diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 72367979..8e893dca 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -148,10 +148,19 @@ locals {
 # record (either CF-proxied or direct A/AAAA). Explicit bool overrides.
 effective_external_monitor = var.external_monitor != null ? var.external_monitor : (var.dns_type != "none")
+ # Emit the annotation when effective is true (positive signal), or when the
+ # caller explicitly set external_monitor=false (opt-out). When the caller
+ # leaves it null AND dns_type="none", emit nothing — the sync script's
+ # default opt-in (any *.viktorbarzin.me ingress) keeps monitoring services
+ # that are publicly reachable via routes we don't manage here (e.g.
+ # helm-provisioned ingresses, services behind cloudflared tunnel with DNS
+ # set elsewhere).
 external_monitor_annotations = local.effective_external_monitor ? merge(
 { "uptime.viktorbarzin.me/external-monitor" = "true" },
 var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
- ) : {}
+ ) : (var.external_monitor == false ?
+ { "uptime.viktorbarzin.me/external-monitor" = "false" } : {}
+ )
 ns_to_group = {
 monitoring = "Infrastructure"
diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf
index 9ea09a95..874d3b81 100644
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
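Review bot: The opt-out added to `external_monitor_annotations` in `modules/kubernetes/ingress_factory/main.tf` is fail-open: when `external_monitor` is null and `dns_type = "none"`, `effective_external_monitor` is false yet the expression still yields `{}`, and per the new comment the sync script then enrols any `*.viktorbarzin.me` ingress by default. An ingress is therefore kept out of external monitoring only if its stack remembers to pass `external_monitor = false`, as the grampsweb and mladost3 hunks do by hand; the same expression is repeated in the `reverse_proxy/factory` hunk, where the null case is `dns_type != "proxied"`. The sync script is not part of this diff, so its default is taken from the comment; if internal-only hostnames are meant to stay out of the external monitor, state the tri-state on the older comment above `effective_external_monitor`, e.g. `# null is not an opt-out: only external_monitor = false emits the "false" annotation`. The `locals` block starts and ends outside the hunk.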
@@ -354,13 +354,14 @@ resource "kubernetes_service" "grampsweb" {
 }
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- namespace = kubernetes_namespace.grampsweb.metadata[0].name
- name = "family"
- service_name = "grampsweb"
- tls_secret_name = var.tls_secret_name
- max_body_size = "500m"
- protected = true
+ source = "../../modules/kubernetes/ingress_factory"
+ namespace = kubernetes_namespace.grampsweb.metadata[0].name
+ name = "family"
+ service_name = "grampsweb"
+ tls_secret_name = var.tls_secret_name
+ max_body_size = "500m"
+ protected = true
+ external_monitor = false
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "GrampsWeb"
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
index 010c897e..850675d5 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@@ -189,10 +189,17 @@ locals {
 # External monitor defaults: on when proxied, off otherwise. Explicit bool overrides.
 effective_external_monitor = var.external_monitor != null ? var.external_monitor : (var.dns_type == "proxied")
+ # Emit the annotation when effective is true (positive signal), or when the
+ # caller explicitly set external_monitor=false (opt-out). When the caller
+ # leaves it null AND dns_type != "proxied", emit nothing — the sync script's
+ # default opt-in (any *.viktorbarzin.me ingress) keeps monitoring services
+ # that are publicly reachable via routes we don't manage here.
 external_monitor_annotations = local.effective_external_monitor ? merge(
 { "uptime.viktorbarzin.me/external-monitor" = "true" },
 var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
- ) : {}
+ ) : (var.external_monitor == false ?
+ { "uptime.viktorbarzin.me/external-monitor" = "false" } : {}
+ )
 }
 resource "kubernetes_ingress_v1" "proxied-ingress" {
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index a731cf63..ac869a4c 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -151,25 +151,6 @@ module "truenas" {
 depends_on = [kubernetes_namespace.reverse-proxy]
 }
-# https://r730.viktorbarzin.me/
-module "r730" {
- source = "./factory"
- name = "r730"
- external_name = "r730.viktorbarzin.lan"
- port = 443
- tls_secret_name = var.tls_secret_name
- backend_protocol = "HTTPS"
- depends_on = [kubernetes_namespace.reverse-proxy]
- extra_annotations = {
- "gethomepage.dev/enabled" = "true"
- "gethomepage.dev/name" = "R730"
- "gethomepage.dev/description" = "Dell PowerEdge server"
- "gethomepage.dev/icon" = "dell.png"
- "gethomepage.dev/group" = "Infrastructure"
- "gethomepage.dev/pod-selector" = ""
- }
-}
-
 # https://proxmox.viktorbarzin.me/
 module "proxmox" {
 source = "./factory"
@@ -268,6 +249,7 @@ module "mladost3" {
 port = 8080
 tls_secret_name = var.tls_secret_name
 depends_on = [kubernetes_namespace.reverse-proxy]
+ external_monitor = false
 extra_annotations = { "gethomepage.dev/enabled" = "false" }
 }