diff --git a/.forgejo/workflows/build-keycloak.yaml b/.forgejo/workflows/build-keycloak.yaml
index 8cc7323..ea09fe5 100644
--- a/.forgejo/workflows/build-keycloak.yaml
+++ b/.forgejo/workflows/build-keycloak.yaml
@@ -20,3 +20,16 @@ jobs:
           tags: git.janky.solutions/jankysolutions/infra/keycloak:latest
           platforms: linux/amd64
           push: ${{ github.ref == 'refs/heads/main' }}
+  rollout:
+    name: roll out update
+    runs-on: ubuntu-latest
+    container:
+      image: git.janky.solutions/jankysolutions/infra/deployer:latest
+    needs: [build-synapse]
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: roll out update
+        run: |
+          set -euo pipefail
+          echo "${{ secrets.KUBERNETES_CLIENT_CONFIG }}" > ~/.kube/config
+          kubectl -n keycloak rollout restart deployment keycloak
diff --git a/.forgejo/workflows/build-traefik-forward-auth.yaml b/.forgejo/workflows/build-traefik-forward-auth.yaml
index 3cf08d1..7b5c7c8 100644
--- a/.forgejo/workflows/build-traefik-forward-auth.yaml
+++ b/.forgejo/workflows/build-traefik-forward-auth.yaml
@@ -20,3 +20,16 @@ jobs:
           tags: git.janky.solutions/jankysolutions/infra/traefik-forward-auth:latest
           platforms: linux/amd64
           push: ${{ github.ref == 'refs/heads/main' }}
+  rollout:
+    name: roll out update
+    runs-on: ubuntu-latest
+    container:
+      image: git.janky.solutions/jankysolutions/infra/deployer:latest
+    needs: [build-synapse]
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: roll out update
+        run: |
+          set -euo pipefail
+          echo "${{ secrets.KUBERNETES_CLIENT_CONFIG }}" > ~/.kube/config
+          kubectl -n kube-system rollout restart deployment -l app=traefik-forward-auth
diff --git a/k8s/system/traefik-forward-auth-herzfeld-casa.yaml b/k8s/system/traefik-forward-auth-herzfeld-casa.yaml
index e57c43a..2cde181 100644
--- a/k8s/system/traefik-forward-auth-herzfeld-casa.yaml
+++ b/k8s/system/traefik-forward-auth-herzfeld-casa.yaml
@@ -4,18 +4,21 @@ metadata:
   name: traefik-forward-auth-herzfeld-casa
   namespace: kube-system
   labels:
-    app: traefik-forward-auth-herzfeld-casa
+    app: traefik-forward-auth
+    instance: herzfeld-casa
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: traefik-forward-auth-herzfeld-casa
+      app: traefik-forward-auth
+      instance: herzfeld-casa
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app: traefik-forward-auth-herzfeld-casa
+        app: traefik-forward-auth
+        instance: herzfeld-casa
     spec:
       terminationGracePeriodSeconds: 60
       containers:
@@ -41,7 +44,8 @@ metadata:
   namespace: kube-system
 spec:
   selector:
-    app: traefik-forward-auth-herzfeld-casa
+    app: traefik-forward-auth
+    instance: herzfeld-casa
   ports:
   - name: auth-http
     port: 4181
diff --git a/k8s/system/traefik-forward-auth.yaml b/k8s/system/traefik-forward-auth.yaml
index 326d359..4cf1c79 100644
--- a/k8s/system/traefik-forward-auth.yaml
+++ b/k8s/system/traefik-forward-auth.yaml
@@ -5,17 +5,20 @@ metadata:
   namespace: kube-system
   labels:
     app: traefik-forward-auth
+    instance: default
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: traefik-forward-auth
+      instance: default
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
         app: traefik-forward-auth
+        instance: default
     spec:
       terminationGracePeriodSeconds: 60
       containers:
@@ -42,6 +45,7 @@ metadata:
 spec:
   selector:
     app: traefik-forward-auth
+    instance: default
   ports:
   - name: auth-http
     port: 4181