diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env
index 7b262e9e..3ed971b9 100644
--- a/kube/clusters/biohazard/config/vars.sops.env
+++ b/kube/clusters/biohazard/config/vars.sops.env
@@ -112,6 +112,8 @@ APP_IP_OVENMEDIAENGINE=ENC[AES256_GCM,data:DkdaSMMW5NOTRHA=,iv:rbSo41gsGni4JvrME
 APP_UID_OVENMEDIAENGINE=ENC[AES256_GCM,data:ikSvegw=,iv:uWQZ+ECxaauHa5e77lxvr0CH20Ya7+jui7gZqYCVciA=,tag:YTfpLstA7TvvxvkXwWWi7A==,type:str]
 APP_DNS_OVENPLAYER=ENC[AES256_GCM,data:cO0mxSjLC85vRUbXESkbPqT+31yDOudb,iv:DzVFkRWX5lcO75zKefGl6s2TvybHRAXKL+315m1K80w=,tag:YMUcbyQrxuGSs2lVE9wZAQ==,type:str]
 APP_UID_OVENPLAYER=ENC[AES256_GCM,data:LCBe0Eo=,iv:4xhgOx05qdnFvFH0iFdbaha3Kc4V5WCVh7dx0888N+8=,tag:uBJ2+g0PcgprLRjih2KAyw==,type:str]
+APP_DNS_CYBERCHEF=ENC[AES256_GCM,data:Bp68OfLoJeZS1tE=,iv:bTt5owz7wx+Xr+/6NfuRZmcALg/cahdNmi6Ouuj63qI=,tag:T1YKPu3MjNCt+9yfhZQbaA==,type:str]
+APP_UID_CYBERCHEF=ENC[AES256_GCM,data:Q4C7NNI=,iv:o9zaPN5gux5y2iTgkr6yCWgr5N/RXTYEbX6bOACj/Dg=,tag:ksUC7t6XPHpNy7usrG2NQA==,type:str]
 CONFIG_MINECRAFT_OPS=ENC[AES256_GCM,data:al3glJDrtuqtTM2z4W7n+tPNf6XVfK64Jdb9s5RAE5NUwxyK,iv:kYqlsOabsa2iBZKgqjOpFYJo0DMFuoo3ZWCqb/Xzi5c=,tag:nIqPXvBvxdi8crMj1CYsEw==,type:str]
 CONFIG_MINECRAFT_ICON=ENC[AES256_GCM,data:nNzsyRclLnPZ+8Td/WJg2u8V/QKf/xowrghmTaKRNb9a5BMOxtzmiyAt6Us8OoY=,iv:b7fHZQdOjc4oCCLtLhopNg6G7IS2u9NUdBLCN6CjSKc=,tag:+cPgP1oK/9+EK2tB9Y45zw==,type:str]
 CONFIG_MINECRAFT_NAME=ENC[AES256_GCM,data:1qSqJGmGON9BhJKRJA==,iv:Sdwq0LLLdBQlr3m+0Ey2IE9FcRtVKOtXsswLMMp9A5A=,tag:WpaTzqSO3+N+vnJkGI+pCQ==,type:str]
@@ -126,12 +128,12 @@ CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn
 CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str]
 CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str]
 CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzIn25sNoycsHRE5pugkubLS2VrM77+g/E=,tag:6JAsRjU0L6wbZtns3rk6KQ==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n
-sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
-sops_mac=ENC[AES256_GCM,data:TZqTBrYmSQiIo6GFhGXYKeeh6gTieYisfRtInXXD7nfGPyJCnLICC8Rajt59AoA5R2gSTwJXo+Wi4OC8mVeLS8ckf5EllOZeRhEhbygj5R1HQlqjHn3Vgw8vGy1fcbLxBwShYfVPXS+3trMPqMFv7fvwzzN1JAIRN47tNG5E+Ao=,iv:CATKvcj7Qyc+LfL/vmDuKBOMnkkGgyf1BfQWo4NGuxA=,tag:D6op/eANwVDl72HpzzOgcA==,type:str]
+sops_mac=ENC[AES256_GCM,data:Jcni5apUHEzUt0Xr0O8MyX9mI86StHh4Za0qJhEWQGR1r8Vx+LKW3bkwTS2KGk34/ur+9TtMm7htq3fHQ/oGfNQm0T8grIHQ/O9OcK3OV8ImCq/vtGFQz9biPdDb9GODGCr2cGKRWABYc9Ru3IEcjgCm3HwioFBe6b7qLPhzOpU=,iv:zHiYML9QirIe9vFrlLwBIscBtCBJl6Ljc24vfK8x70M=,tag:a/oyEv/8t4y02pKS+lSkJQ==,type:str]
 sops_version=3.7.3
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
-sops_unencrypted_suffix=_unencrypted
-sops_lastmodified=2023-07-16T22:15:23Z
 sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+sops_unencrypted_suffix=_unencrypted
+sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
+sops_lastmodified=2023-07-21T18:10:54Z
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 39665ca3..bb86d90c 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -34,6 +34,7 @@ resources:
   - ../../../deploy/apps/kubevirt/
   - ../../../deploy/apps/default/
   - ../../../deploy/apps/whoogle/
+  - ../../../deploy/apps/cyberchef/
   - ../../../deploy/apps/gokapi/
   - ../../../deploy/apps/minecraft/
   - ../../../deploy/apps/sandstorm/
diff --git a/kube/deploy/apps/cyberchef/app/hr.yaml b/kube/deploy/apps/cyberchef/app/hr.yaml
new file mode 100644
index 00000000..c1dc8030
--- /dev/null
+++ b/kube/deploy/apps/cyberchef/app/hr.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app cyberchef
+  namespace: *app
+spec:
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.1
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    global:
+      fullnameOverride: *app
+    automountServiceAccountToken: false
+    controller:
+      type: deployment
+      replicas: 1
+    image:
+      repository: docker.io/mpepping/cyberchef:v10.5.2
+      tag: v10.5.2@sha256:61f336cc9d716a0bf88193325fdeaec73669dd1de8040ad34f7ac5641e9c279a
+    podLabels:
+      ingress.home.arpa/nginx: "allow"
+    env:
+      TZ: "${CONFIG_TZ}"
+    service:
+      main:
+        ports:
+          http:
+            port: 8000
+    ingress:
+      main:
+        enabled: true
+        primary: true
+        ingressClassName: nginx
+        hosts:
+          - host: &host "${APP_DNS_CYBERCHEF}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: &uid ${APP_UID_CYBERCHEF}
+      runAsGroup: *uid
+      fsGroup: *uid
+      fsGroupChangePolicy: Always
+    resources:
+      requests:
+        cpu: 10m
+        memory: 128Mi
+      limits:
+        memory: 256Mi
\ No newline at end of file
diff --git a/kube/deploy/apps/cyberchef/ks.yaml b/kube/deploy/apps/cyberchef/ks.yaml
new file mode 100644
index 00000000..655c12a1
--- /dev/null
+++ b/kube/deploy/apps/cyberchef/ks.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cyberchef-app
+  namespace: flux-system
+spec:
+  path: ./kube/deploy/apps/cyberchef/app
+  dependsOn:
+    - name: 1-core-ingress-nginx-app
\ No newline at end of file
diff --git a/kube/deploy/apps/cyberchef/kustomization.yaml b/kube/deploy/apps/cyberchef/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/cyberchef/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ns.yaml
+  - ks.yaml
diff --git a/kube/deploy/apps/cyberchef/ns.yaml b/kube/deploy/apps/cyberchef/ns.yaml
new file mode 100644
index 00000000..b5ef4ddd
--- /dev/null
+++ b/kube/deploy/apps/cyberchef/ns.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cyberchef