diff --git a/gcloud/tf/main.tf b/gcloud/tf/main.tf
index bd8f6e6..cb38fb6 100644
--- a/gcloud/tf/main.tf
+++ b/gcloud/tf/main.tf
@@ -81,6 +81,63 @@ resource "google_compute_disk" "app_data_disk" {
 }
 
 
+// load balancer ....
+
+
+# resource "google_compute_health_check" "http_health_check" {
+#   name                = "http-health-check"
+#   check_interval_sec  = 5
+#   timeout_sec         = 5
+#   healthy_threshold   = 2
+#   unhealthy_threshold = 2
+
+#   http_health_check {
+#     port = 80
+#   }
+# }
+
+resource "google_compute_http_health_check" "http_health_check" {
+  name                = "http-health-check"
+  request_path        = "/"
+  port                = 80
+  check_interval_sec  = 5
+  timeout_sec         = 5
+  healthy_threshold   = 2
+  unhealthy_threshold = 2
+}
+
+
+# resource "google_compute_target_pool" "k3s_pool" {
+#   name          = "k3s-target-pool"
+#   instances     = [google_compute_instance.k3s.self_link]
+#   health_checks = [google_compute_health_check.http_health_check.self_link]
+# }
+
+resource "google_compute_target_pool" "k3s_pool" {
+  name          = "k3s-target-pool"
+  instances     = [google_compute_instance.k3s.self_link]
+  health_checks = [google_compute_http_health_check.http_health_check.self_link]
+}
+
+resource "google_compute_forwarding_rule" "http_forwarding_rule" {
+  name                  = "http-forwarding-rule"
+  target                = google_compute_target_pool.k3s_pool.self_link
+  port_range            = "80"
+  ip_protocol           = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+}
+
+resource "google_compute_forwarding_rule" "https_forwarding_rule" {
+  name                  = "https-forwarding-rule"
+  target                = google_compute_target_pool.k3s_pool.self_link
+  port_range            = "443"
+  ip_protocol           = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+}
+
+
+
+// ----------------------------------
 
 
 
@@ -96,3 +153,8 @@ output "k3s_vm_public_ip" {
   value       = google_compute_instance.k3s.network_interface[0].access_config[0].nat_ip
   description = "Ephemeral public IP of the k3s VM"
 }
+
+output "load_balancer_ip" {
+  value       = google_compute_forwarding_rule.http_forwarding_rule.ip_address
+  description = "External IP address of the load balancer (HTTP)"
+}
diff --git a/gcloud/tf/scripts/install_traefik.sh b/gcloud/tf/scripts/install_traefik.sh
new file mode 100644
index 0000000..da3d96e
--- /dev/null
+++ b/gcloud/tf/scripts/install_traefik.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+TMPFILE=$(mktemp /tmp/traefik-values-XXXXXX.yaml)
+
+
+cat > "$TMPFILE" <<EOF
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+ports:
+  web:
+    port: 80
+    hostPort: 80
+  websecure:
+    port: 443
+    hostPort: 443
+  traefik:
+    port: 9000
+api:
+  dashboard: true
+  insecure: true
+ingressRoute:
+  dashboard:
+    enabled: true
+ping: true
+log:
+  level: INFO
+service:
+  enabled: true
+  type: ClusterIP
+  annotations: {}
+  ports:
+    web:
+      port: 80
+      protocol: TCP
+      targetPort: web
+    websecure:
+      port: 443
+      protocol: TCP
+      targetPort: websecure
+EOF
+
+
+if helm status traefik --namespace traefik &> /dev/null; then
+  echo "Traefik is already installed in the 'traefik' namespace. Upgrading..."
+  helm upgrade traefik traefik/traefik --namespace traefik -f "$TMPFILE"
+else
+  echo "Installing Traefik..."
+  helm repo add traefik https://traefik.github.io/charts
+  helm repo update
+  # Using --create-namespace is good practice, though traefik will always exist.
+  helm install traefik traefik/traefik --namespace traefik --create-namespace -f "$TMPFILE"
+fi
+
+
+
+# echo
+# echo "To access the dashboard:"
+# echo "kubectl port-forward -n traefik \$(kubectl get pods -n traefik -l \"app.kubernetes.io/name=traefik\" -o name) 9000:9000"
+# echo "Then visit http://localhost:9000/dashboard/ in your browser"
+