diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml
index ab519024..c995bdd1 100644
--- a/kubernetes/apps/security/kustomization.yaml
+++ b/kubernetes/apps/security/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
   - ./namespace.yaml
   # Flux-Kustomizations
   - ./external-secrets/ks.yaml
+  - ./vault/ks.yaml
diff --git a/kubernetes/apps/security/vault/app/helmrelease.yaml b/kubernetes/apps/security/vault/app/helmrelease.yaml
new file mode 100644
index 00000000..f086f85b
--- /dev/null
+++ b/kubernetes/apps/security/vault/app/helmrelease.yaml
@@ -0,0 +1,119 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: vault
+      version: 0.28.1
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    server:
+      image:
+        repository: "hashicorp/vault"
+        tag: "1.17.2"
+      logLevel: "info"
+      logFormat: "json"
+      ingress:
+        enabled: true
+        ingressClassName: internal-nginx
+        hosts:
+          - host: &host "{{ .Release.Name }}.jahanson.tech"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - *host
+      service:
+        type: "ClusterIP"
+        port: &internalPort 8200
+        targetPort: &port 80
+      # off until it's online for the first time
+      readinessProbe:
+        enabled: true
+        # If you need to use a http path instead of the default exec
+        # path: /v1/sys/health?standbyok=true
+        # Port number on which readinessProbe will be checked.
+        port: *port
+      # These are defaults but explicitly set here for clarity.
+      dataStorage:
+        size: 10Gi
+        mountPath: /vault/data
+        storageClass: ceph-block
+      auditStorage:
+        enabled: true
+        size: 10Gi
+        mountPath: /vault/audit
+        storageClass: ceph-block
+      # We want high availability. If standalone is true it sets the storage backend to file
+      # and the max replicas can only be 1.
+      standalone:
+        enabled: false
+      ha:
+        enabled: true
+        # maxUnavailable will default to (n/2)-1 where n is the number of replicas
+        # so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
+        replicas: 6
+        clusterAddr: "http://vault.security.svc.cluster.local:8201"
+        config: ""
+        raft:
+          enabled: true
+          config: |
+            ui = true
+
+            listener "tcp" {
+              tls_disable = 1
+              address = "[::]:8200"
+              cluster_address = "[::]:8201"
+              # For prometheus!
+              telemetry {
+                unauthenticated_metrics_access = "true"
+              }
+            }
+
+            storage "raft" {
+              path = "/vault/data"
+            }
+
+            service_registration "kubernetes" {}
+      statefulSet:
+        securityContext:
+          pod:
+            runAsUser: 568
+            runAsGroup: 568
+            runAsNonRoot: true
+            fsGroup: 568
+            fsGroupChangePolicy: OnRootMismatch
+            supplementalGroups: [10000]
+          container:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - "ALL"
+    ui:
+      enabled: true
+      publishNotReadyAddresses: true
+      # The service should only contain selectors for active Vault pod
+      activeVaultPodOnly: true
+      serviceType: "LoadBalancer"
+      externalPort: *internalPort
+      targetPort: *port
diff --git a/kubernetes/apps/security/vault/app/kustomization.yaml b/kubernetes/apps/security/vault/app/kustomization.yaml
new file mode 100644
index 00000000..5a7bd4d8
--- /dev/null
+++ b/kubernetes/apps/security/vault/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+resources:
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/security/vault/ks.yaml b/kubernetes/apps/security/vault/ks.yaml
new file mode 100644
index 00000000..b90bd612
--- /dev/null
+++ b/kubernetes/apps/security/vault/ks.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vault
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: "./kubernetes/apps/security/vault/app"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false
+  dependsOn:
+    - name: rook-ceph-cluster
diff --git a/kubernetes/flux/repositories/helm/hashicorp.yaml b/kubernetes/flux/repositories/helm/hashicorp.yaml
new file mode 100644
index 00000000..87cf61d4
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/hashicorp.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hashicorp
+  namespace: flux-system
+spec:
+  interval: 30m
+  timeout: 3m
+  url: https://helm.releases.hashicorp.com
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index 9ad30f04..4ae9c285 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -3,36 +3,37 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - angelnu.yaml
- - authentik.yaml
- - backube.yaml
- - bjw-s.yaml
- - cilium.yaml
- - coredns.yaml
- - crowdsec.yaml
- - crunchydata.yaml
- - democratic-csi.yaml
- - descheduler.yaml
- - dragonflydb.yaml
- - elastic.yaml
- - emqx.yaml
- - external-secrets.yaml
- - fairwinds.yaml
- - grafana.yaml
- - hetzner.yaml
- - ingress-nginx.yaml
- - intel.yaml
- - jetstack.yaml
- - kubernetes-sigs-external-dns.yaml
- - kubernetes-sigs-metrics-server.yaml
- - kubernetes-sigs-nfd.yaml
- - kyverno.yaml
- - nvidia.yaml
- - openebs.yaml
- - piraeus.yaml
- - postfinance.yaml
- - prometheus-community.yaml
- - rook-ceph.yaml
- - spegel-org.yaml
- - stakater.yaml
- - stevehipwell.yaml
+  - angelnu.yaml
+  - authentik.yaml
+  - backube.yaml
+  - bjw-s.yaml
+  - cilium.yaml
+  - coredns.yaml
+  - crowdsec.yaml
+  - crunchydata.yaml
+  - democratic-csi.yaml
+  - descheduler.yaml
+  - dragonflydb.yaml
+  - elastic.yaml
+  - emqx.yaml
+  - external-secrets.yaml
+  - fairwinds.yaml
+  - grafana.yaml
+  - hashicorp.yaml
+  - hetzner.yaml
+  - ingress-nginx.yaml
+  - intel.yaml
+  - jetstack.yaml
+  - kubernetes-sigs-external-dns.yaml
+  - kubernetes-sigs-metrics-server.yaml
+  - kubernetes-sigs-nfd.yaml
+  - kyverno.yaml
+  - nvidia.yaml
+  - openebs.yaml
+  - piraeus.yaml
+  - postfinance.yaml
+  - prometheus-community.yaml
+  - rook-ceph.yaml
+  - spegel-org.yaml
+  - stakater.yaml
+  - stevehipwell.yaml