diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..8eccc5b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+creation_rules:
+ - path_regex: secret.yaml$
+ encrypted_regex: ^(data|stringData)$
+ # tower
+ # k8s
+ age: >-
+ age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
+ age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 85e7838..95c3df9 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,8 @@
 {
 "yaml.schemas": {
 "https://json.schemastore.org/kustomization.json": "file:///workspace/gitops/infra/traefik.yaml"
+ },
+ "sops": {
+ "creationEnabled": true
+ }
 }
\ No newline at end of file
diff --git a/apps/gluetun/kustomization.yaml b/apps/gluetun/kustomization.yaml
new file mode 100644
index 0000000..fbded95
--- /dev/null
+++ b/apps/gluetun/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- secret.yaml
\ No newline at end of file
diff --git a/apps/gluetun/secret.yaml b/apps/gluetun/secret.yaml
new file mode 100644
index 0000000..1f4380c
--- /dev/null
+++ b/apps/gluetun/secret.yaml
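Review bot: The creation rule only governs what `sops encrypt` will touch; nothing in this file or the diff stops a `secret.yaml` that was never encrypted from being committed, and Flux would then apply the plaintext Secret exactly as it applies a decrypted one. A pre-commit guard that refuses any file matching `path_regex` without a top-level `sops:` key (or a `sops filestatus` check) would close that gap; it is presumably what a forgotten `sops encrypt --in-place` from the readme would otherwise slip past. The `# tower` / `# k8s` comments sit above the `age:` key rather than beside each recipient, and comments cannot go inside the folded scalar, so the key-to-holder mapping is already lost; make the comments self-describing, e.g. `# tower: age1ntf…8tv` and `# k8s: age1gnx…3ll`.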
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gluetun-env
+stringData:
+ TZ: ENC[AES256_GCM,data:LJEpoJ4aVy5Qf8w7zg==,iv:IOxz/scZUCqEhasCje3X64MCddTzrtcnOp/6wg0SHEU=,tag:PTfTjdbClLj6fnXWJFedDw==,type:str]
+ VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:ttMPiwizhg==,iv:TmptqgLRaugwq3NiGxOvM9NdnkflNLQsYoRp8fIXq0c=,tag:fXeinqe8eUn/a+MNbiKrzw==,type:str]
+ VPN_TYPE: ENC[AES256_GCM,data:1GAuiUTCew==,iv:yZFHMMXt4Z4PR5tUJ0e7k8bJbjTFPY46X2AW6LB68xE=,tag:gtveZD34ZzXXHSekDPi93Q==,type:str]
+ SERVER_COUNTRIES: ENC[AES256_GCM,data:D6O0wIPGYMBzL28=,iv:p4RoFg0iSGrLRzkw5cbOj9F0Ty+soASiwgDbwHsn2rU=,tag:PeMGdEoYSJjKv5jkiaQn3w==,type:str]
+ FIREWALL_INPUT_PORTS: ENC[AES256_GCM,data:IDFDixwvkY4YG1A=,iv:FyDaKtjza6zC1g5soqhvi5MmjGV5Ap3tFBht3zx6emM=,tag:HyNwf1wRhBoRq1CaRAtH+Q==,type:str]
+ OPENVPN_CIPHERS: ENC[AES256_GCM,data:V/VGTVVTlCsz1dg=,iv:eK6noWENyRrR5lUd8XwuAOgKz3MX1kqY3VKwvBQy0h4=,tag:JOH3Eym5k6DiBoUgpvePoA==,type:str]
+ OPENVPN_USER: ENC[AES256_GCM,data:RnZRnVakr1tPraU7PF3J1Q==,iv:1cXVtF4VfYq8Y41HVndFraxoZtwM/r4EHsowfRucBko=,tag:UgkcS89V7QKOF7ZS5Qqi+g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpc3pXZzMraGJONnVHRGta
+ Y0J6aDB0R0NMWmpMSFcyTTk5bkJaU3NPUldJCjgydmdOZGdoaUVCb2F2amVndnFZ
+ VUgxeW1IRlRUdWRydkg4TzdSTkY5b2sKLS0tIEdCcGFBMkJ2MldMMUlsaUpoeEhF
+ RUhxNlF4NTRROXVMWExuNi9hRmJBMWcKkSzzsaY7I46F15Y11c+9J4EcoT7lqG83
+ dSdTUHsbvNBsYYGYFUkHpRr7XEgnWWecV3lpzoVYLnmvJXCwFCK8Ug==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVEtQbTF1eVhmM0xsd2tU
+ b1R5ME1PRVkrbCtTRHdFM1BWSEcrMEhEUTE4Ck5aWkQvZThOMVJpN2x2Z053WTcz
+ bDVnQTFhYjV0QWZJbC9KaG9IVlY0T1UKLS0tIDkxaXJVWlQrK2VqODBHY3RDTzBR
+ QUFpRStodHhkTmxjNEpXQ2UxSjArN0EKnzsoVUTuiJIzTlhKNCSZpPHiRRs+KSAF
+ cyZPHvxn+xebB0jkMF6awXhruPdKHwNeijGKTzVm2RtKgjX+2YMaUg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-13T19:04:15Z"
+ mac: ENC[AES256_GCM,data:gXXZVu6iVZ6wqlKe4WDpQABHoxirZ1suZnaiQ+ru4sOPEQSGr2k6qyTA4uXcxSbtiw9g3JX9N34ZB2I3jNPbS+I2sfOvEr1VWe639k9OUDcWNOMEWNjK+PIiF9x81SJab9og4Z/2mdFuRXDAG9CHX6Q/sLEbsP3vpZgXeL7Xs38=,iv:yJeJPq2InZN+ewWd4yvSPTjNNo9MSgzbbxBUHL2ZCjs=,tag:2qCHVAvsucnr8yA0dkMXkA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
diff --git a/apps/sonarr/deployment.yaml b/apps/sonarr/deployment.yaml
index 7295d2d..e2dbb57 100644
--- a/apps/sonarr/deployment.yaml
+++ b/apps/sonarr/deployment.yaml
@@ -20,12 +20,27 @@ spec:
 app: sonarr
 spec:
 containers:
+ - image: ghcr.io/qdm12/gluetun:latest
+ name: gluetun
+ imagePullPolicy: Always
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ ports:
+ - containerPort: 8989
+ envFrom:
+ - secretRef:
+ name: gluetun-env
+ resources:
+ limits:
+ cpu: 250m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
 - name: sonarr
 image: lscr.io/linuxserver/sonarr:4.0.8
 imagePullPolicy: IfNotPresent
- ports:
- - name: http
- containerPort: 8989
 livenessProbe:
 httpGet:
 path: /ping
diff --git a/clusters/kairos/apps/fluxrepo.yaml b/clusters/kairos/apps/fluxrepo.yaml
index b50aeb0..aea4a6d 100644
--- a/clusters/kairos/apps/fluxrepo.yaml
+++ b/clusters/kairos/apps/fluxrepo.yaml
@@ -11,3 +11,7 @@ spec:
 kind: GitRepository
 name: flux-system
 namespace: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/clusters/kairos/flux-system/gotk-sync.yaml b/clusters/kairos/flux-system/gotk-sync.yaml
index 26e5a09..9d78a49 100644
--- a/clusters/kairos/flux-system/gotk-sync.yaml
+++ b/clusters/kairos/flux-system/gotk-sync.yaml
@@ -25,3 +25,7 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
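Review bot: The Secret carries `OPENVPN_USER` but no `OPENVPN_PASSWORD` (the hunk is complete at its declared 41 lines), and the sonarr deployment in this diff feeds gluetun only from this Secret via `envFrom`, so unless the chosen provider authenticates without a password the tunnel will presumably not come up. Separately, because `encrypted_regex: ^(data|stringData)$` encrypts every value, non-secrets such as `TZ`, `SERVER_COUNTRIES` and `FIREWALL_INPUT_PORTS` are ciphertext too; a reviewer cannot confirm the firewall allow-list contains the 8989 port the pod exposes, and every config tweak becomes an opaque blob change. Keep only the credentials (`OPENVPN_USER`, `OPENVPN_PASSWORD`) in this sops-encrypted Secret and move the rest into a plain ConfigMap referenced with `envFrom: - configMapRef:`.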
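Review bot: `image: ghcr.io/qdm12/gluetun:latest` together with `imagePullPolicy: Always` means the sidecar that holds `NET_ADMIN` and receives the VPN credentials from `gluetun-env` is re-resolved on every pod start to whatever the registry currently serves; pin it to a release tag and ideally a digest, as the sibling sonarr container already pins `4.0.8`, e.g. `image: ghcr.io/qdm12/gluetun:<release-tag>@sha256:<digest>`. The capability block only adds to the default set; `capabilities: {drop: ["ALL"], add: ["NET_ADMIN"]}` limits the container to the one privilege it needs. There is also no readiness probe on gluetun and nothing in the manifest records that sonarr is expected to be unable to reach the network until the tunnel is up — that depends on gluetun's own firewall behaviour, which is outside this diff, and deserves a comment above the container, e.g. `# gluetun shares the pod netns; sonarr traffic is assumed to be blocked by gluetun's firewall until the VPN is up`. The enclosing Deployment spec starts before and continues after the hunk.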
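Review bot: `secretRef.name: sops-age` is resolved in this Kustomization's own namespace, not in the `sourceRef.namespace: flux-system` shown two lines above, and the readme in this diff creates `sops-age` only in `flux-system`; the stanza therefore works only if this Kustomization itself lives in `flux-system`, and its `metadata` is outside the hunk so that cannot be confirmed here. If it lives elsewhere the reconciliation presumably fails with a missing-secret error rather than applying ciphertext, which is the safe failure but still worth a note. Add a comment beside the stanza, e.g. `# sops-age must exist in this Kustomization's namespace (see readme: age & sops)`.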
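Review bot: `clusters/kairos/flux-system/gotk-sync.yaml` is the file `flux bootstrap` generates, so the `decryption:` stanza added here is liable to be overwritten on the next bootstrap run, silently leaving the root Kustomization unable to decrypt anything it reconciles directly; the identical setting on `clusters/kairos/apps/fluxrepo.yaml` in this diff is the durable place for it. If the root Kustomization genuinely needs decryption, record that above the stanza, e.g. `# re-add after any flux bootstrap: root Kustomization decrypts sops manifests with the sops-age key`, or keep every sops-encrypted manifest under a child Kustomization. The Kustomization spec starts before the hunk.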
diff --git a/clusters/kairos/local-path-provisioner/helmrepo.yaml b/clusters/kairos/local-path-provisioner/helmrepo.yaml index 8056309..443bdbb 100644 --- a/clusters/kairos/local-path-provisioner/helmrepo.yaml +++ b/clusters/kairos/local-path-provisioner/helmrepo.yaml @@ -7,7 +7,7 @@ spec: interval: 15m url: https://github.com/rancher/local-path-provisioner.git ref: - tag: v0.0.28 + tag: v0.0.29 ignore: |- # exclude all /* diff --git a/readme.md b/readme.md index b26f9a0..bc9894c 100644 --- a/readme.md +++ b/readme.md @@ -28,6 +28,34 @@ Host 192.168.1.101 SSH into the server, and grab the kubeconfig with `sudo cat /etc/rancher/k3s/k3s.yaml`. Drop the user and cluster into your config and create a context to have that user and cluster +## age & sops + +I use sops with age to encrypt keys etc in git. +Before pushing encrypted keys up, we'll need to re-encrypt them with a new key. +From a shell with sops and age installed, and an already known key under `$HOME/.config/sops/age/keys.txt` (or `%AppData%\sops\age\keys.txt`), create a new key in this repo `age-keygen -o keys.txt`. + +Add that new public key to the `.sops.yaml`, and push the secret key to the cluster with: + +```sh +cat keys.txt | +kubectl create secret generic sops-age \ +--namespace=flux-system \ +--from-file=keys.txt=/dev/stdin +``` + +Update the encryption with `sops updatekeys`, then delete keys.txt. + +### Using sops + +#### Encrypting + +After creating a new secret, run `sops encrypt --in-place ./path/to/secret.yaml`. + +#### Editing + +You can install the `@signageos/vscode-sops` extension in vscode to automatically decrypt, edit and re-encrypt a secret. +Or use `sops edit file.yaml` + ## Flux CD Install flux and everything in this repo with the following: