diff --git a/argocd/manifests/argocd/README.md b/argocd/manifests/argocd/README.md
index 211f450..b6267cd 100644
--- a/argocd/manifests/argocd/README.md
+++ b/argocd/manifests/argocd/README.md
@@ -30,7 +30,8 @@ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.pas
 | File | Description |
 |------|-------------|
 | `kustomization.yaml` | References upstream install.yaml + local customizations |
-| `service-tailscale.yaml` | Tailscale LoadBalancer for external access |
+| `service-tailscale.yaml` | Tailscale Ingress for external access with Let's Encrypt TLS |
+| `argocd-cmd-params-cm.yaml` | Patch to disable HTTPS redirect (TLS terminates at Ingress) |
 | `README.md` | This file |
 
 ## Post-Setup
diff --git a/argocd/manifests/argocd/argocd-cmd-params-cm.yaml b/argocd/manifests/argocd/argocd-cmd-params-cm.yaml
new file mode 100644
index 0000000..af4c45b
--- /dev/null
+++ b/argocd/manifests/argocd/argocd-cmd-params-cm.yaml
@@ -0,0 +1,8 @@
+# ArgoCD server parameters
+# Disables HTTPS redirect since TLS is terminated at Tailscale Ingress
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cmd-params-cm
+data:
+ server.insecure: "true"
diff --git a/argocd/manifests/argocd/kustomization.yaml b/argocd/manifests/argocd/kustomization.yaml
index 37ed0d8..bcca27b 100644
--- a/argocd/manifests/argocd/kustomization.yaml
+++ b/argocd/manifests/argocd/kustomization.yaml
@@ -6,3 +6,6 @@ namespace: argocd
 resources:
 - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
 - service-tailscale.yaml
+
+patchesStrategicMerge:
+ - argocd-cmd-params-cm.yaml
diff --git a/argocd/manifests/argocd/service-tailscale.yaml b/argocd/manifests/argocd/service-tailscale.yaml
index bc8e16a..2fc4ce0 100644
--- a/argocd/manifests/argocd/service-tailscale.yaml
+++ b/argocd/manifests/argocd/service-tailscale.yaml
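Review bot: In argocd-cmd-params-cm.yaml the header comment understates what `server.insecure: "true"` does: it makes argocd-server serve plain HTTP with no TLS at all, rather than only skipping the redirect. The hop from the Tailscale proxy to argocd-server therefore carries logins and session tokens unencrypted inside the cluster, and any workload that can reach the argocd-server Service talks to it in cleartext. I would reword the comment to `# server.insecure: argocd-server serves plain HTTP; TLS exists only on the tailnet side of the Tailscale Ingress` and consider a NetworkPolicy that limits ingress to argocd-server to the Tailscale proxy pods. The setting is read when the server process starts, so the argocd-server Deployment presumably needs a restart before the change takes effect.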
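Review bot: `patchesStrategicMerge` in kustomization.yaml is deprecated as of Kustomize v5 in favour of the `patches` field; the equivalent is `patches:` followed by `- path: argocd-cmd-params-cm.yaml`. The patch also merges onto whatever the `stable` install.yaml URL in the context lines serves at build time, so the object that ends up carrying `server.insecure` can change without any commit in this repository. Pinning that URL to a release tag (`<pinned-release-tag>` in place of `stable`) would make the patched result reproducible and reviewable.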
@@ -1,20 +1,23 @@
-# Tailscale LoadBalancer service for ArgoCD
-# Exposes ArgoCD at https://argocd.tail8d86e.ts.net
+# Tailscale Ingress for ArgoCD
+# Exposes ArgoCD at https://argocd.tail8d86e.ts.net with Let's Encrypt TLS
+#
+# Using Ingress instead of LoadBalancer to get automatic TLS certificates.
+# See: https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress
 ---
-apiVersion: v1
-kind: Service
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
 name: argocd-server-tailscale
 namespace: argocd
 annotations:
- tailscale.com/hostname: "argocd"
 tailscale.com/proxy-class: "default"
 spec:
- type: LoadBalancer
- loadBalancerClass: tailscale
- selector:
- app.kubernetes.io/name: argocd-server
- ports:
- - name: https
- port: 443
- targetPort: 8080
+ ingressClassName: tailscale
+ defaultBackend:
+ service:
+ name: argocd-server
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - argocd
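Review bot: The `defaultBackend` on port 80 of argocd-server only works as a plain-HTTP backend because of `server.insecure` in argocd-cmd-params-cm.yaml, and nothing in this file records that dependency; if that patch is dropped or the server has not been restarted, the Ingress will presumably end up in a redirect loop. The header comment mentions Let's Encrypt TLS but not that the certificate covers only the tailnet-facing side, nor that who can open the hostname is decided by tailnet ACLs, which are not visible in this manifest. Suggested addition to the header: `# Backend is plain HTTP (port 80); depends on server.insecure in argocd-cmd-params-cm.yaml.` and `# Reachability is governed by tailnet ACLs - confirm they restrict this host to admins.`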