diff --git a/kubernetes/rpi5-cluster/.sops.yaml b/kubernetes/rpi5-cluster/.sops.yaml
index 02c17a3..7ef7fab 100644
--- a/kubernetes/rpi5-cluster/.sops.yaml
+++ b/kubernetes/rpi5-cluster/.sops.yaml
@@ -1,4 +1,4 @@
 creation_rules:
- - path_regex: .*.yaml
+ - path_regex: .*.ya?ml
 encrypted_regex: ^(data|stringData)$
- pgp: 6CEA91DDB1964869C94DCEC7AF6E3BB1B44F669B
+ age: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
diff --git a/kubernetes/rpi5-cluster/apps/cert-manager/kustomization.yaml b/kubernetes/rpi5-cluster/apps/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..24501be
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cert-manager/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../templates/apps/cert-manager/ks.yaml
diff --git a/kubernetes/rpi5-cluster/infrastructure/repositories/kustomization.yaml b/kubernetes/rpi5-cluster/infrastructure/kustomization.yaml
similarity index 62%
rename from kubernetes/rpi5-cluster/infrastructure/repositories/kustomization.yaml
rename to kubernetes/rpi5-cluster/infrastructure/kustomization.yaml
index d194337..54e5811 100644
--- a/kubernetes/rpi5-cluster/infrastructure/repositories/kustomization.yaml
+++ b/kubernetes/rpi5-cluster/infrastructure/kustomization.yaml
@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ks.yaml
+ - repositories/ks.yaml
+ - secrets/ks.yaml
diff --git a/kubernetes/rpi5-cluster/infrastructure/repositories/home-cluster-ops-secrets.yaml b/kubernetes/rpi5-cluster/infrastructure/repositories/home-cluster-ops-secrets.yaml
index e5ae737..2bc806d 100644
--- a/kubernetes/rpi5-cluster/infrastructure/repositories/home-cluster-ops-secrets.yaml
+++ b/kubernetes/rpi5-cluster/infrastructure/repositories/home-cluster-ops-secrets.yaml
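Review bot: In `.sops.yaml`, the new `path_regex: .*.ya?ml` still has an unescaped dot and no end anchor, so it matches any path that merely contains `yml` or `yaml` after some character; `path_regex: .*\.ya?ml$` states the intent. The same hunk swaps the PGP fingerprint for an age recipient: files already encrypted under the old rule keep their PGP recipient until `sops updatekeys` is run on them, and if the cluster ends up holding only the age key those files would presumably fail to decrypt. If the PGP key is being retired because it may have been exposed, rotate the data keys as well (`sops --rotate`) rather than only re-wrapping them.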
@@ -8,11 +8,6 @@ spec:
 ref:
 branch: main
 secretRef:
- name: home-cluster-ops-secret
- url: ssh://git@github.com/gabe565/home-ops-private.git
- ignore: |
- # exclude all
- /*
- # include flux directories
- !/kubernetes/tennant
- !/kubernetes/templates
\ No newline at end of file
+ name: flux-system
+ timeout: 60s
+ url: https://github.com/3dwardch3ng/home-cluster-ops-secrets.git
\ No newline at end of file
diff --git a/kubernetes/rpi5-cluster/infrastructure/secrets/ks.yaml b/kubernetes/rpi5-cluster/infrastructure/secrets/ks.yaml
new file mode 100644
index 0000000..23f4ae0
--- /dev/null
+++ b/kubernetes/rpi5-cluster/infrastructure/secrets/ks.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: home-cluster-ops-secrets
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: ./
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster-ops-secrets
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
\ No newline at end of file
diff --git a/kubernetes/rpi5-cluster/apps/cert-manager/namespace.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/apps/namespace.yaml
similarity index 100%
rename from kubernetes/rpi5-cluster/apps/cert-manager/namespace.yaml
rename to kubernetes/rpi5-cluster/templates/apps/cert-manager/apps/namespace.yaml
diff --git a/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml
index 976e4f2..b608e0c 100644
--- a/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml
+++ b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml
@@ -1,5 +1,5 @@
 apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
+kind: Issuer
 metadata:
 name: letsencrypt-dns01
 namespace: cert-manager
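Review bot: In `repositories/home-cluster-ops-secrets.yaml`, the source moves from `ssh://` to `https://` while `secretRef.name` becomes `flux-system`, the bootstrap credential. Over HTTPS Flux expects `username`/`password` (or `bearerToken`) in that Secret, whereas an SSH bootstrap Secret carries `identity`/`known_hosts`; the Secret is not part of this diff, so confirm it matches the new scheme. Reusing the bootstrap credential also means one token reads both the ops repository and the private secrets repository; a dedicated read-only credential for this GitRepository keeps the blast radius smaller. The `ignore` filter is dropped as well, so the whole repository now lands in the source artifact. The hunk starts inside `spec`, so the rest of the object is not visible here.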
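Review bot: In the new `infrastructure/secrets/ks.yaml`, `path: ./` together with `prune: true` applies and garbage-collects everything at the root of the secrets repository, and with no `serviceAccountName` set it does so with the kustomize-controller's own privileges. Point `path` at the directory that holds this cluster's manifests (for example `path: ./<cluster-dir>`, placeholder) so an unrelated file committed to that repository is not reconciled into the cluster. `decryption.secretRef.name: sops-age` is not created anywhere in this commit; a comment such as `# sops-age holds the age private key and is created out of band in flux-system` would document the bootstrap step.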
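Review bot: In `letsencrypt-dns01.yaml` (and the identical change in `letsencrypt-http01.yaml`), `kind: Issuer` with `namespace: cert-manager` can only sign Certificates that live in the `cert-manager` namespace. Any Certificate or Ingress elsewhere that still refers to these names as a ClusterIssuer (`issuerRef.kind: ClusterIssuer` or the `cert-manager.io/cluster-issuer` annotation) would stop being issued or renewed; none of those consumers are visible in this diff. If the narrower scope is intended, a comment like `# namespaced on purpose: only Certificates in cert-manager may use this issuer` records that; otherwise keep `kind: ClusterIssuer`. The issuer's `spec` lies outside this hunk.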
@@ -13,5 +13,5 @@ spec:
 - dns01:
 cloudflare:
 apiTokenSecretRef:
- name: cloudflare-api-token
- key: api-token
+ name: cert-manager-secrets
+ key: cert-manager-dns01
diff --git a/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml
index 657c3a5..b4e4fae 100644
--- a/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml
+++ b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml
@@ -1,5 +1,5 @@
 apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
+kind: Issuer
 metadata:
 name: letsencrypt-http01
 namespace: cert-manager
diff --git a/kubernetes/rpi5-cluster/apps/cert-manager/ks.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/ks.yaml
similarity index 95%
rename from kubernetes/rpi5-cluster/apps/cert-manager/ks.yaml
rename to kubernetes/rpi5-cluster/templates/apps/cert-manager/ks.yaml
index e647a3a..841ee46 100644
--- a/kubernetes/rpi5-cluster/apps/cert-manager/ks.yaml
+++ b/kubernetes/rpi5-cluster/templates/apps/cert-manager/ks.yaml
@@ -32,4 +32,4 @@ spec:
 postBuild:
 substituteFrom:
 - kind: Secret
- name: issuer-vars
+ name: cert-manager-secrets
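Review bot: In the second `letsencrypt-dns01.yaml` hunk, `apiTokenSecretRef` now names `cert-manager-secrets` / `cert-manager-dns01`, and because the resource is now an `Issuer` that Secret is looked up in the issuer's own namespace (`cert-manager`). Nothing in this diff creates it, so presumably it comes from the SOPS-encrypted secrets repository; a comment such as `# provided by the home-cluster-ops-secrets Kustomization, namespace cert-manager` would make the dependency traceable. The Cloudflare token behind it should carry only the DNS edit permission for the zones being validated. The solver list starts before this hunk, so the rest of `spec` is not visible.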
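Review bot: In `templates/apps/cert-manager/ks.yaml`, `substituteFrom` now points at `cert-manager-secrets`, the same name the dns01 issuer uses for its Cloudflare token. `substituteFrom` loads every key of the referenced Secret (read from the Flux Kustomization's namespace) as a substitution variable, so if this is one Secret the API token becomes available to `${...}` expansion in every manifest rendered here, and a hyphenated key such as `cert-manager-dns01` is, as far as I know, rejected by the controller as a variable name. Keeping the substitution variables in a Secret of their own, separate from credentials, avoids both problems. The Kustomization's metadata and its first 31 lines are outside this hunk, so its namespace cannot be confirmed here.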