diff --git a/k8s/apps/rustdesk/app.yaml b/k8s/apps/rustdesk/app.yaml
new file mode 100644
index 0000000..d6ccd52
--- /dev/null
+++ b/k8s/apps/rustdesk/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: rustdesk
+ namespace: argocd
+spec:
+ project: apps
+ destination:
+ namespace: rustdesk
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/apps/rustdesk
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/k8s/apps/rustdesk/external-secrets.yaml b/k8s/apps/rustdesk/external-secrets.yaml
new file mode 100644
index 0000000..b60ed59
--- /dev/null
+++ b/k8s/apps/rustdesk/external-secrets.yaml
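Review bot: In app.yaml, this Application is also listed under `resources` in kustomization.yaml while its `source.path` is that same directory, so the app renders and applies its own Application object into the `argocd` namespace. For that to sync, the `apps` AppProject (not visible in this commit) has to permit Application resources in `argocd`, and combined with `targetRevision: HEAD` and `prune: true` that makes push access to the repo's default branch equivalent to Argo CD admin. If self-management is intended, record it in the file, e.g. `# self-managed via kustomization.yaml; push access to this repo is effectively Argo CD admin`; otherwise drop `app.yaml` from `resources` and apply it from a parent app.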
@@ -0,0 +1,66 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgres-creds
+spec:
+ target:
+ name: postgres-creds
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ psql_user: paperless
+ psql_pass: |-
+ {{ .psql_pass }}
+ oauth_config: |-
+ {
+ "openid_connect": {
+ "APPS": [
+ {
+ "provider_id": "authentik",
+ "name": "Authentik",
+ "client_id": "{{ .oauth_id }}",
+ "secret": "{{ .oauth_secret }}",
+ "settings": {
+ "server_url": "{{ .server_url }}"
+ }
+ }
+ ],
+ "OAUTH_PKCE_ENABLED": "True"
+ }
+ }
+ data:
+ - secretKey: psql_pass
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[5].value
+ - secretKey: oauth_id
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+ property: fields[0].value
+ - secretKey: oauth_secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+ property: fields[1].value
+ - secretKey: server_url
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+ property: fields[2].value
+
diff --git a/k8s/apps/rustdesk/kustomization.yaml b/k8s/apps/rustdesk/kustomization.yaml
new file mode 100644
index 0000000..d222188
--- /dev/null
+++ b/k8s/apps/rustdesk/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ #- external-secrets.yaml
+
+helmCharts:
+ - name: rustdesk-server-oss
+ repo: https://schich.tel/helm-charts
+ version: 0.2.2
+ releaseName: rustdesk
+ namespace: rustdesk
+ valuesFile: values.yaml
+ includeCRDs: true
+
diff --git a/k8s/apps/rustdesk/values.yaml b/k8s/apps/rustdesk/values.yaml
new file mode 100644
index 0000000..67ac663
--- /dev/null
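Review bot: In external-secrets.yaml the template looks carried over from another app: `psql_user: paperless` and the Authentik `oauth_config` JSON are rendered into `postgres-creds`, yet nothing in this commit consumes that Secret and kustomization.yaml keeps the file commented out. If it is meant to go live, the three OAuth values are interpolated raw inside JSON string literals, so a quote or backslash in a stored value breaks the document; rendering them as `"secret": {{ .oauth_secret | toJson }}` (likewise for `client_id` and `server_url`) avoids that. The positional lookups such as `property: fields[5].value` depend on the field order of the vault item, so reordering fields there would silently map a different value into `psql_pass`; a comment naming the expected field beside each index would make that reviewable.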
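Review bot: The `helmCharts` entry in kustomization.yaml fetches `rustdesk-server-oss` from `https://schich.tel/helm-charts` at render time, pinned only by `version: 0.2.2`, with no digest or signature check visible, so whatever that repo serves under 0.2.2 is rendered into the cluster, CRDs included (`includeCRDs: true`). Consider vendoring the chart (or its rendered output) into this repo or mirroring it to a registry you control, and record the trust decision next to the entry, e.g. `# third-party chart, fetched at render time; pinned by version only`. The commented-out `#- external-secrets.yaml` also deserves a short note saying why it is disabled.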
+++ b/k8s/apps/rustdesk/values.yaml 
@@ -0,0 +1,87 @@
+replicaCount: 1
+
+image:
+ repository: docker.io/rustdesk/rustdesk-server
+ pullPolicy: IfNotPresent
+ tag: 1
+
+nodeSelector:
+ kubernetes.io/hostname: nas.homenet
+
+ingress:
+ enabled: true
+ className: "traefik"
+ annotations:
+ ingressClassName: traefik
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ hosts:
+ - rd.hexor.cy
+ tls:
+ - secretName: rustdesk-tls
+ hosts:
+ - rd.hexor.cy
+
+service:
+ type: ClusterIP
+ externalTrafficPolicy: Cluster
+ loadBalancerIP: null
+ enableWebClientSupport: false
+ hbbr:
+ replayPort:
+ port: 21117
+ targetPort: 21117
+ clientPort:
+ port: 21119
+ targetPort: 21119
+ hbbs:
+ natPort:
+ port: 21115
+ targetPort: 21115
+ registryPort:
+ port: 21116
+ targetPort: 21116
+ heartbeatPort:
+ port: 21116
+ targetPort: 21116
+ webPort:
+ port: 21118
+ targetPort: 21118
+
+resources:
+ hbbrResource: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ hbbsResource: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Additional volumes on the output Deployment definition.
+volume: {}
+
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+
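Review bot: `tag: 1` in values.yaml is a floating major tag and, unquoted, parses as an integer; with `pullPolicy: IfNotPresent` the image that actually runs depends on what the node pulled earlier, so the deployed relay server is neither reproducible nor refreshed when the tag moves. Pin an exact release or digest and quote it, e.g. `tag: "<exact-version>"` (placeholder, the commit does not name one). Separately, `ingressClassName: traefik` under `annotations` is an Ingress spec field rather than an annotation key and, as far as I can tell, has no effect there; `className: "traefik"` already selects the class, so that line can be dropped.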