diff --git a/README.md b/README.md
index 7111f79..890625f 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,7 @@
 |-------------------|---------|
 | `homepage.rat` | Homepage |
 | `glance.rat` | Glance |
+| `headlamp.dog` | Headlamp |
 
 **Cluster-only (no ingress):** Prowlarr, Bazarr, qBittorrent, Zerobyte.
 
@@ -88,7 +89,7 @@ SOPS + age encryption. All secrets live in `secrets/secrets.enc.yaml`, encrypted
 | `longhorn-system` | Longhorn storage |
 | `media` | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr |
 | `paperless` | Paperless-ngx, Redis, PostgreSQL |
-| `apps` | Mealie, Homepage, Glance, Seerr, Zerobyte |
+| `apps` | Mealie, Homepage, Glance, Headlamp, Seerr, Zerobyte |
 
 ## Services
 
@@ -101,6 +102,7 @@ SOPS + age encryption. All secrets live in `secrets/secrets.enc.yaml`, encrypted
 | paperless | paperless | Paperless-ngx, Redis, PostgreSQL | Postgres 15, Redis 7 |
 | mealie | apps | Mealie (v3.14.0) | Gemini API integration for recipes |
 | dashboards | apps | Homepage, Glance | Internal-only via `traefik-internal` |
+| headlamp | apps | Headlamp | K8s dashboard, internal-only via `traefik-internal` |
 | utils | apps | Seerr, Zerobyte | Seerr public, Zerobyte cluster-only |
 
 
@@ -170,6 +172,7 @@ helm upgrade --install paperless charts/paperless -n paperless
 kubectl create namespace apps
 helm upgrade --install mealie charts/mealie -n apps
 helm upgrade --install dashboards charts/dashboards -n apps
+helm upgrade --install headlamp charts/headlamp -n apps
 helm upgrade --install utils charts/utils -n apps
 
 # Traefik config goes in kube-system (managed by k3s)
@@ -214,6 +217,7 @@ homelab/
 │   ├── paperless/           # Paperless-ngx + Postgres + Redis
 │   ├── mealie/              # Mealie recipe manager
 │   ├── dashboards/          # Homepage + Glance (internal only)
+│   ├── headlamp/            # Headlamp K8s dashboard (internal only)
 │   └── utils/               # Seerr + Zerobyte
 └── secrets/
     └── secrets.enc.yaml
diff --git a/charts/headlamp/Chart.yaml b/charts/headlamp/Chart.yaml
new file mode 100644
index 0000000..2c691ed
--- /dev/null
+++ b/charts/headlamp/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: headlamp
+description: Headlamp Kubernetes dashboard
+version: 0.1.0
+type: application
diff --git a/charts/headlamp/templates/headlamp-ingressroute.yaml b/charts/headlamp/templates/headlamp-ingressroute.yaml
new file mode 100644
index 0000000..570d722
--- /dev/null
+++ b/charts/headlamp/templates/headlamp-ingressroute.yaml
@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: headlamp
+  annotations:
+    kubernetes.io/ingress.class: traefik-internal
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`headlamp.{{ .Values.internalDomain }}`)
+      kind: Rule
+      services:
+        - name: headlamp
+          port: 4466
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: headlamp-tls
+  annotations:
+    kubernetes.io/ingress.class: traefik-internal
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`headlamp.{{ .Values.internalDomain }}`)
+      kind: Rule
+      services:
+        - name: headlamp
+          port: 4466
+  tls: {}
diff --git a/charts/headlamp/templates/headlamp.yaml b/charts/headlamp/templates/headlamp.yaml
new file mode 100644
index 0000000..3d9fa07
--- /dev/null
+++ b/charts/headlamp/templates/headlamp.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: headlamp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: headlamp
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headlamp
+  labels:
+    app: headlamp
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: headlamp
+  template:
+    metadata:
+      labels:
+        app: headlamp
+    spec:
+      serviceAccountName: headlamp
+      nodeSelector:
+        homelab/node-role: worker
+      containers:
+        - name: headlamp
+          image: {{ .Values.image }}
+          args:
+            - -in-cluster
+            - -plugins-dir=/headlamp/plugins
+            - -insecure-no-authentication
+          ports:
+            - containerPort: 4466
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: headlamp
+spec:
+  selector:
+    app: headlamp
+  ports:
+    - port: 4466
+      targetPort: 4466
diff --git a/charts/headlamp/values.yaml b/charts/headlamp/values.yaml
new file mode 100644
index 0000000..5fcfbcc
--- /dev/null
+++ b/charts/headlamp/values.yaml
@@ -0,0 +1,2 @@
+image: ghcr.io/headlamp-k8s/headlamp:latest
+internalDomain: dog
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 23e44d6..171e0db 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -108,7 +108,7 @@ cmd_deploy() {
   local charts_dir
   charts_dir="$(cd "$(dirname "$0")/.." && pwd)/charts"
 
-  local -a chart_order=(traefik-config media paperless mealie dashboards utils)
+  local -a chart_order=(traefik-config media paperless mealie dashboards utils headlamp)
   local -A chart_ns=(
     [traefik-config]=kube-system
     [media]=media
@@ -116,6 +116,7 @@ cmd_deploy() {
     [mealie]=apps
     [dashboards]=apps
     [utils]=apps
+    [headlamp]=apps
   )
 
   for chart in "${chart_order[@]}"; do