diff --git a/k8s/apps/kustomization.yaml b/k8s/apps/kustomization.yaml
index 2b73fc3..a2f3413 100644
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - ghost
 - authentik
 - ingressroutes
+ # - twingate
diff --git a/k8s/apps/twingate/kustomization.yaml b/k8s/apps/twingate/kustomization.yaml
new file mode 100644
index 0000000..a43f5a2
--- /dev/null
+++ b/k8s/apps/twingate/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - repository.yaml
+ - secrets.yaml
+ - release.yaml
+
diff --git a/k8s/apps/twingate/release.yaml b/k8s/apps/twingate/release.yaml
new file mode 100644
index 0000000..b07f46e
--- /dev/null
+++ b/k8s/apps/twingate/release.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: twingate
+ namespace: default
+spec:
+ interval: 10m0s
+ releaseName: twingate-rampant-eagle
+ targetNamespace: default
+ chart:
+ spec:
+ chart: connector
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: twingate
+ namespace: flux-system
+ valuesFrom:
+ - kind: Secret
+ name: twingate-creds
+ valuesKey: access-token
+ targetPath: connector.accessToken
+ - kind: Secret
+ name: twingate-creds
+ valuesKey: refresh-token
+ targetPath: connector.refreshToken
+ values:
+ connector:
+ network: mnke
+ # accessToken:
+ # refreshToken:
diff --git a/k8s/apps/twingate/repository.yaml b/k8s/apps/twingate/repository.yaml
new file mode 100644
index 0000000..00e75a9
--- /dev/null
+++ b/k8s/apps/twingate/repository.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: twingate
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://twingate.github.io/helm-charts
diff --git a/k8s/apps/twingate/secrets.yaml b/k8s/apps/twingate/secrets.yaml
new file mode 100644
index 0000000..fc4d860
--- /dev/null
+++ b/k8s/apps/twingate/secrets.yaml
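Review bot: The `chart.spec` block in k8s/apps/twingate/release.yaml sets no `version`, so with `reconcileStrategy: ChartVersion` Flux will install whichever chart version the repository currently serves as latest; for a connector that holds network access tokens, pin it with `version: "<pinned chart version>"` under `chart.spec` and bump it deliberately. Separately, the two `valuesFrom` entries copy both tokens into the release's Helm values, which Helm normally persists in its own release Secret in `default` in addition to `twingate-creds`; if the chart supports referencing an existing Secret, that would avoid the second copy. The commented `# accessToken:` / `# refreshToken:` placeholders under `values.connector` can be dropped now that `valuesFrom` supplies them.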
@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: twingate-creds
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: infisical
+
+ target:
+ name: twingate-creds
+
+ data:
+ - secretKey: access-token
+ remoteRef:
+ key: twingate-access-token
+ - secretKey: refresh-token
+ remoteRef:
+ key: twingate-refresh-token
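Review bot: The ExternalSecret materialises the connector's access and refresh tokens as `twingate-creds` in the shared `default` namespace, where any subject with Secret read access in `default` can read them; a dedicated namespace for the connector (here and in release.yaml's `namespace`/`targetNamespace`) would narrow that exposure. The spec also leaves `refreshInterval` unset, so how quickly a token rotated in Infisical reaches the cluster depends on the operator's default. Stating it explicitly, e.g. `refreshInterval: 1h` under `spec`, makes the rotation window visible in review.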