diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 07c25e1..e5e2608 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -72,6 +72,14 @@ jobs:
             printf '    secretName: %s-tls\n' "$name" >> /tmp/ingress.yaml
           done
 
+          # 裸域 + www 的 TLS（cert-manager 自动签 letsencrypt）
+          if [ -d airlabs-art ]; then
+            printf '  - hosts:\n' >> /tmp/ingress.yaml
+            printf '    - airlabs.art\n' >> /tmp/ingress.yaml
+            printf '    - www.airlabs.art\n' >> /tmp/ingress.yaml
+            printf '    secretName: airlabs-root-tls\n' >> /tmp/ingress.yaml
+          fi
+
           printf '  rules:\n' >> /tmp/ingress.yaml
           for name in $PROJECTS; do
             printf '  - host: %s.airlabs.art\n' "$name" >> /tmp/ingress.yaml
@@ -86,7 +94,7 @@ jobs:
             printf '              number: 80\n' >> /tmp/ingress.yaml
           done
 
-          # 特判：裸域 + www 走 HTTP only，映射到 airlabs-art/ 目录
+          # 裸域 + www 规则（HTTPS 由 Traefik 全局 redirect 强制、证书由 cert-manager 自动签）
           if [ -d airlabs-art ]; then
             for host in airlabs.art www.airlabs.art; do
               printf '  - host: %s\n' "$host" >> /tmp/ingress.yaml