diff --git a/.sops.yaml b/.sops.yaml
index 368dabc6..41c4ebc2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,5 @@
 creation_rules:
- - path_regex: (k8s|kube|kubernetes)\/.*tal.*\.sops\.ya?ml
+ - path_regex: ((.local|pulumi|terraform)\/.*|(k8s|kube|kubernetes)\/.*tal.*)\.sops\.ya?ml
 input_type: yaml
 pgp: >-
 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
diff --git a/.taskfiles/truenas/Taskfile.dist.yaml b/.taskfiles/truenas/Taskfile.dist.yaml
new file mode 100644
index 00000000..e50585e4
--- /dev/null
+++ b/.taskfiles/truenas/Taskfile.dist.yaml
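Review bot: The new `.local` alternative in the added `path_regex` leaves the dot unescaped, so it is a wildcard and any single character followed by `local/` (for example `xlocal/` or `_local/`) is routed to this creation rule as well; write it as `\.local` so only the hidden directory matches. The pattern is also unanchored, so the match can start anywhere in the path — fine if nested trees are intended, otherwise prefix it with `^`. Note that the rule still only selects files ending in `.sops.ya?ml`; any other secret-bearing file under `pulumi/` or `terraform/` (state, tfvars) is not covered by it, which may or may not be intended.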
@@ -0,0 +1,32 @@
+---
+version: "3"
+
+# includes: {}
+ # k8s:
+ # internal: true
+ # taskfile: ../k8s
+ # cluster:
+ # internal: true
+ # taskfile: ../cluster
+
+# vars:
+# IP: '{{ or .IP (fail "Missing `IP` environment variable for cluster!") }}'
+
+tasks:
+ k3s-init:
+ desc: After initializing k3s in TrueNAS SCALE GUI, run this task to manage k3s outside TrueNAS.
+ vars:
+ IP: '{{ or .IP (fail "Missing `IP` environment variable for TrueNAS host IP!") }}'
+ PORT: '{{ .PORT | default "22" }}'
+ C: '{{ or .C (fail "Missing `C` environment variable for cluster!") }}'
+ cmds:
+ - |
+ ssh root@{{.IP}} -p {{.PORT}} \
+ 'iptables -D INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP;
+ iptables -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "CUSTOM: Expose k3s kube-apiserver access" -j ACCEPT;
+ cat /etc/rancher/k3s/k3s.yaml' | yq '.clusters.0.cluster.server = "https://{{.IP}}:6443" | .clusters.0.name = "{{.C}}" | .users.0.name = "{{.C}}" | .contexts.0.name = "{{.C}}" | .contexts.0.context.cluster = "{{.C}}" | .contexts.0.context.user = "{{.C}}" | .current-context = "{{.C}}"' > ~/.kube/k3s-{{.C}}.yaml
+ - cat ~/.kube/k3s-{{.C}}.yaml; printf "%s " "Press enter to continue"; read ans
+ - cp ~/.kube/config ~/.kube/config.bak || true
+ - |
+ KUBECONFIG="$HOME/.kube/config.bak:$HOME/.kube/k3s-{{.C}}.yaml" kubectl config view --flatten &&
+ KUBECONFIG="$HOME/.kube/config.bak:$HOME/.kube/k3s-{{.C}}.yaml" kubectl config view --flatten > $HOME/.kube/config
diff --git a/Taskfile.dist.yaml b/Taskfile.dist.yaml
index 0f57d9e8..0457fefc 100644
--- a/Taskfile.dist.yaml
+++ b/Taskfile.dist.yaml
@@ -26,6 +26,10 @@ includes:
 rook:
 aliases: [r]
 taskfile: .taskfiles/rook
 
+ truenas:
+ aliases: [nas]
+ taskfile: .taskfiles/truenas/Taskfile.dist.yaml
+
 tasks:
 default:
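Review bot: The `iptables -A INPUT ... --dport 6443 ... -j ACCEPT` line in `k3s-init` opens the k3s kube-apiserver to every source once the preceding `-D` removes the iX DROP rule, with no source restriction at all; add a source match such as `-s <admin-cidr>` (a task var like `IP` would fit) so only the management network can reach the API, and since `-A` appends at the end of the chain it only takes effect if no earlier rule drops the traffic — check the chain order on the host. The `cat /etc/rancher/k3s/k3s.yaml` output is the cluster-admin client certificate and key; it is written to `~/.kube/k3s-{{.C}}.yaml` and then `$HOME/.kube/config` under the default umask and printed to the terminal by the following `cat`, so start the first command block with `umask 077` (or `chmod 600` both files afterwards) and drop the echo of the credentials. The rule change is plain `iptables` over `ssh root@`, so it presumably does not survive a TrueNAS reboot or middleware rule regeneration — that caveat belongs in `desc`.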
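Review bot: The added `truenas` include points at the file `.taskfiles/truenas/Taskfile.dist.yaml`, while the neighbouring `rook` include (and presumably the others above the hunk) points at a directory; if the Task version in use resolves `Taskfile.dist.yaml` inside a directory, `taskfile: .taskfiles/truenas` keeps the include list uniform. The enclosing `includes:` mapping starts above the hunk.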
diff --git a/kube/deploy/core/storage/rook-ceph/cluster/app/netpol.yaml b/kube/deploy/core/storage/rook-ceph/cluster/app/netpol.yaml
new file mode 100644
index 00000000..2dd4e67d
--- /dev/null
+++ b/kube/deploy/core/storage/rook-ceph/cluster/app/netpol.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: rook-ceph-cluster
+ namespace: &app rook-ceph
+spec:
+ endpointSelector: {}
+ ingress:
+ # same namespace
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # hostNet Ceph cluster
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "3300"
\ No newline at end of file
diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml
index 8e7e4035..5dd81c28 100644
--- a/kube/templates/test/app/hr.yaml
+++ b/kube/templates/test/app/hr.yaml
@@ -18,9 +18,9 @@ spec:
 fullnameOverride: *app
 automountServiceAccountToken: false
 controller:
- type: statefulset
- # type: deployment
- # replicas: 1
+ # type: statefulset
+ type: deployment
+ replicas: 1
 image:
 repository: docker.io/${APPNAME}/server
 tag: latest@sha256:c10a2938d3a8c15169a3ed2f6d08d25430d22cef3d5749d57ab3a9052d60354c
diff --git a/kube/templates/test/ks.yaml b/kube/templates/test/ks.yaml
index d3f02000..d5241722 100644
--- a/kube/templates/test/ks.yaml
+++ b/kube/templates/test/ks.yaml
@@ -9,9 +9,4 @@ spec:
 dependsOn:
 - name: 1-core-storage-rook-ceph-cluster
 - name: 1-core-ingress-nginx-app
- #- name: 1-core-storage-volsync-app
- healthChecks:
- - name: ${APPNAME}
- namespace: ${APPNAME}
- kind: HelmRelease
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ #- name: 1-core-storage-volsync-app
\ No newline at end of file
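Review bot: The `egress` section of the new CiliumNetworkPolicy is a closed allow-list — same-namespace endpoints, plus `host`/`remote-node` on port `3300` only — so it presumably cuts every non-hostNetwork pod in `rook-ceph` (at least the operator) off from the kube-apiserver and from cluster DNS, neither of which either rule covers; unless another policy in the namespace supplies them, reconciliation will stall. Add an egress rule to the `kube-apiserver` entity and one to the DNS endpoints, as sketched below. `3300` is only the mon msgr2 port, so any pod here that also talks to OSDs/mgr (6800–7300) or msgr1 (`6789`) would be blocked as well — confirm against the cluster's actual ports before widening. The file is also committed without a trailing newline.
```yaml
  egress:
    # … unchanged: same-namespace toEndpoints rule …
    # kube-apiserver (operator etc.); on Cilium versions without this entity use host/remote-node on 6443
    - toEntities:
        - kube-apiserver
    # cluster DNS — adjust the labels to this cluster's DNS deployment
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
    # … unchanged: hostNet Ceph cluster rule (consider "6789" and the OSD/mgr range too) …
```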
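Review bot: Dropping the `healthChecks` block means this Kustomization reports Ready as soon as the HelmRelease object is applied rather than when the release reconciles, so anything that `dependsOn` it proceeds earlier — unless `wait: true` is set above the hunk (not visible here), in which case Flux ignores `healthChecks` anyway and removing the stale `v2beta1` reference is the cleaner choice. If `wait` is not set, keep a health check but point it at the apiVersion the cluster's Flux version serves, e.g. `apiVersion: helm.toolkit.fluxcd.io/v2`. The re-added `#- name: 1-core-storage-volsync-app` line is also missing its trailing newline.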