@ -9,6 +9,7 @@ metadata:
 namespace: monitoring
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Grafana"
 gethomepage.dev/group: "Observability"
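Review bot: Every annotation hunk in this commit (this ArgoCD Service plus the devpi, docs and grafana Ingresses further along this line, and the immich, kiwix, loki, miniflux, navidrome, prometheus, teslamate and torrent Ingresses on the following lines) keeps `tailscale.com/proxy-class: "default"` next to the new `tailscale.com/proxy-group: "ingress"`, but once a resource is served by a ProxyGroup the ProxyClass is presumably taken from the ProxyGroup's own `proxyClass` field, so the per-resource annotation no longer does anything and will mislead whoever next tries to change the proxy class here instead of on the ProxyGroup. If that matches the operator version you run, drop the annotation or mark it, e.g. `# no effect while proxy-group is set; ProxyClass is configured on the ProxyGroup`. This first hunk also differs from the others in kind: service-tailscale.yaml is a Service, not an Ingress, and whether a Service can be placed on an Ingress-type ProxyGroup depends on the operator release, so confirm it against the operator deployed from argocd/manifests/tailscale-operator before merging — if unsupported the annotation is ignored and ArgoCD silently keeps its own proxy, defeating the stated goal of moving everything onto the shared group. The metadata block starts before every hunk, so the remaining annotations are not visible here.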
diff --git a/argocd/manifests/immich/ingress-tailscale.yaml b/argocd/manifests/immich/ingress-tailscale.yaml
index 4b3faba..2a9e86d 100644
--- a/argocd/manifests/immich/ingress-tailscale.yaml
+++ b/argocd/manifests/immich/ingress-tailscale.yaml
@@ -8,6 +8,7 @@ metadata:
 namespace: immich
 annotations:
 tailscale.com/funnel: "false"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Immich"
 gethomepage.dev/group: "Apps"
diff --git a/argocd/manifests/kiwix/ingress-tailscale.yaml b/argocd/manifests/kiwix/ingress-tailscale.yaml
index c3aeb4c..ec7132c 100644
--- a/argocd/manifests/kiwix/ingress-tailscale.yaml
+++ b/argocd/manifests/kiwix/ingress-tailscale.yaml
@@ -6,6 +6,7 @@ metadata:
 namespace: kiwix
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Kiwix"
 gethomepage.dev/group: "Apps"
diff --git a/argocd/manifests/loki/ingress-tailscale.yaml b/argocd/manifests/loki/ingress-tailscale.yaml
index c25d919..e221189 100644
--- a/argocd/manifests/loki/ingress-tailscale.yaml
+++ b/argocd/manifests/loki/ingress-tailscale.yaml
@@ -7,6 +7,7 @@ metadata:
 namespace: monitoring
 annotations:
 tailscale.com/funnel: "false"
+ tailscale.com/proxy-group: "ingress"
 tailscale.com/tags: "tag:k8s,tag:flyio-target"
 gethomepage.dev/enabled: "false"
 spec:
diff --git a/argocd/manifests/miniflux/ingress-tailscale.yaml b/argocd/manifests/miniflux/ingress-tailscale.yaml
index 96c9162..01d2951 100644
--- a/argocd/manifests/miniflux/ingress-tailscale.yaml
+++ b/argocd/manifests/miniflux/ingress-tailscale.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: miniflux
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Miniflux"
 gethomepage.dev/group: "Apps"
diff --git a/argocd/manifests/navidrome/ingress-tailscale.yaml b/argocd/manifests/navidrome/ingress-tailscale.yaml
index 21ddfef..cf8ec72 100644
--- a/argocd/manifests/navidrome/ingress-tailscale.yaml
+++ b/argocd/manifests/navidrome/ingress-tailscale.yaml
@@ -6,6 +6,7 @@ metadata:
 namespace: navidrome
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "DJ"
 gethomepage.dev/group: "Apps"
diff --git a/argocd/manifests/prometheus/ingress-tailscale.yaml b/argocd/manifests/prometheus/ingress-tailscale.yaml
index 00aa05c..6d76d22 100644
--- a/argocd/manifests/prometheus/ingress-tailscale.yaml
+++ b/argocd/manifests/prometheus/ingress-tailscale.yaml
@@ -7,6 +7,7 @@ metadata:
 namespace: monitoring
 annotations:
 tailscale.com/funnel: "false"
+ tailscale.com/proxy-group: "ingress"
 tailscale.com/tags: "tag:k8s,tag:flyio-target"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Prometheus"
diff --git a/argocd/manifests/tailscale-operator/kustomization.yaml b/argocd/manifests/tailscale-operator/kustomization.yaml
index 65f3786..dec1bbc 100644
--- a/argocd/manifests/tailscale-operator/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator/kustomization.yaml
@@ -6,6 +6,7 @@ namespace: tailscale
 resources:
 - operator.yaml
 - proxyclass.yaml
+ - proxygroup-ingress.yaml
 - dnsconfig.yaml
 - egress-forge.yaml
 - external-secret.yaml
diff --git a/argocd/manifests/tailscale-operator/proxygroup-ingress.yaml b/argocd/manifests/tailscale-operator/proxygroup-ingress.yaml
new file mode 100644
index 0000000..e1c48b5
--- /dev/null
+++ b/argocd/manifests/tailscale-operator/proxygroup-ingress.yaml
@@ -0,0 +1,10 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyGroup
+metadata:
+ name: ingress
+spec:
+ type: Ingress
+ replicas: 2
+ proxyClass: default
+ tags:
+ - tag:k8s
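Review bot: The new ProxyGroup in the last hunk on this line makes two `tag:k8s` proxy pods the shared front door for every Tailscale-exposed workload in the repo, so loki and prometheus — the `tag:flyio-target` endpoints the changelog describes as reachable from fly.io — now run in the same proxy processes as immich, torrent, navidrome and the rest. Tag-based ACLs may still separate what each Ingress publishes, but at the pod level a compromised proxy process has a path to all of those backends at once; a second ProxyGroup for the three `tag:flyio-target` Ingresses would keep the fly.io-facing path on its own replicas and its own tag. The per-Ingress `tailscale.com/tags` overrides will presumably only reconcile if the operator's identity is permitted to own `tag:flyio-target` in the tailnet policy, which lives outside this repo, so the manifest should record that prerequisite in a header comment such as `# Ingresses on this group override tags via tailscale.com/tags; the operator must be a tagOwner of each such tag`. `replicas: 2` and `proxyClass: default` are also undocumented — a one-line comment on why two replicas were chosen would help the next reader.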
diff --git a/argocd/manifests/teslamate/ingress-tailscale.yaml b/argocd/manifests/teslamate/ingress-tailscale.yaml
index 2f10f2d..08f2ceb 100644
--- a/argocd/manifests/teslamate/ingress-tailscale.yaml
+++ b/argocd/manifests/teslamate/ingress-tailscale.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: teslamate
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "TeslaMate"
 gethomepage.dev/group: "Apps"
diff --git a/argocd/manifests/torrent/ingress-tailscale.yaml b/argocd/manifests/torrent/ingress-tailscale.yaml
index 175b0f6..ff801fd 100644
--- a/argocd/manifests/torrent/ingress-tailscale.yaml
+++ b/argocd/manifests/torrent/ingress-tailscale.yaml
@@ -6,6 +6,7 @@ metadata:
 namespace: torrent
 annotations:
 tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Transmission"
 gethomepage.dev/group: "Apps"
diff --git a/docs/changelog.d/restrict-flyio-proxy-acl.infra.md b/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
index 94115b9..c9544ba 100644
--- a/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
+++ b/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
@@ -1 +1 @@
-Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy.
+Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy. Migrate all Tailscale Ingresses to a shared ProxyGroup to enable per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus).