diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 1ec198df..f759a2fb 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -103,6 +103,7 @@ resources:
 - ../../../deploy/apps/yagpdb/
 - ../../../deploy/apps/redbot/
 - ../../../deploy/apps/code-server/
+ - ../../../deploy/apps/homebox/
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
 - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/homebox/app/hr.yaml b/kube/deploy/apps/homebox/app/hr.yaml
new file mode 100644
index 00000000..4cde0b32
--- /dev/null
+++ b/kube/deploy/apps/homebox/app/hr.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app homebox
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.5.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: "allow"
+ containers:
+ main:
+ image: &img
+ repository: "ghcr.io/hay-kot/homebox"
+ tag: "v0.10.3-rootless@sha256:cc6e3b7fa40e3259cb8cac8e5d3e594eb63a68abd16c51029d59460f7fed1212"
+ env:
+ TZ: "${CONFIG_TZ}"
+ HBOX_MODE: "production"
+ HBOX_WEB_PORT: &http "7745"
+ HBOX_WEB_MAX_UPLOAD_SIZE: "100" # in MB
+ HBOX_OPTIONS_ALLOW_REGISTRATION: "${CONFIG_HOMEBOX_ALLOW_REGISTRATION}"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6000Mi"
+ service:
+ main:
+ ports:
+ http:
+ port: *http
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ className: "nginx-internal"
+ hosts:
+ - host: &host "${APP_DNS_HOMEBOX}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ config:
+ enabled: true
+ existingClaim: "homebox-data"
+ globalMounts:
+ - subPath: "data"
+ path: "/data"
+ tmp:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - subPath: "tmp"
+ path: "/tmp"
+ readOnly: false
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_HOMEBOX}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/homebox"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/apps/homebox/ks.yaml b/kube/deploy/apps/homebox/ks.yaml
new file mode 100644
index 00000000..054f7cb1
--- /dev/null
+++ b/kube/deploy/apps/homebox/ks.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: homebox-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "homebox"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/homebox/app
+ targetNamespace: "homebox"
+ dependsOn:
+ - name: homebox-pvc
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: homebox-pvc
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "homebox"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/storage/volsync/template
+ targetNamespace: "homebox"
+ dependsOn:
+ - name: 1-core-storage-volsync-app
+ - name: 1-core-storage-rook-ceph-cluster
+ postBuild:
+ substitute:
+ PVC: "homebox-data"
+ SIZE: "10Gi"
+ SC: &sc "file"
+ SNAP: *sc
+ ACCESSMODE: "ReadWriteMany"
+ RUID: !!str &uid |
+ ${APP_UID_HOMEBOX}
+ RGID: !!str |
+ ${APP_UID_HOMEBOX}
+ RFSG: !!str |
+ ${APP_UID_HOMEBOX}
diff --git a/kube/deploy/apps/homebox/kustomization.yaml b/kube/deploy/apps/homebox/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/homebox/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/homebox/ns.yaml b/kube/deploy/apps/homebox/ns.yaml
new file mode 100644
index 00000000..8b9b03b1
--- /dev/null
+++ b/kube/deploy/apps/homebox/ns.yaml
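Review bot: The memory-backed `tmp` emptyDir under `persistence` (`type: emptyDir`, `medium: Memory`) has no `sizeLimit`, so with `readOnlyRootFilesystem: true` making `/tmp` and `/data` the only writable paths, whatever the process stages under `/tmp` is bounded only by the container's `6000Mi` memory limit, and a tmpfs fill surfaces as memory pressure on the pod rather than as a disk-full error. Adding `sizeLimit: "<SIZE_PLACEHOLDER>"` next to `medium: Memory` caps that, provided the chart's emptyDir options expose the field; the 100 MB `HBOX_WEB_MAX_UPLOAD_SIZE` is a reasonable lower bound for it. Separately, the anchors `&img`, `&sc` and `&paths` are defined but never aliased anywhere in this 106-line file, while `*app`, `*http`, `*host` and `*uid` are; dropping the three dead anchors, or using `*sc` where the same container securityContext is meant to be reused, keeps the manifest greppable.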
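Review bot: The `&uid` anchor on `RUID` in the `homebox-pvc` Kustomization is never aliased; `RGID` and `RFSG` repeat the same `!!str |` block instead of `RGID: *uid` and `RFSG: *uid`, so either use the alias or drop the anchor. The `|` literal header also keeps a trailing newline in each of the three values after substitution; if the volsync template only splices `${RUID}` into a YAML scalar that is harmless, but `|-` would strip it and make the intent explicit. Because this hands `${APP_UID_HOMEBOX}` to the PVC template's `RUID`/`RGID`/`RFSG` while `app/hr.yaml` uses the same variable for `runAsUser`/`runAsGroup`/`fsGroup`, a one-line comment above `RUID` such as `# must stay equal to defaultPodOptions.securityContext in app/hr.yaml` would document the coupling that makes the `fsGroup` ownership work.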
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: homebox
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps