diff --git a/kubernetes/Readme.md b/kubernetes/Readme.md
new file mode 100644
index 0000000..54595cd
--- /dev/null
+++ b/kubernetes/Readme.md
@@ -0,0 +1,23 @@
+# sources
+
+
+nix instructions:
+
+
+
+## tailscale operator
+
+```
+helm repo add tailscale https://pkgs.tailscale.com/helmcharts
+helm repo update
+helm upgrade \
+ --install \
+ tailscale-operator \
+ tailscale/tailscale-operator \
+ --namespace=tailscale \
+ --create-namespace \
+ --set-string oauth.clientId="" \
+ --set-string oauth.clientSecret="" \
+ --wait
+```
+
diff --git a/kubernetes/cloudflare-issuer/Readme.md b/kubernetes/cloudflare-issuer/Readme.md
new file mode 100644
index 0000000..08bd3d1
--- /dev/null
+++ b/kubernetes/cloudflare-issuer/Readme.md
@@ -0,0 +1,22 @@
+## Cloudflare cert manager
+
+
+```bash
+helm repo add jetstack https://charts.jetstack.io --force-update
+helm install \
+ cert-manager jetstack/cert-manager \
+ --namespace cert-manager \
+ --create-namespace \
+ --version v1.16.2 \
+ --set crds.enabled=true
+```
+
+
+
+
+```bash
+kubectl create secret generic cloudflare-api-key-secret --from-literal=api-key=
+```
+
+
+then apply `issuer.yml`1
\ No newline at end of file
diff --git a/kubernetes/cloudflare-issuer/issuer.yml b/kubernetes/cloudflare-issuer/issuer.yml
new file mode 100644
index 0000000..2227514
--- /dev/null
+++ b/kubernetes/cloudflare-issuer/issuer.yml
@@ -0,0 +1,18 @@
+# issuer.yml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: ca-issuer
+spec:
+ acme:
+ email: alexmickelson96@gmail.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: issuer-key
+ solvers:
+ - dns01:
+ cloudflare:
+ email: alexmickelson96@gmail.com
+ apiTokenSecretRef:
+ name: cloudflare-api-key-secret
+ key: api-key
\ No newline at end of file
diff --git a/kubernetes/gitea/db.yml b/kubernetes/gitea/db.yml
index 35825bd..4557699 100644
--- a/kubernetes/gitea/db.yml
+++ b/kubernetes/gitea/db.yml
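Review bot: The Issuer in issuer.yml has no `metadata.namespace`, and cert-manager resolves `apiTokenSecretRef` only in the Issuer's own namespace, so this works only when the manifest and the `cloudflare-api-key-secret` from the Readme both land in the same current-context namespace. Pin it with `namespace: <issuer-namespace>` (placeholder) under `metadata` and pass the same `--namespace` to the `kubectl create secret` command, or use a ClusterIssuer with the secret in cert-manager's namespace. The secret key is called `api-key` but is read through `apiTokenSecretRef`, which expects a scoped Cloudflare API token rather than the account-wide Global API Key; a token limited to Zone:DNS:Edit and Zone:Zone:Read on the one zone limits the damage if the secret leaks. With a token the `email` under `cloudflare` is not needed.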
@@ -2,16 +2,16 @@ apiVersion: apps/v1 kind: Deployment metadata: namespace: projects - name: gitea_db + name: gitea-db spec: replicas: 1 selector: matchLabels: - app: gitea_db + app: gitea-db template: metadata: labels: - app: gitea_db + app: gitea-db spec: containers: - name: postgres @@ -22,7 +22,7 @@ spec: - name: POSTGRES_USER value: "gitea" - name: POSTGRES_PASSWORD - value: "${POSTGRES_PASSWORD}" + value: wauiofnasufnweaiufbsdklfjb23456 - name: POSTGRES_DB value: "gitea" volumeMounts: @@ -37,15 +37,15 @@ spec: apiVersion: v1 kind: Service metadata: - name: gitea_db + name: gitea-db-svc namespace: projects labels: - app: gitea_db + app: gitea-db spec: ports: - protocol: TCP port: 5432 targetPort: 5432 selector: - app: gitea_db + app: gitea-db type: ClusterIP diff --git a/kubernetes/gitea/web.yml b/kubernetes/gitea/web.yml index a06be94..b41b928 100644 --- a/kubernetes/gitea/web.yml +++ b/kubernetes/gitea/web.yml @@ -1,17 +1,17 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: gitea_web + name: gitea-web namespace: projects spec: replicas: 1 selector: matchLabels: - app: gitea_web + app: gitea-web template: metadata: labels: - app: gitea_web + app: gitea-web spec: containers: - name: gitea @@ -27,16 +27,13 @@ spec: - name: GITEA__database__DB_TYPE value: "postgres" - name: GITEA__database__HOST - value: "postgres:5432" + value: "gitea-db-svc:5432" - name: GITEA__database__NAME value: "gitea" - name: GITEA__database__USER value: "gitea" - name: GITEA__database__PASSWD - valueFrom: - secretKeyRef: - name: gitea-db-secret - key: postgres-password + value: wauiofnasufnweaiufbsdklfjb23456 volumeMounts: - name: gitea-data mountPath: /data @@ -62,7 +59,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: gitea_web + name: gitea-web-svc namespace: projects spec: type: NodePort 
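Review bot: `POSTGRES_PASSWORD` in the second db.yml hunk now carries the database password as a plaintext literal, and the second web.yml hunk does the same for `GITEA__database__PASSWD`, replacing the `secretKeyRef` it had before, so anyone who can read the repository or the Deployment specs can read the credential. Both containers should take it from one Secret in the `projects` namespace through `valueFrom.secretKeyRef`; the removed web.yml lines already name `gitea-db-secret` and `postgres-password`, and the Secret itself should be created out of band or through an encrypted-secret workflow. Because the value is now in git history, treat it as exposed and rotate it rather than only deleting the line. The container specs continue outside both hunks.

```yaml
# db.yml, postgres container env
- name: POSTGRES_PASSWORD
  valueFrom:
    secretKeyRef:
      name: gitea-db-secret
      key: postgres-password
# … unchanged: POSTGRES_DB, volumeMounts …

# web.yml, gitea container env
- name: GITEA__database__PASSWD
  valueFrom:
    secretKeyRef:
      name: gitea-db-secret
      key: postgres-password
```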
@@ -74,4 +71,25 @@ spec: port: 22 targetPort: 22 selector: - app: gitea_web + app: gitea-web +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitea + namespace: projects +spec: + ingressClassName: tailscale + tls: + - hosts: + - gitea + rules: + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gitea-web-svc + port: + number: 3000 \ No newline at end of file diff --git a/kubernetes/k3s-install.md b/kubernetes/k3s-install.md deleted file mode 100644 index afecac2..0000000 --- a/kubernetes/k3s-install.md +++ /dev/null @@ -1,7 +0,0 @@ -# sources - - -nix instructions - - - diff --git a/nix/home-manager/desktop.home.nix b/nix/home-manager/desktop.home.nix index 6fa1ccb..2e341e6 100644 --- a/nix/home-manager/desktop.home.nix +++ b/nix/home-manager/desktop.home.nix @@ -9,6 +9,7 @@ # nerd-fonts.droid-sans-mono # fira-code (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; }) + kubernetes-helm ]; fonts.fontconfig.enable = true; dconf.enable = true;
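Review bot: The new Ingress routes tailnet traffic to `gitea-web-svc`, but the context of the preceding web.yml hunk shows that Service is still `type: NodePort`, so the ports it lists (22 is visible here, 3000 presumably as well) stay open on every node address and are not covered by tailnet ACLs. If the tailnet is meant to be the only path to the web UI, change the Service to `type: ClusterIP` and expose SSH separately and deliberately; most of the Service definition lies outside the hunk, so confirm against the full file. A one-line comment above the Ingress, such as `# tls.hosts[0] is used by the tailscale ingress class as the tailnet machine name`, would document why `gitea` appears there without a domain.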