diff --git a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml
index 7e70d633..ce96d050 100644
--- a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml
+++ b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml
@@ -22,8 +22,8 @@ sops:
 UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
 k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-21T00:19:20Z"
- mac: ENC[AES256_GCM,data:ou1EgST3yzaxe8vLLarKeeNgqeyXKivQMlLCzzcQVzYDAXca0RskpEPMfon6UPH3yiOo3P4r3lLjscsdvwAYkW1OpKokTEE7ZSyNDSuZmH+OU1DVaBG8SDO8y80mu8cWJrdjwbUC74+XfLSgGwgwwJzUHPKM2juzTYzxFzZdhVE=,iv:nOnLAFeJGnA1qS1MMOVM+1yU8tvo6xd2YsZBvRthWOU=,tag:2RyULufB+s/23CrVKZrSPw==,type:str]
+ lastmodified: "2023-04-24T23:17:14Z"
+ mac: ENC[AES256_GCM,data:KpAhbri6kN/jJJi83ZszUgMBMfowUB7cplsOpE8WnwZQV59I0o3frQefQACTF8GD0hnXxiHx4mXDd7gYoa4aRvSkyci7JNifrPRi5ueQtLxD/hShHgFqguMhl8adWmnReX8IO7h2qGpVRYbduFcjULnkuSMrduUEF2AQongIAxY=,iv:3Zk7t4NJO/sKCm8GLGutF3SmrtVgRs+Z8h2ecUl4Qdo=,tag:BpWk6LW3JJVpmup0m+bHyg==,type:str]
 pgp:
 - created_at: "2023-02-26T18:12:43Z"
 enc: |
@@ -61,8 +61,8 @@ sops:
 UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
 k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-21T00:19:20Z"
- mac: ENC[AES256_GCM,data:ou1EgST3yzaxe8vLLarKeeNgqeyXKivQMlLCzzcQVzYDAXca0RskpEPMfon6UPH3yiOo3P4r3lLjscsdvwAYkW1OpKokTEE7ZSyNDSuZmH+OU1DVaBG8SDO8y80mu8cWJrdjwbUC74+XfLSgGwgwwJzUHPKM2juzTYzxFzZdhVE=,iv:nOnLAFeJGnA1qS1MMOVM+1yU8tvo6xd2YsZBvRthWOU=,tag:2RyULufB+s/23CrVKZrSPw==,type:str]
+ lastmodified: "2023-04-24T23:17:14Z"
+ mac: ENC[AES256_GCM,data:KpAhbri6kN/jJJi83ZszUgMBMfowUB7cplsOpE8WnwZQV59I0o3frQefQACTF8GD0hnXxiHx4mXDd7gYoa4aRvSkyci7JNifrPRi5ueQtLxD/hShHgFqguMhl8adWmnReX8IO7h2qGpVRYbduFcjULnkuSMrduUEF2AQongIAxY=,iv:3Zk7t4NJO/sKCm8GLGutF3SmrtVgRs+Z8h2ecUl4Qdo=,tag:BpWk6LW3JJVpmup0m+bHyg==,type:str]
 pgp:
 - created_at: "2023-02-26T18:12:43Z"
 enc: |
@@ -88,6 +88,8 @@ stringData:
 SECRET_SANDSTORM_ADMIN_PASSWORD: ENC[AES256_GCM,data:iYMzuIT3l8Na9R+ivzw/,iv:aSz/PDfnf5NjprFP0F/8MSCHbSNvW1jPKGO3OXM63wE=,tag:TXpMceEeEQMDpSpSwkihTA==,type:str]
 CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:/1LlGIvbc3FbsOQ6AJV5/BWoHGmijg==,iv:xmSF9Pbx4cc5iAe1kkmcEzggKOdzoQLTp1d5DkIfyTM=,tag:4LyeHbV+nThNfhwAf1fyxg==,type:str]
 CLOUDFLARE_API_KEY: ENC[AES256_GCM,data:IjhX7PRvlOrAZHhld4eUTnk0U6e+26ddBvDAzskqal68OKDhnYNGcQ==,iv:Jh+AZONqsY3nlpdG+mgwQNkHFTB38DOPCUhMZVHNIqI=,tag:PWRooXwDuDWZ8/oRfxKslA==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:yPjiPwCwax7XEipMsVxMAYqc9zAX1mmXgvGsBjuxGc0/mj5R,iv:66hgExptGr8MFGErctzTx1apJbVaXqF4HD/SSSifc0k=,tag:l36AHL7VDK1MC6rbxa0LFA==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_CREDS: ENC[AES256_GCM,data:2CKmTAuYGngYVQ7bwwbPOYqSfGc8hFWWrHdnSeq6iIM0Kp/TALhcLSpuSICp8K75kEBapLzC2K6qhJeDPqGBaMORVSYOTSnlvohv14G7AS7Z4R2ehv2xVFoB5wswRJjmh5lrHmNxFfeY4IXINcb8KK/Lmv80P4BEzyxO0cL1KlKZ7gGCcaxQQzkdHMUszdrWUhJ992wGyJnJhAsV50g0Umc=,iv:hpmfzax4tMf+9NLFHfRJSFumN6TdfjTtmqd2tI+pN7o=,tag:bAQeLqQj1cj/389Rp7cnqg==,type:str]
 SECRET_AUTHENTIK_REMOTE_TOKEN: ENC[AES256_GCM,data:JJ/1cOCyXy87098S5TEEjh07t2oKRQ3iKdV5gFZYE5ijR50SYu0GuBT5282MLtDA8lfi0m1hdkJ1pWAB,iv:CdQCBYDRW/sosDoDu10LD2Hrsc6MPQ/upl+A2R0MuRY=,tag:+0e0w06ze085EMzuuErDzA==,type:str]
 SECRET_AUTHENTIK_OIDC_URL_AUTHZ: ENC[AES256_GCM,data:RqG5PYN05DAMaAYRY/iIjX5cxhfDxXuIfAMxW3Q/BIYQJeyPNWQpstDs0cCh8nn6YKItWw==,iv:UpbF3TfOV7hn2cvo0eGOnctZ9Imta/g4MW+qp0gqpa4=,tag:2ICHiYgi6RH3IW4f9MBNcg==,type:str]
 SECRET_AUTHENTIK_OIDC_URL_TOKEN: ENC[AES256_GCM,data:OWNANfS4KqphsIC0/o+Ax+7qn6E4B5J/a2JTdkGJdjr0N8bXznC5pq2NSHR7y9bR,iv:dKxvZSau2RnEMsyByGC9a47Ajzvs6cfSZpk3xOG4s6c=,tag:GEKvIA9rfoqgQPFL1H1qgA==,type:str]
@@ -117,8 +119,8 @@ sops:
 UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
 k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-21T00:19:20Z"
- mac: ENC[AES256_GCM,data:ou1EgST3yzaxe8vLLarKeeNgqeyXKivQMlLCzzcQVzYDAXca0RskpEPMfon6UPH3yiOo3P4r3lLjscsdvwAYkW1OpKokTEE7ZSyNDSuZmH+OU1DVaBG8SDO8y80mu8cWJrdjwbUC74+XfLSgGwgwwJzUHPKM2juzTYzxFzZdhVE=,iv:nOnLAFeJGnA1qS1MMOVM+1yU8tvo6xd2YsZBvRthWOU=,tag:2RyULufB+s/23CrVKZrSPw==,type:str]
+ lastmodified: "2023-04-24T23:17:14Z"
+ mac: ENC[AES256_GCM,data:KpAhbri6kN/jJJi83ZszUgMBMfowUB7cplsOpE8WnwZQV59I0o3frQefQACTF8GD0hnXxiHx4mXDd7gYoa4aRvSkyci7JNifrPRi5ueQtLxD/hShHgFqguMhl8adWmnReX8IO7h2qGpVRYbduFcjULnkuSMrduUEF2AQongIAxY=,iv:3Zk7t4NJO/sKCm8GLGutF3SmrtVgRs+Z8h2ecUl4Qdo=,tag:BpWk6LW3JJVpmup0m+bHyg==,type:str]
 pgp:
 - created_at: "2023-02-26T18:12:43Z"
 enc: |
diff --git a/kube/1-clusters/Biohazard/2-config/kustomization.yaml b/kube/1-clusters/Biohazard/2-config/kustomization.yaml
index f59bd2fd..d53472e8 100644
--- a/kube/1-clusters/Biohazard/2-config/kustomization.yaml
+++ b/kube/1-clusters/Biohazard/2-config/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - 4-vars.yaml
 - 5-deploy.yaml
 - ceph-rgw-ext-users.yaml
+ - ../../../3-deploy/1-core/05-ingress/cloudflare/
 - ../../../3-deploy/1-core/06-monitoring/1-deps/
 - ../../../3-deploy/1-core/06-monitoring/node-exporter/
 - ../../../3-deploy/2-apps/default/
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/deps/namespace.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/deps/namespace.yaml
new file mode 100644
index 00000000..bd529999
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/deps/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cloudflare
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml
new file mode 100644
index 00000000..ee3a54bd
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: cloudflare-deps
+ namespace: flux-system
+spec:
+ path: ./kube/3-deploy/2-apps/cloudflare/deps
+ dependsOn: []
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: cloudflare-tunnel
+ namespace: flux-system
+spec:
+ path: ./kube/3-deploy/2-apps/cloudflare/tunnel
+ dependsOn:
+ - name: cloudflare-deps
+ healthChecks:
+ - name: cloudflared
+ namespace: cloudflare
+ kind: HelmRelease
+ apiVersion: helm.toolkit.fluxcd.io/v2beta1
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/kustomization.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/kustomization.yaml
new file mode 100644
index 00000000..70a77029
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ks.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
new file mode 100644
index 00000000..565d4730
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
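Review bot: Both Flux Kustomizations point `spec.path` at `./kube/3-deploy/2-apps/cloudflare/deps` and `./kube/3-deploy/2-apps/cloudflare/tunnel`, but the `deps/` and `tunnel/` directories added in this commit live under `kube/3-deploy/1-core/05-ingress/cloudflare/`, which is also the path the cluster kustomization references. Unless a copy exists under `2-apps` (not visible here), both reconciliations will fail with a path-not-found error; the fix is `path: ./kube/3-deploy/1-core/05-ingress/cloudflare/deps` and `path: ./kube/3-deploy/1-core/05-ingress/cloudflare/tunnel`. Neither object sets `sourceRef`, `interval`, `prune` or the `postBuild.substituteFrom` that `${SECRET_CLOUDFLARE_TUNNEL_ID}`, `${SECRET_CLOUDFLARE_TUNNEL_CREDS}` and `${DNS_*}` in the tunnel manifests depend on; if a cluster-level patch injects them, a comment such as `# sourceRef/interval/postBuild are patched in by the cluster kustomization` would spare the next reader the search, otherwise `sourceRef` and `interval` are required fields and the objects will be rejected.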
@@ -0,0 +1,60 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cloudflared
+ namespace: cloudflare
+spec:
+ chart:
+ spec:
+ chart: app-template
+ version: 1.4.0
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ values:
+ controller:
+ type: daemonset
+ image:
+ repository: cloudflare/cloudflared
+ tag: 2023.4.2
+ args: ['tunnel', '--config', '/etc/cloudflared/config.yaml', 'run']
+ service:
+ main:
+ enabled: false
+ persistence:
+ config:
+ enabled: true
+ type: configMap
+ name: cloudflared-config
+ mountPath: /etc/cloudflared/config.yaml
+ subPath: config.yaml
+ readOnly: true
+ credentials:
+ enabled: true
+ type: secret
+ name: cloudflared-credentials
+ mountPath: /etc/cloudflared/credentials.json
+ subPath: credentials.json
+ readOnly: true
+ configMaps:
+ config:
+ enabled: true
+ data:
+ config.yaml: |
+ tunnel: "${SECRET_CLOUDFLARE_TUNNEL_ID}"
+ credentials-file: /etc/cloudflared/credentials.json
+ no-autoupdate: true
+ ingress:
+ - hostname: "cftest.${DNS_SHORT}"
+ service: hello_world
+ - hostname: "home.${DNS_SHORT}"
+ service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
+ originRequest:
+ originServerName: "https://ingress.${DNS_SHORT}"
+ - hostname: "home-cluster.${DNS_MAIN}"
+ service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
+ originRequest:
+ originServerName: "https://ingress.${DNS_MAIN}"
+ - service: http_status:200
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/secret.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/secret.yaml
new file mode 100644
index 00000000..5f802310
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/secret.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflared-credentials
+ namespace: cloudflare
+stringData:
+ credentials.json: |-
+ ${SECRET_CLOUDFLARE_TUNNEL_CREDS}
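Review bot: `originServerName` on the `home.${DNS_SHORT}` and `home-cluster.${DNS_MAIN}` ingress rules is written as a URL (`"https://ingress.${DNS_SHORT}"`), but cloudflared uses this value as the SNI name and as the hostname it validates the origin certificate against, so it must be a bare hostname; with the scheme included the TLS handshake to ingress-nginx will fail certificate validation, and the tempting workaround (`noTLSVerify: true`) would remove origin authentication entirely. Change both to `originServerName: "ingress.${DNS_SHORT}"` and `originServerName: "ingress.${DNS_MAIN}"`. The catch-all `- service: http_status:200` answers any hostname pointed at this tunnel with a success status; `http_status:404` is the conventional fallback and makes a misrouted or unexpected hostname visible instead of appearing healthy. The `cftest.${DNS_SHORT}` → `hello_world` rule exposes cloudflared's built-in test page publicly; if it is meant to stay, a comment such as `# smoke-test route; serves cloudflared's built-in hello page, remove once verified` would record that intent.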
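Review bot: `credentials.json: |-` is populated by post-build substitution of `${SECRET_CLOUDFLARE_TUNNEL_CREDS}`, and as far as I recall Flux substitutes on the rendered YAML text, so if the encrypted value is pretty-printed multi-line JSON only its first line will land inside the block scalar and the Secret will fail to parse; keep the stored value as a single-line JSON document, or note that requirement next to the key in 3-secrets.yaml. Once rendered this file holds the tunnel's long-lived credentials (typically account tag, tunnel ID and tunnel secret) in plaintext, so a header comment such as `# Rendered from the SOPS-encrypted cluster secret via postBuild substitution; never commit a literal value here` would make the intent clear to anyone editing it later.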