diff --git a/garage/.gitattributes b/garage/.gitattributes
new file mode 100644
index 0000000..0016a56
--- /dev/null
+++ b/garage/.gitattributes
@@ -0,0 +1 @@
+secret.*.yaml filter=age diff=age merge=age -text
diff --git a/garage/config/garage.toml b/garage/config/garage.toml
new file mode 100644
index 0000000..5361d2b
--- /dev/null
+++ b/garage/config/garage.toml
@@ -0,0 +1,28 @@
+metadata_dir = "/srv/garage/meta"
+data_dir = "/srv/garage/data"
+
+db_engine = "lmdb"
+block_size = "1M"
+replication_factor = 2
+compression_level = 1
+
+rpc_bind_addr = "[::]:3901"
+bootstrap_peers = []
+
+[kubernetes_discovery]
+namespace = "garage"
+service_name = "garage"
+skip_crd = false
+
+[s3_api]
+s3_region = "hel1"
+api_bind_addr = "[::]:3900"
+root_domain = ".s3.icb4dc0.de"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".icb4dc0.de"
+index = "index.html"
+
+[admin]
+api_bind_addr = "[::]:3903"
\ No newline at end of file
diff --git a/garage/kustomization.yaml b/garage/kustomization.yaml
new file mode 100644
index 0000000..6bfa714
--- /dev/null
+++ b/garage/kustomization.yaml
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: garage
+
+images:
+ - name: garage
+ newName: dxflrs/garage
+ newTag: v1.0.0
+
+labels:
+- includeSelectors: true
+ pairs:
+ app.kubernetes.io/name: garage
+ app.kubernetes.io/instance: icb4dc0de
+ app.kubernetes.io/managed-by: kustomize
+
+resources:
+ - resources/namespace.yaml
+ - resources/rbac/serviceaccount.yaml
+ - resources/rbac/clusterrole.yaml
+ - resources/secret.rpc.yaml
+ - resources/workload.yaml
+ - resources/services.yaml
+
+configMapGenerator:
+- name: garage-config
+ files:
+ - config/garage.toml
\ No newline at end of file
diff --git a/garage/resources/namespace.yaml b/garage/resources/namespace.yaml
new file mode 100644
index 0000000..8625643
--- /dev/null
+++ b/garage/resources/namespace.yaml
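Review bot: The `[admin]` section binds the admin API on `[::]:3903` but sets no `metrics_token`, so the `/metrics` endpoint served on that port answers without any credential to anything that can reach the pod, and services.yaml publishes that same port as `garage-metrics`. Garage's `[admin]` section accepts a `metrics_token` next to `admin_token`; since workload.yaml already injects `GARAGE_ADMIN_TOKEN` from a Secret, the metrics token can be supplied the same way (the `GARAGE_METRICS_TOKEN` variable, if the deployed version supports it) and the scraper configured with a bearer token. It would also help to add a comment on the `[admin]` line such as `# 3903 serves the full admin API (token-protected) and /metrics, not just metrics`, so the `garage-metrics` Service name does not mislead readers. `replication_factor = 2` with `replicas: 3` in workload.yaml is consistent, but worth a one-line comment explaining the intent.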
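Review bot: Sequence indentation is mixed within kustomization.yaml: `images:` and `resources:` use indented list items (`+ - name: garage`, `+ - resources/namespace.yaml`) while `labels:` and `configMapGenerator:` use flush ones (`+- includeSelectors: true`, `+- name: garage-config`); pick one form for the whole file (yamllint `indentation.indent-sequences`). Separately, `resources/secret.rpc.yaml` is listed as a plain resource but .gitattributes marks `secret.*.yaml` as age-filtered, so a checkout without the decrypting filter holds ciphertext there and `kustomize build` will fail to parse it; a comment on that entry, e.g. `# age-encrypted in git (see .gitattributes); build needs the age filter configured`, would save the next person a confusing error. Whether that file actually yields the `garage-secrets` Secret with `admin-token`/`rpc-secret` keys that workload.yaml expects cannot be verified from the encrypted hunk — please confirm.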
@@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: garage + labels: + prometheus: default \ No newline at end of file diff --git a/garage/resources/rbac/clusterrole.yaml b/garage/resources/rbac/clusterrole.yaml new file mode 100644 index 0000000..54bfb7b --- /dev/null +++ b/garage/resources/rbac/clusterrole.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: garage-manage-crds +rules: +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "create", "patch"] +- apiGroups: ["deuxfleurs.fr"] + resources: ["garagenodes"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: garage-allow-crds +subjects: +- kind: ServiceAccount + name: garage +roleRef: + kind: ClusterRole + name: garage-manage-crds + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/garage/resources/rbac/serviceaccount.yaml b/garage/resources/rbac/serviceaccount.yaml new file mode 100644 index 0000000..a3f3103 --- /dev/null +++ b/garage/resources/rbac/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: garage \ No newline at end of file diff --git a/garage/resources/secret.rpc.yaml b/garage/resources/secret.rpc.yaml new file mode 100644 index 0000000..cde691a --- /dev/null +++ b/garage/resources/secret.rpc.yaml @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 +v0WONmpnyS82wmlmZBQ/FgyLM4QMv/TIFMKpNTPnU8 +RXWB8IRMcJq1DxVnq9XNE6GhTvjDGfXnLNwd9l+v35M +-> X25519 lz82FQUw4eQo1Zaw3HdHUWp32aHl0g7VSo1Jjj4XVy0 +plUefQK9CeHNtUJbrQWL045CVrBo2GpTiH8TPpSc/KQ +--- cTjjtuwy7VDxgObDIOzNKz/8iLf3sz3vLsiaiYHQFpE +*eIX`յk`{<6yΔbc'Xozo/4Oh3\7~Eϐ<[ٙ91E1J^U [00fil2DŽoTewN ;=QZKr7=Yvѻ>)p;HN $ +X{t^1BD(3[7 + Aeqױ@u'ϒC$?*+Q𡸎cݓ 'G@)JK ȥ)ſ3(2dWC \ No newline at end of file 
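Review bot: The `garage` Namespace carries only `prometheus: default`, whose purpose is not documented; a comment such as `# selects the default Prometheus instance for scraping` (or whatever the operator keys on) would make it clear, since the label is what presumably makes the `garage-metrics` Service discoverable. Given that workload.yaml already drops all capabilities, runs non-root and uses a read-only root filesystem, the namespace could also enforce that baseline with Pod Security Admission labels, e.g. `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted`, so future pods in the namespace cannot silently regress.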
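Review bot: The `ClusterRoleBinding` subject `kind: ServiceAccount` / `name: garage` has no `namespace:`, which the API server requires for ServiceAccount subjects; this presumably relies on kustomize's namespace transformer (`namespace: garage` in kustomization.yaml) to inject it, so confirm the rendered output or set `namespace: garage` explicitly so the file is valid on its own. The second rule grants `create`, `update`, `patch` and `delete` on `garagenodes` cluster-wide, yet garage.toml confines discovery to `namespace = "garage"`; if the CRD is namespace-scoped, only the `customresourcedefinitions` rule needs a ClusterRole and the `garagenodes` verbs belong in a namespaced `Role`/`RoleBinding`, which keeps a compromised pod from touching other namespaces' objects. Minor style point: namespace.yaml opens with `---` while this file's first document does not; be consistent.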
diff --git a/garage/resources/services.yaml b/garage/resources/services.yaml
new file mode 100644
index 0000000..dcca48b
--- /dev/null
+++ b/garage/resources/services.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: garage
+spec:
+ ports:
+ - port: 3900
+ targetPort: 3900
+ protocol: TCP
+ name: s3-api
+ - port: 3902
+ targetPort: 3902
+ protocol: TCP
+ name: s3-web
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: garage-metrics
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - port: 3903
+ targetPort: 3903
+ protocol: TCP
+ name: metrics
\ No newline at end of file
diff --git a/garage/resources/workload.yaml b/garage/resources/workload.yaml
new file mode 100644
index 0000000..79beec3
--- /dev/null
+++ b/garage/resources/workload.yaml
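Review bot: Neither Service has a `spec.selector`, so as written they select nothing; this presumably depends on kustomize's `labels` with `includeSelectors: true` to inject `app.kubernetes.io/name: garage`, which is worth a comment on `spec:` such as `# selector is injected by kustomize labels/includeSelectors`, or an explicit selector so the manifest stands alone. The `garage-metrics` Service forwards port 3903, which garage.toml configures as `[admin] api_bind_addr`, i.e. the full admin API rather than a metrics-only endpoint; the name and the `metrics` port name hide that, and anything in the cluster that can reach the headless Service can probe the admin API (token-protected) and, absent a `metrics_token`, read `/metrics` freely, so a NetworkPolicy limiting 3903 to the scraper would be appropriate. Style: using the container port names as `targetPort` (`targetPort: s3-api`, `targetPort: s3-web`, `targetPort: metrics`) ties the Services to workload.yaml instead of duplicating the numbers.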
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: garage
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: garage
+ serviceName: garage
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: garage
+ spec:
+ serviceAccountName: garage
+ containers:
+ - name: garage
+ image: garage
+ env:
+ - name: GARAGE_ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: garage-secrets
+ key: admin-token
+ - name: GARAGE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: garage-secrets
+ key: rpc-secret
+ ports:
+ - containerPort: 3900
+ name: s3-api
+ - containerPort: 3902
+ name: s3-web
+ - containerPort: 3903
+ name: metrics
+ volumeMounts:
+ - name: garage-data
+ mountPath: /srv/garage
+ - name: garage-config
+ mountPath: /etc/garage.toml
+ subPath: garage.toml
+ readOnly: true
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ nodeSelector:
+ k8s.icb4dc0.de/storage-node: "true"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - arm64
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - fider
+ topologyKey: topology.kubernetes.io/zone
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
+ volumes:
+ - name: garage-config
+ configMap:
+ name: garage-config
+ items:
+ - key: garage.toml
+ path: garage.toml
+ volumeClaimTemplates:
+ - metadata:
+ name: garage-data
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ storageClassName: hcloud-volumes
+ resources:
+ requests:
+ storage: 20Gi
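Review bot: The `podAntiAffinity` term matches `app.kubernetes.io/name` in `- fider`, which looks like a copy-paste from another workload: it keeps garage pods away from fider pods instead of spreading the three garage replicas across zones, so the line should read `- garage` (and `app.kubernetes.io/name: garage` is exactly the label the template sets). The container `securityContext` drops all capabilities and uses a read-only root filesystem but omits `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}`; adding those two brings the pod up to the restricted Pod Security profile at no functional cost. The container also has no `resources` requests/limits and no readiness or liveness probe, so a StatefulSet rollout proceeds as soon as the container starts rather than when garage is serving; the admin port exposed here (3903) presumably serves a health endpoint that could back a `readinessProbe` — confirm against the Garage docs. The referenced Secret `garage-secrets` (keys `admin-token`, `rpc-secret`) is not visible in plaintext in this commit, so its shape cannot be checked here. Style: `accessModes: [ "ReadWriteOnce" ]` has padding inside the brackets; `["ReadWriteOnce"]` matches the flow style used in clusterrole.yaml.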