diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..ad48a77
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.age binary
diff --git a/.gitignore b/.gitignore
index 39350e3..55a274b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,7 @@ plan.out
 config.tf.json
 
 **/charts
+result.yaml
+
+talos/*.yaml
+!talos/*.age
\ No newline at end of file
diff --git a/gmem.ca/_headers b/gmem.ca/_headers
new file mode 100644
index 0000000..c2be4f0
--- /dev/null
+++ b/gmem.ca/_headers
@@ -0,0 +1,5 @@
+https://arch.dog/ssh
+  Content-Type: text/plain
+
+https://arch.dog/age
+  Content-Type: text/plain
\ No newline at end of file
diff --git a/gmem.ca/age b/gmem.ca/age
new file mode 100644
index 0000000..c6da752
--- /dev/null
+++ b/gmem.ca/age
@@ -0,0 +1,5 @@
+# My age recipient key. Use this to encrypt files sent to me!
+# https://github.com/FiloSottile/age
+# curl https://arch.dog/age | age -R - example.jpg > example.jpg.age
+#
+age1yubikey1qv89lazzjxeaed4jt3r9nv233as0gz8la60ghpk2dg0s9x0luz7r7w4s9ge
\ No newline at end of file
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..4dc60dd
--- /dev/null
+++ b/justfile
@@ -0,0 +1,35 @@
+alias ap := apply
+alias bh := build-helm
+alias ah := apply-helm
+
+alias ds := deploy-site
+
+build app="":
+	kustomize build kubernetes/{{app}} --enable-helm > result.yaml
+
+apply app="": (build app)
+	kubectl apply -f result.yaml
+
+build-helm name chart values:
+	helm template {{name}} {{chart}} -f {{values}} --namespace {{name}} --dry-run=server --kube-version=1.30 > result.yaml
+
+apply-helm name chart values: (build-helm name chart values)
+	kubectl apply -f result.yaml -n {{name}}
+
+deploy-site branch="main":
+	npx wrangler pages deploy gmem.ca/ --branch {{branch}}
+
+age-identity:
+	age-plugin-yubikey --identity > /tmp/age-identity
+
+encrypt-talos:
+	for file in `ls talos/*.yaml`; do \
+	  echo "encrypting ${file}"; \
+	  age -e -R gmem.ca/age -o "${file}.age" "${file}"; \
+	done
+
+decrypt-talos: age-identity
+	for file in `ls talos/*.age`; do \
+	  echo "decrypting ${file}"; \
+	  age -d -i /tmp/age-identity -o "${file/.age/}" "${file}"; \
+	done
diff --git a/talos/controlplane.yaml.age b/talos/controlplane.yaml.age
new file mode 100644
index 0000000..1111401
Binary files /dev/null and b/talos/controlplane.yaml.age differ
diff --git a/talos/worker-144.yaml.age b/talos/worker-144.yaml.age
new file mode 100644
index 0000000..75b3bf6
Binary files /dev/null and b/talos/worker-144.yaml.age differ
diff --git a/talos/worker-146.yaml.age b/talos/worker-146.yaml.age
new file mode 100644
index 0000000..d9bf077
Binary files /dev/null and b/talos/worker-146.yaml.age differ