diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..07baae1
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+- encrypted_regex: "^(data|stringData)$"
+  pgp: >-
+    2CC2B3631D5C3393901335DB68F95C5D753EE1E5,
+    8DF31C9F48A24F525FFB1815FC96C52B59328E95
diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
new file mode 100644
index 0000000..fe640dd
--- /dev/null
+++ b/cluster/apps/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+- traefik
diff --git a/cluster/apps/traefik/helm-release.yaml b/cluster/apps/traefik/helm-release.yaml
new file mode 100644
index 0000000..dae52be
--- /dev/null
+++ b/cluster/apps/traefik/helm-release.yaml
@@ -0,0 +1,81 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: traefik-helm
+  namespace: traefik
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: traefik
+      version: '2.9.9'
+      sourceRef:
+        kind: HelmRepository
+        name: traefik-helm-repo
+        namespace: flux-system
+      interval: 1m
+  values:
+    additionalArguments:
+    - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
+    - --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
+    - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
+    - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
+
+    - --api.insecure
+    - --providers.kubernetesingress
+
+    logs:
+      general:
+        level: DEBUG
+
+    ports:
+      web:
+        expose: true
+        exposedPort: 8080
+      # (optional) Permanent Redirect to HTTPS
+      # redirectTo: websecure
+      websecure:
+        tls:
+          exposed: true
+          exposedPort: 8443
+
+          enabled: true
+          certResolver: cloudflare
+
+
+    env:
+    - name: CF_DNS_API_TOKEN
+      valueFrom:
+        secretKeyRef:
+          key: apiToken
+          name: cloudflare-credentials
+
+    # Disable Dashboard
+    ingressRoute:
+      dashboard:
+        enabled: false
+
+    # Persistent Storage
+    persistence:
+      enabled: true
+      name: ssl-certs
+      size: 1Gi
+      path: /ssl-certs
+
+    #deployment:
+    #  initContainers: 
+    # The "volume-permissions" init container is required if you run into permission issues.
+    # Related issue: https://github.com/containous/traefik/issues/6972
+    #  - name: volume-permissions
+    #    image: busybox:1.31.1
+    #    command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
+    #    volumeMounts:
+    #    - name: ssl-certs
+    #      mountPath: /ssl-certs
+
+    # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
+    ingressClass:
+      enabled: true
+      isDefaultClass: true
+
+    namespaceOverride: traefik
diff --git a/cluster/apps/traefik/helm-repository.yaml b/cluster/apps/traefik/helm-repository.yaml
new file mode 100644
index 0000000..446f2fd
--- /dev/null
+++ b/cluster/apps/traefik/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: traefik-helm-repo
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://traefik.github.io/charts
diff --git a/cluster/apps/traefik/ksops.yaml b/cluster/apps/traefik/ksops.yaml
new file mode 100644
index 0000000..090010e
--- /dev/null
+++ b/cluster/apps/traefik/ksops.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: traefik-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+- ./traefik-secrets.enc.yaml
diff --git a/cluster/apps/traefik/kustomization.yaml b/cluster/apps/traefik/kustomization.yaml
new file mode 100644
index 0000000..21da474
--- /dev/null
+++ b/cluster/apps/traefik/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+- ksops.yaml
+resources:
+- helm-repository.yaml
+- helm-release.yaml
diff --git a/cluster/apps/traefik/traefik-secrets.enc.yaml b/cluster/apps/traefik/traefik-secrets.enc.yaml
new file mode 100644
index 0000000..aabc1e8
--- /dev/null
+++ b/cluster/apps/traefik/traefik-secrets.enc.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudflare-credentials
+    namespace: traefik
+type: Opaque
+stringData:
+    apiToken: ENC[AES256_GCM,data:2ofq1q6ZJ08RfWtb7KAkiLbTGuY0XX+YNOprSLPVf42MmcHk1AwIaw==,iv:TzSqE3UP8KeASgQeJmQJPOo0Gq4Qx5t7oPqXYr451sg=,tag:eumfMTxotVGmVdY5FmUhjQ==,type:str]
+    email: ENC[AES256_GCM,data:3SLMvJWYY/rCESO24AujCtdc,iv:bMvI+p8lL7UrkxdB+qCXhn+I3t99Kxx2uIoKv8WGJOE=,tag:c+3aqPigO1hUNEnTQih+7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-02T17:15:20Z"
+    mac: ENC[AES256_GCM,data:aJlH+CJloGHMBlbWns9cCmNIUGSJPG43QnJdxEFDArUwRSQRtpM8IiCrIK/RrsP3GHzvZkbNIMSoFeXDq/KfW2ZbGIrDuvGjSwpKSd/tV40NulSOZILZViTV5FNrIO4q05spv0QoGsPcF9CSvRGpQ98w5RbPxQm6U6aYl6cM+7c=,iv:yhu+Zh9ksE2A0MlqDTknNcywpJhxjgTAD7a7VkRqslA=,tag:XGTJaPkAZyQeKG+xsUg0/Q==,type:str]
+    pgp:
+        - created_at: "2023-04-02T17:33:57Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ//SGQIuAWmFUmI1DR1MpbDwjOg+s+YvbEbIcLv4iMTn6rM
+            vtNIpo5I183JJUxRcCKerpW9fIhMSqov7OlvS2c3cLNp2PapHWKR0av0r3Zk0D95
+            mcMjlpp6j8l9kXFnbGJBX8UkaCJ6jgm79xHhZjODa3A6WB1kQJ3kcXN0sQuZ61qH
+            UD2QKwPUnTR9cWURdBt4L1aX4+abEwKfLE+XygBTq/2sXOchEU6sKZ88ieGAt2te
+            8PQ3zWTTUBC2o+AVMnZ3CNCQrdvKKQ4vSEW6+jFsJLgloMThDcf83owvWNDfZwVS
+            O62k0Wsb9N7ZXScPp8A0VoPa4Qb6WVMJ7BpizUZcSmzC/qNz+CDk7u769xjHyBHC
+            8kS0JpCWDpozeqcXZjhMpC2MsgfU/FjB0dxy9vyhf910ZlM/TkXnrduJu8p20NQe
+            Mf1le0/kNoJiUzk0PZcG3l1osafvEChj7owGi1Tnjs1Z/Tz/7GpyDPUWwuxJi37A
+            ssMKFpuedckQlV6oTTvthX0YGGGF0lCoyLAUBqi81IX7b7GHxn/n8hP30oOGrljL
+            k77vpX/GDrK+3TtZdjAoQz079Go+AqyxKcgOfF0UJ6z88iYdBnPugHxCXXvMNHhF
+            HQxzlpFdqJ7P6XXDIFGm5G1oJCVzQyb5fSlh07NphNC6TTDUahkpYJz7qJoWwqPU
+            aAEJAhCXIy1CD5IdGnE16agicIw1VFhT1F7C4/zH7zBITyYXNTrZ4/5S0SdaT6Fi
+            XDVC7Eza3UTOIV6l4mJq5xOrGkV0mNi6hwPBJt334MDidNH3AaivUQgpCJX0hSTC
+            raho1DevzjCp
+            =vlaG
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-02T17:33:57Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ/7BW9zYpflHgi9WOyjyWjybWzsWbLDlHOXPSNMqcpKcsz1
+            uCp+ReZdsAbnPHRagpnpg5Wj2J9GfY1t8vgfQB4YwGfd0cfjTjumcCd7Lhd0iJjF
+            oJROOh2CD4B9MPxS0lbjFSUkMnS+8/M4mNdc1TzIRZNYJN0zgcFg51N7hg83d4K7
+            a2Jev4tCiaXkBLCPFUdTJfsL3BbR9sGt3+ip6qPJKf1fMQqQ8i/yHvzqVZWEtsI0
+            aD92ypqI32Jd+BFKKER1bxOA1QbsklkqLRLRIJtX0wA6SSH4Q0fRtUfvem4xSIei
+            m+8iQSSu1TSt65lRVXLmDUseKJcELv+DyKvDPnCZquLW3swYtWSGmv4ULAN8+bB2
+            W4+ZEi9XNouPTvYCG9rnS2PSsUigZ7lSwgL2y/Qe6h4UZgNibQ/nxGaESGik3dt6
+            igj9aJIbgF++QFQfHBfLxe3T+cbFyjw6WitrZPmksK3cKea3gx/33HBWu3VGL51x
+            nMkrjA9K4vu+7jec51HnuevXBhMMvRFrLZowogJy2usOBm2axfAIRJRJA9F/FSnT
+            ZNmq+PR3OuQZ6ytllSHnXDID+uCyAprVtqDKn3Nvw2WDK8Y8z8ssk24Nw1OmLZWo
+            6cCE1SJ1DBzsFOXjIhwkPD00gzYzyKYEbZLWAVF6aWPmvbdKIWorkdqiRcwcT/3U
+            aAEJAhBteUna4cfGfCufYAwi1SsNQ02KUb4kLDIr/OkzVkNUXOHxXJcvz/ACKwDI
+            gzPM91ZC5tslyR7K4171iEy2CbQWwZvoFqnKiCtXn4d0WunpArdc4XyfqWYoMUbA
+            Y58UlX+qac0F
+            =exhB
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
diff --git a/cluster/apps/traefik/traefik-values.yaml b/cluster/apps/traefik/traefik-values.yaml
new file mode 100644
index 0000000..2a0662a
--- /dev/null
+++ b/cluster/apps/traefik/traefik-values.yaml
@@ -0,0 +1,64 @@
+additionalArguments:
+- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
+- --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
+- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
+- --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
+
+- --api.insecure
+- --providers.kubernetesingress
+
+logs:
+  general:
+    level: DEBUG
+
+ports:
+  web:
+    expose: true
+    exposedPort: 8080
+  # (optional) Permanent Redirect to HTTPS
+  # redirectTo: websecure
+  websecure:
+    tls:
+      exposed: true
+      exposedPort: 8443
+
+      enabled: true
+      certResolver: cloudflare
+
+
+env:
+- name: CF_DNS_API_TOKEN
+  valueFrom:
+    secretKeyRef:
+      key: apiToken
+      name: cloudflare-credentials
+
+# Disable Dashboard
+ingressRoute:
+  dashboard:
+    enabled: false
+
+# Persistent Storage
+persistence:
+  enabled: true
+  name: ssl-certs
+  size: 1Gi
+  path: /ssl-certs
+
+#deployment:
+#  initContainers: 
+# The "volume-permissions" init container is required if you run into permission issues.
+# Related issue: https://github.com/containous/traefik/issues/6972
+#  - name: volume-permissions
+#    image: busybox:1.31.1
+#    command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
+#    volumeMounts:
+#    - name: ssl-certs
+#      mountPath: /ssl-certs
+
+# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+
+namespaceOverride: traefik