diff --git a/kube/3-deploy/2-apps/elk/app/hr.yaml b/kube/3-deploy/2-apps/elk/app/hr.yaml
new file mode 100644
index 00000000..a615c635
--- /dev/null
+++ b/kube/3-deploy/2-apps/elk/app/hr.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app elk
+ namespace: default
+spec:
+ chart:
+ spec:
+ chart: app-template
+ version: 1.5.1
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ global:
+ fullnameOverride: *app
+ automountServiceAccountToken: false
+ controller:
+ type: deployment
+ replicas: 1
+ image:
+ repository: ghcr.io/elk-zone/elk
+ tag: v0.9.7@sha256:923ee71ef83026c8c0a5cb82b9c6460455e92d7a27a2af1204f8711150889d70
+ podLabels:
+ ingress.home.arpa/nginx: "allow"
+ env:
+ TZ: "${CONFIG_TZ}"
+ service:
+ main:
+ ports:
+ http:
+ port: 5314
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ ingressClassName: nginx
+ hosts:
+ - host: &host "elk.${DNS_SHORT}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ podSecurityContext:
+ runAsUser: &uid 911
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ persistence:
+ config:
+ enabled: true
+ type: pvc
+ existingClaim: elk-config
+ mountPath: /elk/data
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ limits:
+ memory: 512Mi
diff --git a/kube/3-deploy/2-apps/elk/app/pvc.yaml b/kube/3-deploy/2-apps/elk/app/pvc.yaml
new file mode 100644
index 00000000..16f5b79f
--- /dev/null
+++ b/kube/3-deploy/2-apps/elk/app/pvc.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: elk-config
+ namespace: default
+ labels:
+ app.kubernetes.io/name: &app elk
+ app.kubernetes.io/instance: *app
+ snapshot.home.arpa/enabled: "true"
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: file
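Review bot: In hr.yaml the `podSecurityContext` block pins UID/GID 911, but nothing in the values keeps the container from gaining privileges: there is no `runAsNonRoot`, no seccomp profile and no container-level `securityContext`. For a workload that is published through the nginx ingress I would add those defaults next to the existing block, as sketched below (indentation to match the file). `readOnlyRootFilesystem: true` is worth trying as well, but whether the image writes outside `/elk/data` is not visible in this diff. The top-level `securityContext` key is, as far as I know, the chart's container-level value; confirm it against app-template 1.5.1.

```yaml
    podSecurityContext:
      # … unchanged: runAsUser, runAsGroup, fsGroup, fsGroupChangePolicy …
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
```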
diff --git a/kube/3-deploy/2-apps/elk/app/volsync.yaml b/kube/3-deploy/2-apps/elk/app/volsync.yaml
new file mode 100644
index 00000000..93352424
--- /dev/null
+++ b/kube/3-deploy/2-apps/elk/app/volsync.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: elk-restic
+ namespace: default
+type: Opaque
+stringData:
+ RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/elk
+ RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD}
+ AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID}
+ AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: elk-restic
+ namespace: default
+spec:
+ sourcePVC: elk-config
+ trigger:
+ schedule: "0 6 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 14
+ repository: elk-restic
+ cacheCapacity: 1Gi
+ volumeSnapshotClassName: file
+ storageClassName: file
+ moverSecurityContext:
+ runAsUser: &uid 911
+ runAsGroup: *uid
+ fsGroup: *uid
+ retain:
+ daily: 14
+ within: 7d
diff --git a/kube/3-deploy/2-apps/elk/ks.yaml b/kube/3-deploy/2-apps/elk/ks.yaml
new file mode 100644
index 00000000..c307bc3e
--- /dev/null
+++ b/kube/3-deploy/2-apps/elk/ks.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: elk-app
+ namespace: flux-system
+ labels:
+ wait.flux.home.arpa/disabled: "true"
+spec:
+ path: ./kube/3-deploy/2-apps/elk/app
+ dependsOn:
+ - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
+ - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
+ - name: ${CLUSTER_NAME_LOWER}-2-apps-volsync
diff --git a/kube/3-deploy/2-apps/elk/kustomization.yaml b/kube/3-deploy/2-apps/elk/kustomization.yaml
new file mode 100644
index 00000000..70a77029
--- /dev/null
+++ b/kube/3-deploy/2-apps/elk/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ks.yaml
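Review bot: In volsync.yaml the four `stringData` values of the `elk-restic` Secret are unquoted `${...}` placeholders, unlike `TZ: "${CONFIG_TZ}"` in hr.yaml. If the substitution is applied to the text before it is parsed as YAML, which is how Flux post-build substitution appears to work, a credential that is all digits, looks like a boolean, or contains ` #` or `: ` is retyped or cut short. Since `stringData` accepts only strings, the Secret then either fails to apply or carries a wrong value. Quote each one, e.g. `RESTIC_PASSWORD: "${SECRET_VOLSYNC_PASSWORD}"` and `RESTIC_REPOSITORY: "${SECRET_VOLSYNC_R2_REPO}/elk"`, and likewise `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.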
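Review bot: In ks.yaml the `spec` carries only `path` and `dependsOn`; `interval`, `prune` and `sourceRef`, which the Flux Kustomization API requires, are absent. Nothing here declares the post-build substitution either, although the `${SECRET_VOLSYNC_*}` and `${DNS_SHORT}` placeholders in the app manifests depend on it. Presumably a cluster-level patch injects both, but that is not visible in this commit. A comment above `spec:` such as `# interval, prune, sourceRef and postBuild are injected by <path to the cluster-level patch>` would show the next reader where the secret source for this app is controlled.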
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 5dd95202..95c142cd 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 # - flux-repo.yaml
 - ../../../3-deploy/2-apps/atuin/
 - ../../../3-deploy/2-apps/miniflux/
+ - ../../../3-deploy/2-apps/elk/
 # - ceph-rgw-ext-users.yaml
 # - ../../../3-deploy/1-core/05-ingress/cloudflare/
 # - ../../../3-deploy/1-core/05-ingress/external-proxy-x/