diff --git a/servers/legion/k8s/media/ingress.yaml b/servers/legion/k8s/media/ingress.yaml
index 108d072..aea9ec6 100644
--- a/servers/legion/k8s/media/ingress.yaml
+++ b/servers/legion/k8s/media/ingress.yaml
@@ -1,3 +1,131 @@
+# Admin ingresses — LAN only, not added to Cloudflare tunnel
+# Accessible on home network via AdGuard DNS (*.nook.family → 192.168.68.77)
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts: [radarr.nook.family]
+      secretName: radarr-tls
+  rules:
+    - host: radarr.nook.family
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: radarr
+                port:
+                  number: 7878
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sonarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts: [sonarr.nook.family]
+      secretName: sonarr-tls
+  rules:
+    - host: sonarr.nook.family
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: sonarr
+                port:
+                  number: 8989
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prowlarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts: [prowlarr.nook.family]
+      secretName: prowlarr-tls
+  rules:
+    - host: prowlarr.nook.family
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: prowlarr
+                port:
+                  number: 9696
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrent
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts: [qbit.nook.family]
+      secretName: qbit-tls
+  rules:
+    - host: qbit.nook.family
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: qbittorrent
+                port:
+                  number: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bazarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts: [bazarr.nook.family]
+      secretName: bazarr-tls
+  rules:
+    - host: bazarr.nook.family
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bazarr
+                port:
+                  number: 6767
+---
 # watch.nook.family → Overseerr (family request portal)
 # NOTE: After deploying, add this route in Cloudflare Zero Trust:
 #   Zero Trust > Networks > Tunnels > neural-platform > Public Hostname