diff --git a/.gitignore b/.gitignore
index 4529290..b49b45e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 cert-manager/
 certs/
+backups/
diff --git a/helm/ha.yaml b/helm/ha.yaml
index 86095f5..65dcaff 100644
--- a/helm/ha.yaml
+++ b/helm/ha.yaml
@@ -22,7 +22,7 @@ server:
 }
 seal "transit" {
- address = "https://pivault.dnet"
+ address = "http://3.14.3.104:8200"
 disable_renewal = "false"
 key_name = "autounseal"
 mount_path = "transit/"
diff --git a/helm/pivault.yaml b/helm/pivault.yaml
index d2ffbd2..1d3bad2 100644
--- a/helm/pivault.yaml
+++ b/helm/pivault.yaml
@@ -13,7 +13,7 @@ server:
 config: |
 ui = true
- listener "tcp" {
+ listener "tcp" {z
 tls_disable = 1
 address = "[::]:8200"
 cluster_address = "[::]:8201"
@@ -46,4 +46,4 @@ server:
 ui:
 enabled: true
- serviceType: ClusterIP
+ serviceType: LoadBalancer
diff --git a/policies/ducoterra.hcl b/policies/ducoterra.hcl
index 6175e29..c3d49e2 100644
--- a/policies/ducoterra.hcl
+++ b/policies/ducoterra.hcl
@@ -13,3 +13,11 @@ path "secret/*" {
 path "dnet_inter/*" {
 capabilities = ["create", "read", "update", "delete", "list"]
 }
+
+path "ssh-client-signer/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "ssh-host-signer/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
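Review bot: The new `address = "http://3.14.3.104:8200"` in the `seal "transit"` stanza of helm/ha.yaml sends the auto-unseal traffic over plain HTTP to a literal IP, where the removed line used HTTPS and a hostname. The transit token and every encrypt/decrypt call protecting this cluster's root key would then travel unencrypted, and the server's identity is never checked. Keep TLS on this link, e.g. `address = "https://pivault.dnet"`, and if the transit Vault uses a private CA, pin it with `tls_ca_cert` rather than dropping to HTTP. The address appears to be publicly routable, which makes the cleartext hop more exposed than an in-cluster one. The seal stanza starts and ends outside the hunk, so the token source is not visible here.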
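Review bot: The added line `listener "tcp" {z` in helm/pivault.yaml carries a stray `z` after the opening brace, which looks like an accidental keystroke. It will most likely make the embedded HCL config fail to parse, so the server would not start with this values file. Restore the line to `listener "tcp" {`. The listener block continues past the end of the hunk.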
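Review bot: Switching `ui.serviceType` to `LoadBalancer` in helm/pivault.yaml publishes the Vault UI and API outside the cluster while the listener in the same file still has `tls_disable = 1` (visible in the previous hunk). Logins, tokens and secret reads against this instance would then cross the network in cleartext. Either keep `serviceType: ClusterIP` and expose it through a TLS-terminating ingress, or enable TLS on the listener before making this change. If the LoadBalancer stays, limit who can reach it with `loadBalancerSourceRanges`. Judging by the old seal address in helm/ha.yaml, this instance appears to be the transit unseal provider for the HA cluster, which raises the stakes of exposing it.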
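Review bot: The two new stanzas in policies/ducoterra.hcl grant every capability on `ssh-client-signer/*` and `ssh-host-signer/*`, which is far broader than key signing needs. Assuming these are SSH secrets engine mounts, the wildcard also covers `config/ca` and `roles/*`, so a token with this policy can replace the signing CA or rewrite role constraints. If the policy is meant for day-to-day use, narrow it to the signing endpoint, e.g. `path "ssh-client-signer/sign/<ROLE_NAME>" { capabilities = ["update"] }` (role name is a placeholder). Keep mount administration in a separate, rarely used admin policy. A short comment above each stanza saying why the access is needed would also help later reviews.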