diff --git a/charts/dns/Chart.yaml b/charts/dns/Chart.yaml deleted file mode 100644 index 79489eb..0000000 --- a/charts/dns/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -name: home-server-dns -description: Deploys the DNS setup -type: application -version: 0.1.0 diff --git a/charts/dns/values.yaml b/charts/dns/values.yaml deleted file mode 100644 index d36eb41..0000000 --- a/charts/dns/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -domain: "auth.dev.hxme.net" -certSecretName: "wildcard-hxme-net" diff --git a/deployments-old/ai/openweb.yaml b/deployments-old/ai/openweb.yaml new file mode 100644 index 0000000..e2c52ea --- /dev/null +++ b/deployments-old/ai/openweb.yaml @@ -0,0 +1,76 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ai +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openwebui + namespace: ai +spec: + replicas: 1 + selector: + matchLabels: + app: openwebui + template: + metadata: + labels: + app: openwebui + spec: + containers: + - name: openwebui + image: ghcr.io/open-webui/open-webui:latest + ports: + - containerPort: 8080 + env: + - name: OLLAMA_BASE_URL + value: http://ollama:11434 + volumeMounts: + - name: ai-storage + mountPath: /app/backend/data + volumes: + - name: ai-storage + hostPath: + path: /dpool/files/ai/ + type: Directory +--- +apiVersion: v1 +kind: Service +metadata: + name: openwebui + namespace: ai +spec: + selector: + app: openwebui + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: openwebui + namespace: ai + annotations: + kubernetes.io/ingress.class: "traefik" + external-dns.alpha.kubernetes.io/hostname: nc.hxme.net +spec: + rules: + - host: ai.hxme.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: openwebui + port: + number: 80 + tls: + - hosts: + - ai.hxme.net + secretName: openwebui-tls + 
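Review bot: The openwebui Ingress carries `external-dns.alpha.kubernetes.io/hostname: nc.hxme.net` while its rule and tls hosts are `ai.hxme.net`, so external-dns will publish (or contend for) the Nextcloud name instead of the one this ingress serves; change it to `external-dns.alpha.kubernetes.io/hostname: ai.hxme.net`. The container image is `ghcr.io/open-webui/open-webui:latest`, which makes rollouts non-reproducible and lets an upstream push change what the cluster runs; the same applies to `syncthing/syncthing:latest` in deployments-old/files/syncthing.yaml and `bitnami/external-dns:latest` in deployments/dns-ssl/externaldns.yaml, so pin a tag (or digest) as vaultwarden and bind already do. The pod also mounts the hostPath `/dpool/files/ai/` with no pod securityContext, so it runs as whatever uid the image defaults to against a node directory whose parent `/dpool/files` syncthing mounts as well. `kubernetes.io/ingress.class` is the deprecated annotation form; `spec.ingressClassName: traefik` is its replacement.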
diff --git a/deployments-old/auth/authentik.yaml b/deployments-old/auth/authentik.yaml new file mode 100644 index 0000000..ced40ed --- /dev/null +++ b/deployments-old/auth/authentik.yaml @@ -0,0 +1,54 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: authentik +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: authentik + namespace: flux-system +spec: + url: https://charts.goauthentik.io/ + interval: 1h +--- +apiVersion: v1 +kind: Secret +metadata: + name: wildcard-hxme-net + namespace: authentik + annotations: + replicator.v1.mittwald.de/replicate-from: cert-manager/wildcard-hxme-net +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: authentik + namespace: authentik +spec: + interval: 30m + chart: + spec: + chart: authentik + version: 2024.4.2 + sourceRef: + kind: HelmRepository + name: authentik + namespace: flux-system + install: + createNamespace: true + upgrade: + disableWait: false + timeout: 10m + valuesFrom: + - kind: Secret + name: authentik-values + values: + ingress: + annotations: + external-dns.alpha.kubernetes.io/hostname: auth.hxme.net + tls: + - secretName: wildcard-hxme-net + hosts: + - auth.hxme.net diff --git a/charts/dns/templates/bind-master.yaml b/deployments-old/dns/bind.yaml similarity index 98% rename from charts/dns/templates/bind-master.yaml rename to deployments-old/dns/bind.yaml index 4d3328c..23eab06 100644 --- a/charts/dns/templates/bind-master.yaml +++ b/deployments-old/dns/bind.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: bind-master-config + namespace: dns data: named.conf: | include "/etc/bind/externaldns-key.conf"; @@ -51,6 +52,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: bind-master + namespace: dns spec: selector: matchLabels: @@ -120,8 +122,8 @@ apiVersion: v1 kind: Service metadata: name: bind-master + namespace: dns spec: - type: ClusterIP selector: app: bind-master ports: 
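Review bot: The chart values here put `ingress:` at the top level, whereas the copy of this HelmRelease added under deployments/home-server/authentik.yaml nests the same block under `server:`; both cannot match the authentik chart's values layout, so in one of the two files the external-dns annotation and the TLS block are most likely ignored by Helm. If `server.ingress` is the correct form for chart 2024.4.2, this file should carry the same nesting or a comment saying it is kept only for history. Feeding the sensitive values through `valuesFrom` Secret `authentik-values` instead of inline is the right shape and is the pattern the vaultwarden release should follow.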
diff --git a/charts/dns/templates/externaldns.yaml b/deployments-old/dns/externaldns.yaml similarity index 92% rename from charts/dns/templates/externaldns.yaml rename to deployments-old/dns/externaldns.yaml index 814af6c..ed64c21 100644 --- a/charts/dns/templates/externaldns.yaml +++ b/deployments-old/dns/externaldns.yaml @@ -13,6 +13,7 @@ rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list","watch"] + # Add DNS provider specific rules here if needed (e.g., for AWS IAM, GCP etc.) --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -25,16 +26,19 @@ roleRef: subjects: - kind: ServiceAccount name: external-dns + namespace: dns --- apiVersion: v1 kind: ServiceAccount metadata: name: external-dns + namespace: dns --- apiVersion: apps/v1 kind: Deployment metadata: name: external-dns + namespace: dns spec: replicas: 1 selector: @@ -69,4 +73,3 @@ spec: name: dns-secrets key: externaldns-secret - diff --git a/deployments-old/dns/namespace.yaml b/deployments-old/dns/namespace.yaml new file mode 100644 index 0000000..52c7228 --- /dev/null +++ b/deployments-old/dns/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: dns diff --git a/deployments-old/files/nextcloud.yaml b/deployments-old/files/nextcloud.yaml new file mode 100644 index 0000000..2ef2de0 --- /dev/null +++ b/deployments-old/files/nextcloud.yaml 
@@ -0,0 +1,142 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: nextcloud +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nextcloud-pv +spec: + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + storageClassName: local-path + hostPath: + path: /dpool/temp/Nextcloud +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-pvc + namespace: nextcloud +spec: + accessModes: + - ReadWriteOnce + storageClassName: local-path + resources: + requests: + storage: 10Gi + volumeName: nextcloud-pv +--- +apiVersion: v1 +kind: Service +metadata: + name: nextcloud + namespace: nextcloud +spec: + ports: + - port: 80 + selector: + app: nextcloud +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nextcloud + namespace: nextcloud +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + selector: + matchLabels: + app: nextcloud + template: + metadata: + labels: + app: nextcloud + spec: + containers: + - name: nextcloud + image: nextcloud:29 + env: + - name: MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: nextcloud-secrets + key: MYSQL_PASSWORD + - name: MYSQL_DATABASE + value: nextcloud + - name: MYSQL_USER + value: nextcloud + - name: MYSQL_HOST + value: mariadb + ports: + - containerPort: 80 + volumeMounts: + - name: nextcloud-data + mountPath: /var/www/html + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + volumes: + - name: nextcloud-data + persistentVolumeClaim: + claimName: nextcloud-pvc +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: MariaDB +metadata: + name: nextcloud-db + namespace: nextcloud +spec: + rootPasswordSecretKeyRef: + name: nextcloud-secrets + key: MYSQL_ROOT_PASSWORD + database: nextcloud + username: nextcloud + passwordSecretKeyRef: + name: nextcloud-secrets + key: MYSQL_PASSWORD + image: mariadb:10.11 + storage: + size: 5Gi +--- +apiVersion: v1 +kind: Secret +metadata: + name: wildcard-hxme-net + 
namespace: nextcloud + annotations: + replicator.v1.mittwald.de/replicate-from: cert-manager/wildcard-hxme-net +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nextcloud + namespace: nextcloud + annotations: + external-dns.alpha.kubernetes.io/hostname: nc.hxme.net +spec: + tls: + - hosts: + - nc.hxme.net + secretName: wildcard-hxme-net + rules: + - host: nc.hxme.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: nextcloud + port: + number: 80 + diff --git a/deployments-old/files/syncthing.yaml b/deployments-old/files/syncthing.yaml new file mode 100644 index 0000000..a7279b2 --- /dev/null +++ b/deployments-old/files/syncthing.yaml 
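Review bot: The Deployment appears to place `securityContext` with `runAsUser/runAsGroup/fsGroup` directly under `spec` (DeploymentSpec has no such field) and again under the container, where `fsGroup` is not a valid container-level field; with the default strict field validation `kubectl apply` rejects the object, and with a lenient client the uid settings are silently dropped. Move the block to `spec.template.spec.securityContext` (pod level, where `fsGroup` belongs) and keep only `runAsUser`/`runAsGroup` on the container if a per-container override is wanted. `MYSQL_HOST: mariadb` also does not match the MariaDB resource named `nextcloud-db`; the mariadb-operator presumably creates a Service named after the resource, so the host should be `nextcloud-db` — confirm against the operator version in use. Unlike the openwebui Ingress, this one names no ingress class, so it depends on a cluster default being set.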
@@ -0,0 +1,109 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: syncthing +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: syncthing-data + namespace: syncthing +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: syncthing-share-pv +spec: + capacity: + storage: 1000Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: /dpool/files +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: syncthing-share + namespace: syncthing +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1000Gi + volumeName: syncthing-share-pv +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: syncthing + namespace: syncthing +spec: + replicas: 1 + selector: + matchLabels: + app: syncthing + template: + metadata: + labels: + app: syncthing + spec: + containers: + - name: syncthing + image: syncthing/syncthing:latest + ports: + - containerPort: 8384 + - containerPort: 22000 + - containerPort: 21027 + protocol: UDP + volumeMounts: + - name: syncthing-data + mountPath: /var/syncthing + - name: syncthing-share + mountPath: /shared + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + volumes: + - name: syncthing-data + persistentVolumeClaim: + claimName: syncthing-data + - name: syncthing-share + persistentVolumeClaim: + claimName: syncthing-share +--- +apiVersion: v1 +kind: Service +metadata: + name: syncthing + namespace: syncthing +spec: + selector: + app: syncthing + ports: + - name: web-ui + port: 8384 + targetPort: 8384 + - name: sync-tcp + port: 22000 + targetPort: 22000 + - name: sync-udp + port: 22000 + protocol: UDP + targetPort: 22000 + - name: discovery + port: 21027 + protocol: UDP + targetPort: 21027 + type: ClusterIP + diff --git a/deployments-old/kustomization.yaml b/deployments-old/kustomization.yaml new file mode 100644 index 0000000..04b8189 
--- /dev/null +++ b/deployments-old/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - monitoring/provider.yaml + - monitoring/grafana.yaml + - monitoring/loki.yaml + - monitoring/prometheus.yaml + - operators/mariadb.yaml + - operators/replicator.yaml + - dns/namespace.yaml + - dns/bind.yaml + - dns/externaldns.yaml + - ssl/certmanager.yaml + - auth/authentik.yaml + - files/nextcloud.yaml + - files/syncthing.yaml diff --git a/deployments-old/monitoring/grafana.yaml b/deployments-old/monitoring/grafana.yaml new file mode 100644 index 0000000..47ed5e0 --- /dev/null +++ b/deployments-old/monitoring/grafana.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: grafana + namespace: monitoring +spec: + interval: 30m + chart: + spec: + chart: grafana + version: 7.3.0 + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + install: + createNamespace: true + values: + admin: + existingSecret: grafana-admin-secret + userKey: admin-user + passwordKey: admin-password + service: + type: LoadBalancer + annotations: + external-dns.alpha.kubernetes.io/hostname: "grafana.hxme.net" + datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: Loki + type: loki + access: proxy + url: http://loki:3100 + isDefault: true + diff --git a/deployments-old/monitoring/loki.yaml b/deployments-old/monitoring/loki.yaml new file mode 100644 index 0000000..b327a8e --- /dev/null +++ b/deployments-old/monitoring/loki.yaml 
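Review bot: The `resources` list leaves out `ai/openweb.yaml`, `remote-access/rustdesk.yaml` and `synctools/vaultwarden.yaml`, all added under deployments-old in this same commit, so they are never applied through this Kustomization. If that is deliberate (vaultwarden still carries a placeholder token, for instance), a one-line comment such as `# ai/, remote-access/ and synctools/ are intentionally not wired in` would stop the next reader from re-adding them. This is also the only file in the commit without a leading `---`.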
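Review bot: Grafana is published on `grafana.hxme.net` through `service.type: LoadBalancer` with no TLS, so the admin login and session cookie travel in clear text, while the `wildcard-hxme-net` Secret that provider.yaml replicates into `monitoring` is never referenced by this release. The same LoadBalancer-plus-hostname pattern is used for Loki in deployments-old/monitoring/loki.yaml, where `auth_enabled: false` additionally leaves the push and query API open to anything that can reach `loki.hxme.net`. Unless the LoadBalancer address range is known to be private, front Grafana with an Ingress using the replicated secret (`tls: [{secretName: wildcard-hxme-net, hosts: [grafana.hxme.net]}]`, as the authentik and nextcloud resources do) and keep Loki on `ClusterIP`, since only in-cluster Grafana talks to it via `http://loki:3100`.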
@@ -0,0 +1,33 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: loki + namespace: monitoring +spec: + interval: 30m + chart: + spec: + chart: loki + version: 6.6.4 + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + install: + createNamespace: true + values: + loki: + auth_enabled: false + singleBinary: + replicas: 1 + service: + type: LoadBalancer + annotations: + external-dns.alpha.kubernetes.io/hostname: "loki.hxme.net" + write: + replicas: 1 + read: + replicas: 1 + backend: + replicas: 1 diff --git a/deployments-old/monitoring/prometheus.yaml b/deployments-old/monitoring/prometheus.yaml new file mode 100644 index 0000000..dd4d5a6 --- /dev/null +++ b/deployments-old/monitoring/prometheus.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: prometheus-community + namespace: flux-system +spec: + url: https://prometheus-community.github.io/helm-charts + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: prometheus-operator + namespace: monitoring +spec: + interval: 30m + chart: + spec: + chart: kube-prometheus-stack + version: 58.1.2 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + install: + createNamespace: true + upgrade: + disableWait: true + timeout: 5m + values: + prometheus: + prometheusSpec: + serviceMonitorSelectorNilUsesHelmValues: false + # Optional: expose Prometheus/Grafana via NodePort, Ingress, etc. + grafana: + enabled: false + alertmanager: + enabled: true + diff --git a/deployments-old/monitoring/provider.yaml b/deployments-old/monitoring/provider.yaml new file mode 100644 index 0000000..3af442a --- /dev/null +++ b/deployments-old/monitoring/provider.yaml 
@@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: monitoring +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: grafana + namespace: flux-system +spec: + url: https://grafana.github.io/helm-charts + interval: 1h +--- +apiVersion: v1 +kind: Secret +metadata: + name: wildcard-hxme-net + namespace: monitoring + annotations: + replicator.v1.mittwald.de/replicate-from: cert-manager/wildcard-hxme-net diff --git a/deployments-old/operators/mariadb.yaml b/deployments-old/operators/mariadb.yaml new file mode 100644 index 0000000..04febe6 --- /dev/null +++ b/deployments-old/operators/mariadb.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mariadb-system +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: mariadb-operator + namespace: flux-system +spec: + url: https://helm.mariadb.com/mariadb-operator + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: mariadb-operator-crds + namespace: mariadb-system +spec: + interval: 30m + chart: + spec: + chart: mariadb-operator-crds + version: 0.38.1 + sourceRef: + kind: HelmRepository + name: mariadb-operator + namespace: flux-system + install: + createNamespace: true + upgrade: + disableWait: true + timeout: 5m +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: mariadb-operator + namespace: mariadb-system +spec: + interval: 30m + chart: + spec: + chart: mariadb-operator + version: 0.38.1 + sourceRef: + kind: HelmRepository + name: mariadb-operator + namespace: flux-system + install: + createNamespace: true + dependsOn: + - name: mariadb-operator-crds + namespace: mariadb-system + values: + metrics: + enabled: true + diff --git a/deployments-old/operators/replicator.yaml b/deployments-old/operators/replicator.yaml new file mode 100644 index 0000000..e8ec276 --- /dev/null +++ b/deployments-old/operators/replicator.yaml 
@@ -0,0 +1,98 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-replicator + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-replicator +rules: + - apiGroups: ["", "apps", "extensions"] + resources: + - secrets + - configmaps + - roles + - rolebindings + - cronjobs + - deployments + - events + - ingresses + - jobs + - pods + - pods/attach + - pods/exec + - pods/log + - pods/portforward + - services + - namespaces + - serviceaccounts + verbs: ["*"] + - apiGroups: ["batch"] + resources: + - configmaps + - cronjobs + - deployments + - events + - ingresses + - jobs + - pods + - pods/attach + - pods/exec + - pods/log + - pods/portforward + - services + verbs: ["*"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: + - roles + - rolebindings + - clusterrolebindings + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-replicator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-replicator +subjects: + - kind: ServiceAccount + name: kubernetes-replicator + namespace: kube-system +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: mittwald + namespace: flux-system +spec: + url: https://helm.mittwald.de + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kubernetes-replicator + namespace: kube-system +spec: + interval: 5m + chart: + spec: + chart: kubernetes-replicator + sourceRef: + kind: HelmRepository + name: mittwald + namespace: flux-system + install: + createNamespace: false + upgrade: + disableWait: false + values: + serviceAccount: + create: false + name: kubernetes-replicator diff --git a/deployments-old/remote-access/rustdesk.yaml b/deployments-old/remote-access/rustdesk.yaml new file mode 100644 index 0000000..47ec81d --- /dev/null 
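Review bot: The hand-written `kubernetes-replicator` ClusterRole grants `verbs: ["*"]` cluster-wide on `secrets`, `serviceaccounts`, `roles`, `rolebindings`, `namespaces` and on `pods/exec`, `pods/attach` and `pods/portforward`, which is effectively cluster-admin for a controller whose job is to copy Secrets/ConfigMaps (and Roles/RoleBindings) between namespaces; the `batch` group block even lists pods and services, which do not exist in that group. Trim it to the kinds the replicator actually copies plus read access to namespaces, as sketched below, and take the exact verb list from the chart's own RBAC template — with `serviceAccount.create: false` the chart may already render a ClusterRole for this ServiceAccount, in which case the manual one is redundant and should go. `helm.toolkit.fluxcd.io/v2beta1` and `source.toolkit.fluxcd.io/v1beta2` are the deprecated API versions (every other release in this commit uses `v2`/`v1`), and `chart.spec` has no `version`, so the release floats to whatever the repository serves. deployments/operators/replicator.yaml is a byte-identical copy (same blob e8ec276) and needs the same changes.
```yaml
# … unchanged: ServiceAccount …
rules:
  - apiGroups: [""]
    resources:
      - secrets
      - configmaps
      - serviceaccounts
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - roles
      - rolebindings
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# … unchanged: ClusterRoleBinding, HelmRepository, HelmRelease (pin chart.spec.version) …
```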
+++ b/deployments-old/remote-access/rustdesk.yaml @@ -0,0 +1,77 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: rustdesk +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: rustdesk-charts + namespace: flux-system +spec: + url: https://charts.rustdesk.com + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: rustdesk-server + namespace: rustdesk +spec: + interval: 30m + chart: + spec: + chart: rustdesk-server + version: 0.5.0 + sourceRef: + kind: HelmRepository + name: rustdesk-charts + namespace: flux-system + install: + createNamespace: true + values: + hbbs: + enabled: true + service: + type: ClusterIP + ports: + - name: tcp + port: 21115 + targetPort: 21115 + - name: tcp-hbbs + port: 21116 + targetPort: 21116 + - name: udp + port: 21116 + targetPort: 21116 + protocol: UDP + + hbbr: + enabled: true + service: + type: ClusterIP + ports: + - name: tcp-hbbr + port: 21117 + targetPort: 21117 + + ingress: + enabled: true + className: "traefik" # or nginx or your ingress class + annotations: {} + hosts: + - host: rd.hxme.net + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - rd.hxme.net + secretName: rustdesk-tls + + # Optional admin password – change this in production + env: + ENCRYPTED_ONLY: "false" + ENABLE_LOG: "true" + diff --git a/deployments-old/ssl/certmanager.yaml b/deployments-old/ssl/certmanager.yaml new file mode 100644 index 0000000..f238e14 --- /dev/null +++ b/deployments-old/ssl/certmanager.yaml 
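Review bot: `ENCRYPTED_ONLY: "false"` lets the rendezvous/relay accept clients that do not present the server's public key, so unverified, unencrypted sessions are allowed through `rd.hxme.net`; set it to the enabling value (upstream documents `ENCRYPTED_ONLY=1`) unless a specific legacy client needs otherwise, and document that exception. The comment above the env block, `# Optional admin password – change this in production`, describes a value that is not there (the keys are `ENCRYPTED_ONLY` and `ENABLE_LOG`), so replace it with `# Require key-verified, encrypted sessions; ENABLE_LOG is verbose`. The ingress TLS references `rustdesk-tls`, but nothing in the commit issues that certificate, unlike the wildcard-secret replication used elsewhere — a comment on where it comes from would help. Whether the env map reaches both hbbs and hbbr depends on the chart, which is not visible here.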
@@ -0,0 +1,72 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: jetstack + namespace: flux-system +spec: + url: https://charts.jetstack.io + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 30m + chart: + spec: + chart: cert-manager + version: v1.18.2 + sourceRef: + kind: HelmRepository + name: jetstack + namespace: flux-system + install: + crds: CreateReplace + createNamespace: true + values: + installCRDs: true + extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-rfc2136 +spec: + acme: + email: admin@hxme.net + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-rfc2136 + solvers: + - dns01: + rfc2136: + nameserver: hawke.hxst.com.au:53 + tsigKeyName: "hxme-update-key" + tsigAlgorithm: HMACSHA512 + tsigSecretSecretRef: + name: hxme-update-key + key: hxme-update-key +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-hxme-net + namespace: cert-manager +spec: + secretName: wildcard-hxme-net + secretTemplate: + annotations: + replicator.v1.mittwald.de/replication-allowed: "true" + replicator.v1.mittwald.de/replicate-to: "monitoring,authentik,nextcloud" + issuerRef: + name: letsencrypt-rfc2136 + kind: ClusterIssuer + commonName: "hxme.net" + dnsNames: + - "hxme.net" + - "*.hxme.net" diff --git a/deployments-old/synctools/vaultwarden.yaml b/deployments-old/synctools/vaultwarden.yaml new file mode 100644 index 0000000..93c3475 --- /dev/null +++ b/deployments-old/synctools/vaultwarden.yaml 
@@ -0,0 +1,79 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: bitwarden +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bjw-s-charts + namespace: flux-system +spec: + url: https://bjw-s.github.io/helm-charts/ + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: vaultwarden + namespace: bitwarden +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 2.4.0 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + values: + # Basic container config + image: + repository: vaultwarden/server + tag: 1.30.5 + pullPolicy: IfNotPresent + + env: + WEBSOCKET_ENABLED: "true" + SIGNUPS_ALLOWED: "false" + DOMAIN: "https://vw.hxme.net" + ADMIN_TOKEN: "CHANGEME_SUPER_SECRET" + + service: + main: + ports: + http: + port: 80 + + ingress: + main: + enabled: true + annotations: + kubernetes.io/ingress.class: "traefik" # Or nginx or your ingress class + hosts: + - host: vw.hxme.net + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - vw.hxme.net + secretName: bitwarden-tls + + persistence: + data: + enabled: true + existingClaim: bitwarden-data # You must create a PVC or a StorageClass dynamic claim + + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + cpu: 250m + memory: 512Mi + diff --git a/charts/dns/templates/bind-slave.yaml b/deployments/dns-ssl/bind.yaml similarity index 93% rename from charts/dns/templates/bind-slave.yaml rename to deployments/dns-ssl/bind.yaml index 091e96e..b77a3ba 100644 --- a/charts/dns/templates/bind-slave.yaml +++ b/deployments/dns-ssl/bind.yaml @@ -2,7 +2,8 @@ apiVersion: v1 kind: ConfigMap metadata: - name: bind-slave-config + name: bind-master-config + namespace: home-server data: named.conf: | include "/etc/bind/externaldns-key.conf"; 
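Review bot: `ADMIN_TOKEN: "CHANGEME_SUPER_SECRET"` is committed in plain text inside HelmRelease values, which Flux stores in the cluster and git history keeps forever; even as a placeholder it stands up the admin panel behind a guessable token until someone edits this file. Move it into a Secret and reference it, either through `valuesFrom` as the authentik release does or through the app-template env `valueFrom` form below; `existingClaim: bitwarden-data` likewise needs a comment saying where that PVC is created, since nothing here creates it. `kubernetes.io/ingress.class` is the deprecated annotation; the chart's `className: traefik` field, as used by the rustdesk release, is the replacement.
```yaml
    env:
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "false"
      DOMAIN: "https://vw.hxme.net"
      ADMIN_TOKEN:
        valueFrom:
          secretKeyRef:
            name: vaultwarden-admin  # constructed name; create the Secret out of band
            key: ADMIN_TOKEN
    # … unchanged: service, ingress, persistence, resources …
```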
@@ -50,15 +51,16 @@ data: apiVersion: apps/v1 kind: DaemonSet metadata: - name: bind-slave + name: bind-master + namespace: home-server spec: selector: matchLabels: - app: bind-slave + app: bind-master template: metadata: labels: - app: bind-slave + app: bind-master spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet @@ -77,7 +79,7 @@ spec: - mountPath: /usr/share/dns name: root-hints containers: - - name: bind-slave + - name: bind-master image: internetsystemsconsortium/bind9:9.18 command: ["named", "-g", "-c", "/etc/bind/named.conf"] ports: @@ -107,7 +109,7 @@ spec: secretName: dns-secrets - name: config configMap: - name: bind-slave-config + name: bind-master-config - name: bind-cache emptyDir: {} - name: bind-rundir @@ -120,10 +122,8 @@ apiVersion: v1 kind: Service metadata: name: bind-master - namespace: default + namespace: home-server spec: - type: LoadBalancer - externalTrafficPolicy: Local selector: app: bind-master ports: diff --git a/deployments/dns-ssl/certmanager.yaml b/deployments/dns-ssl/certmanager.yaml new file mode 100644 index 0000000..95511fd --- /dev/null +++ b/deployments/dns-ssl/certmanager.yaml 
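Review bot: This rename turns `bind-slave-config`/`bind-slave` into `bind-master-config`/`bind-master` in metadata, labels and volume references, but none of the hunks touch `named.conf` itself (the ConfigMap body begins in the previous hunk and continues outside this one); if that config still declares secondary zones, the resource is now mislabelled and, more importantly, deployments/dns-ssl/externaldns.yaml sends RFC2136 updates to `bind-master.home-server.svc.cluster.local`, which only a primary that accepts dynamic updates will honour. Confirm the zone type and add a comment at the top of the ConfigMap such as `# primary for hxme.net; accepts TSIG-signed updates from external-dns`. Dropping `type: LoadBalancer` and `externalTrafficPolicy: Local` makes the Service ClusterIP-only; with `hostNetwork: true` the DaemonSet still listens on the node IPs, so external resolvers are presumably expected to hit those directly — say so if that is the design.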
@@ -0,0 +1,73 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: jetstack + namespace: flux-system +spec: + url: https://charts.jetstack.io + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager + namespace: home-server +spec: + interval: 30m + chart: + spec: + chart: cert-manager + version: v1.18.2 + sourceRef: + kind: HelmRepository + name: jetstack + namespace: flux-system + install: + crds: CreateReplace + createNamespace: true + values: + installCRDs: true + extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-rfc2136 +spec: + acme: + email: admin@hxme.net + server: https://acme-v02.api.letsencrypt.org/directory + #server: https://acme-staging-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-rfc2136 + solvers: + - dns01: + rfc2136: + nameserver: hawke.hxst.com.au:53 + tsigKeyName: "hxme-update-key" + tsigAlgorithm: HMACSHA512 + tsigSecretSecretRef: + name: hxme-update-key + key: hxme-update-key +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-hxme-net + namespace: home-server +spec: + secretName: wildcard-hxme-net + secretTemplate: + annotations: + replicator.v1.mittwald.de/replication-allowed: "true" + replicator.v1.mittwald.de/replicate-to: "home-media" + issuerRef: + name: letsencrypt-rfc2136 + kind: ClusterIssuer + commonName: "hxme.net" + dnsNames: + - "hxme.net" + - "*.hxme.net" diff --git a/deployments/dns-ssl/externaldns.yaml b/deployments/dns-ssl/externaldns.yaml new file mode 100644 index 0000000..c3a9736 --- /dev/null +++ b/deployments/dns-ssl/externaldns.yaml 
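Review bot: The HelmRelease moves cert-manager into `home-server`, and the ClusterIssuer's `tsigSecretSecretRef: hxme-update-key` is resolved in cert-manager's cluster-resource namespace, which defaults to the namespace the controller runs in; the Secret therefore has to exist in `home-server` (the deployments-old copy implied `cert-manager`), and nothing in the commit says where it is created. A comment on the ClusterIssuer such as `# hxme-update-key Secret must live in home-server (cert-manager's cluster-resource namespace)` would capture that. `replicate-to: "home-media"` no longer includes the namespaces the old Certificate fed, which is consistent with authentik now living in `home-server` next to the Certificate, but any remaining consumer in another namespace (none is visible here) would silently stop receiving the secret.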
@@ -0,0 +1,78 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-dns +rules: + - apiGroups: [""] + resources: ["services","endpoints","pods"] + verbs: ["get","watch","list"] + - apiGroups: ["extensions","networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get","watch","list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["list","watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "watch", "list"] + # Add DNS provider specific rules here if needed (e.g., for AWS IAM, GCP etc.) +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-dns-viewer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-dns +subjects: + - kind: ServiceAccount + name: external-dns + namespace: home-server +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: external-dns + namespace: home-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-dns + namespace: home-server +spec: + replicas: 1 + selector: + matchLabels: + app: external-dns + template: + metadata: + labels: + app: external-dns + spec: + serviceAccountName: external-dns + containers: + - name: external-dns + image: bitnami/external-dns:latest + args: + - --source=service + - --source=ingress + - --provider=rfc2136 + - --rfc2136-host=bind-master.home-server.svc.cluster.local + - --rfc2136-port=53 + - --rfc2136-zone=hxme.net + - --rfc2136-tsig-secret=$(RFC2136_TSIG_SECRET) + - --rfc2136-tsig-secret-alg=hmac-sha256 + - --rfc2136-tsig-keyname=externaldns-key + - --policy=sync + - --registry=txt + - --txt-owner-id=my-cluster + env: + - name: RFC2136_TSIG_SECRET + valueFrom: + secretKeyRef: + name: dns-secrets + key: externaldns-secret + diff --git a/deployments/dns-ssl/kustomization.yaml b/deployments/dns-ssl/kustomization.yaml new file mode 100644 index 0000000..c9c356f --- /dev/null +++ b/deployments/dns-ssl/kustomization.yaml 
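Review bot: The TSIG secret is expanded into the process command line via `--rfc2136-tsig-secret=$(RFC2136_TSIG_SECRET)`, so it is readable from the container's process table and from anything that can inspect the node; external-dns reads every flag from an `EXTERNAL_DNS_`-prefixed environment variable, so rename the env entry to `EXTERNAL_DNS_RFC2136_TSIG_SECRET` and drop the flag line. `image: bitnami/external-dns:latest` is unpinned (see the openwebui note), and `--txt-owner-id=my-cluster` is the upstream example value — give it a name specific to this cluster so a second external-dns against the same zone cannot claim its records. `--policy=sync` lets this controller delete `hxme.net` records it considers stale, and the cert-manager ClusterIssuer in deployments/dns-ssl/certmanager.yaml writes the same zone through `hawke.hxst.com.au:53` with a different key, so a comment stating which writer owns which records would prevent surprises.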
@@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - bind.yaml + - externaldns.yaml + - certmanager.yaml diff --git a/deployments/home-server/authentik.yaml b/deployments/home-server/authentik.yaml new file mode 100644 index 0000000..711680c --- /dev/null +++ b/deployments/home-server/authentik.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: authentik + namespace: flux-system +spec: + url: https://charts.goauthentik.io/ + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: authentik + namespace: home-server +spec: + interval: 30m + chart: + spec: + chart: authentik + version: 2024.4.2 + sourceRef: + kind: HelmRepository + name: authentik + namespace: flux-system + install: + createNamespace: true + upgrade: + disableWait: false + timeout: 10m + valuesFrom: + - kind: Secret + name: authentik-values + values: + server: + ingress: + annotations: + external-dns.alpha.kubernetes.io/hostname: auth.hxme.net + tls: + - secretName: wildcard-hxme-net + hosts: + - auth.hxme.net diff --git a/deployments/home-server/dovecot.yaml b/deployments/home-server/dovecot.yaml new file mode 100644 index 0000000..facd31c --- /dev/null +++ b/deployments/home-server/dovecot.yaml @@ -0,0 +1,104 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: dovecot-config + namespace: home-server +data: + dovecot.conf: | + log_path = /dev/stdout + info_log_path = /dev/stdout + debug_log_path = /dev/stdout + syslog_facility = local0 + protocols = imap + listen = * + disable_plaintext_auth = yes + mail_location = maildir:/data/%u + base_dir = /var/run/dovecot/ + ssl = required + ssl_cert = /backup/backup-$(date +'%Y-%m-%d').sql + volumeMounts: + - name: backup-volume + mountPath: /backup + volumes: + - name: backup-volume + persistentVolumeClaim: + claimName: postgres-backup-pvc + + + 
diff --git a/deployments/operators/redis.yaml b/deployments/operators/redis.yaml new file mode 100644 index 0000000..b21967c --- /dev/null +++ b/deployments/operators/redis.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis + namespace: home-server +spec: + replicas: 1 + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + containers: + - name: redis + image: redis:7 + ports: + - containerPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: redis + namespace: home-server +spec: + selector: + app: redis + ports: + - port: 6379 + diff --git a/deployments/operators/replicator.yaml b/deployments/operators/replicator.yaml new file mode 100644 index 0000000..e8ec276 --- /dev/null +++ b/deployments/operators/replicator.yaml 
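Review bot: The Redis Deployment runs `redis:7` with no `requirepass`/ACL and exposes it as a ClusterIP Service in `home-server`, so any pod in the cluster can read and write it; if it backs authentik sessions (the authentik chart bundles its own Redis unless disabled, which this commit does not show), that is session state reachable without credentials. Add authentication with `args: ["--requirepass", "$(REDIS_PASSWORD)"]` fed from a Secret, or at least a NetworkPolicy limiting ingress to the intended client pods, and state in a comment which release consumes it. The file sits under deployments/operators/ although it is a plain Deployment rather than an operator, which will mislead anyone scanning the tree.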
@@ -0,0 +1,98 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-replicator + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-replicator +rules: + - apiGroups: ["", "apps", "extensions"] + resources: + - secrets + - configmaps + - roles + - rolebindings + - cronjobs + - deployments + - events + - ingresses + - jobs + - pods + - pods/attach + - pods/exec + - pods/log + - pods/portforward + - services + - namespaces + - serviceaccounts + verbs: ["*"] + - apiGroups: ["batch"] + resources: + - configmaps + - cronjobs + - deployments + - events + - ingresses + - jobs + - pods + - pods/attach + - pods/exec + - pods/log + - pods/portforward + - services + verbs: ["*"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: + - roles + - rolebindings + - clusterrolebindings + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-replicator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-replicator +subjects: + - kind: ServiceAccount + name: kubernetes-replicator + namespace: kube-system +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: mittwald + namespace: flux-system +spec: + url: https://helm.mittwald.de + interval: 1h +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kubernetes-replicator + namespace: kube-system +spec: + interval: 5m + chart: + spec: + chart: kubernetes-replicator + sourceRef: + kind: HelmRepository + name: mittwald + namespace: flux-system + install: + createNamespace: false + upgrade: + disableWait: false + values: + serviceAccount: + create: false + name: kubernetes-replicator