diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index c37a64e8..48eb01d3 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -118,6 +118,7 @@ resources:
 - ../../../deploy/apps/ocis/
 - ../../../deploy/apps/navidrome/
 - ../../../deploy/apps/goatcounter/
+ - ../../../deploy/apps/ollama/
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
 - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/ollama/app/es.yaml b/kube/deploy/apps/ollama/app/es.yaml
new file mode 100644
index 00000000..f6167541
--- /dev/null
+++ b/kube/deploy/apps/ollama/app/es.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name ollama-secrets
+ namespace: ollama
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "ollama - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
diff --git a/kube/deploy/apps/ollama/app/hr.yaml b/kube/deploy/apps/ollama/app/hr.yaml
new file mode 100644
index 00000000..0d158c5c
--- /dev/null
+++ b/kube/deploy/apps/ollama/app/hr.yaml
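Review bot: Nothing in this commit reads the `ollama-secrets` Secret this ExternalSecret produces — the HelmRelease in the same change has no `envFrom` and no secret volume — so the whole 1Password item `ollama - ${CLUSTER_NAME}` is materialized into the `ollama` namespace with no consumer. Either wire it into the container (`envFrom: [{ secretRef: { name: ollama-secrets } }]` under `containers.main`) or leave the ExternalSecret out until something needs it; an unread Secret is only extra exposure to anything with read access to the namespace. Note also that with `deletionPolicy: Retain` the Secret will outlive the ExternalSecret if this file is later removed, so it will need manual cleanup at that point.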
@@ -0,0 +1,103 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app ollama
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.6.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: allow
+ egress.home.arpa/internet: allow
+ containers:
+ main:
+ image: &img
+ repository: docker.io/ollama/ollama
+ tag: 0.1.32@sha256:c5018bf71b27a38f50da37d86fa0067105eea488cdcc258ace6d222dde632f75
+ env:
+ TZ: "${CONFIG_TZ}"
+ OLLAMA_MODELS: &pvc /data
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "4Gi"
+ limits:
+ cpu: "3000m"
+ memory: "8Gi"
+ service:
+ main:
+ ports:
+ http:
+ port: 11434
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ className: nginx-internal
+ hosts:
+ - host: &host "${APP_DNS_OLLAMA}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ config:
+ enabled: true
+ existingClaim: ollama-data
+ globalMounts:
+ - subPath: data
+ path: *pvc
+ tmp:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - subPath: tmp
+ path: /tmp
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_OLLAMA}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: fuckoff.home.arpa/ollama
+ operator: DoesNotExist
diff --git a/kube/deploy/apps/ollama/app/pvc.yaml b/kube/deploy/apps/ollama/app/pvc.yaml
new file mode 100644
index 00000000..2605c782
--- /dev/null
+++ b/kube/deploy/apps/ollama/app/pvc.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: "ollama-data"
+ labels:
+ snapshot.home.arpa/enabled: "true"
+ kustomize.toolkit.fluxcd.io/prune: "Disabled"
+spec:
+ storageClassName: "file"
+ accessModes: ["ReadWriteMany"]
+ resources:
+ requests:
+ storage: "100Gi"
diff --git a/kube/deploy/apps/ollama/ks.yaml b/kube/deploy/apps/ollama/ks.yaml
new file mode 100644
index 00000000..86d225de
--- /dev/null
+++ b/kube/deploy/apps/ollama/ks.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: ollama-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "ollama"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/ollama/app
+ targetNamespace: "ollama"
+ dependsOn: []
diff --git a/kube/deploy/apps/ollama/kustomization.yaml b/kube/deploy/apps/ollama/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/ollama/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/ollama/ns.yaml b/kube/deploy/apps/ollama/ns.yaml
new file mode 100644
index 00000000..ba504acd
--- /dev/null
+++ b/kube/deploy/apps/ollama/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ollama
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
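Review bot: The `ingress.main` block publishes the ollama API on `${APP_DNS_OLLAMA}` through `nginx-internal` with nothing authenticating the caller, and ollama itself (to my knowledge) has no auth of its own — its HTTP API lets any client pull, create and delete models, so together with the `egress.home.arpa/internet: allow` label and the 100Gi claim, anyone who can reach the internal ingress can make the pod fetch arbitrary blobs from the internet and fill the volume. Put the cluster's existing auth in front of it (an `nginx.ingress.kubernetes.io/auth-url` / `auth-signin` annotation pair on `ingress.main`), or at least restrict it with `nginx.ingress.kubernetes.io/whitelist-source-range`, or drop the ingress and let in-cluster clients use the Service. The pod hardening itself matches the namespace's `restricted` PSS level, which is good; as a style nit, the `&img`, `&sc` and `&paths` anchors are never aliased in this file and can be removed.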
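Review bot: The prune label on the claim is spelled `"Disabled"` while `ns.yaml` in this same commit uses the lowercase `disabled` that the Flux documentation gives; if the kustomize-controller version in use matches the value case-sensitively, the PVC is not actually protected from garbage collection and an accidental removal of the app takes 100Gi of model data with it. Use `kustomize.toolkit.fluxcd.io/prune: disabled` here unless the controller is known to compare case-insensitively, and keep the two files consistent either way.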
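Review bot: This Flux Kustomization carries no `sourceRef`, `interval`, `prune` or `postBuild`, which are presumably patched in by the cluster-level Kustomization that includes it; a one-line comment such as `# sourceRef/interval/prune/postBuild are patched in by the cluster-level Flux Kustomization` would save the next reader from hunting for them. The app also depends on `${APP_UID_OLLAMA}`, `${APP_DNS_OLLAMA}`, `${CONFIG_TZ}` and `${CLUSTER_NAME}` being available to that `postBuild`, and nothing in this diff adds `APP_UID_OLLAMA` or `APP_DNS_OLLAMA` to a substitution source — confirm they exist, otherwise `runAsUser` renders as a literal string and the HelmRelease fails to apply. `dependsOn: []` also means nothing orders this after the external-secrets ClusterSecretStore `1p` that `es.yaml` relies on; fine if the repo leans on Flux retries, but worth an entry if sibling apps declare that dependency.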