diff --git a/terraform/vultr/k8s.tf b/terraform/vultr/cluster.tf
similarity index 57%
rename from terraform/vultr/k8s.tf
rename to terraform/vultr/cluster.tf
index ebfbb7b..c05d73b 100644
--- a/terraform/vultr/k8s.tf
+++ b/terraform/vultr/cluster.tf
@@ -19,18 +19,18 @@ resource "local_sensitive_file" "kubeconfig" {
 file_permission = "0600"
 }
 
-resource "vultr_block_storage" "ssd0" {
- label = "cluster00-ssd0"
- size_gb = 10
- region = "ewr"
- block_type = "high_perf"
- attached_to_instance = vultr_kubernetes.k8s.node_pools[0].nodes[0].id
- live = true
- depends_on = [
- vultr_kubernetes.k8s
- ]
-}
+# resource "vultr_block_storage" "ssd0" {
+# label = "cluster00-ssd0"
+# size_gb = 10
+# region = "ewr"
+# block_type = "high_perf"
+# attached_to_instance = vultr_kubernetes.k8s.node_pools[0].nodes[0].id
+# live = true
+# depends_on = [
+# vultr_kubernetes.k8s
+# ]
+# }
 
-output "ssd0_mount" {
- value = vultr_block_storage.ssd0.mount_id
-}
+# output "ssd0_mount" {
+# value = vultr_block_storage.ssd0.mount_id
+# }
diff --git a/terraform/vultr/config_maps.tf b/terraform/vultr/config_maps.tf
new file mode 100644
index 0000000..24b861b
--- /dev/null
+++ b/terraform/vultr/config_maps.tf
@@ -0,0 +1,10 @@
+resource "kubernetes_config_map" "keyoxide-env" {
+ metadata {
+ name = "keyoxide-env"
+ namespace = "default"
+ }
+
+ data = {
+ DOMAIN = "key.balsillie.net"
+ }
+}
\ No newline at end of file
diff --git a/terraform/vultr/deployments.tf b/terraform/vultr/deployments.tf
new file mode 100644
index 0000000..51d7ccc
--- /dev/null
+++ b/terraform/vultr/deployments.tf
@@ -0,0 +1,53 @@
+resource "kubernetes_deployment" "keyoxide" {
+ depends_on = [
+ kubernetes_config_map.keyoxide-env
+ ]
+ metadata {
+ name = "keyoxide"
+ namespace = "default"
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "keyoxide"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "keyoxide"
+ }
+ }
+
+ spec {
+ container {
+ name = "keyoxide"
+ image = "codeberg.org/keyoxide/keyoxide-web"
+ image_pull_policy = "Always"
+
+ resources {
+ requests = {
+ cpu = "100m"
+ memory = "50Mi"
+ }
+ limits = {
+ cpu = "500m"
+ memory = "128Mi"
+ }
+ }
+
+ env_from {
+ config_map_ref {
+ name = "keyoxide-env"
+ }
+ }
+
+ }
+ }
+ }
+ }
+}
diff --git a/terraform/vultr/main.tf b/terraform/vultr/main.tf
index 27913e0..37279c8 100644
--- a/terraform/vultr/main.tf
+++ b/terraform/vultr/main.tf
@@ -9,6 +9,10 @@ terraform {
 source = "vultr/vultr"
 version = ">= 2.19.0"
 }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.29.0"
+ }
 }
 backend "local" {
 path = "/home/michael/Nextcloud/Backups/tfstate/vultr.tfstate"
@@ -29,3 +33,11 @@ provider "vultr" {
 rate_limit = 100
 retry_limit = 3
 }
+
+provider "kubernetes" {
+# # host = vultr_kubernetes.k8s.endpoint
+# # client_certificate = vultr_kubernetes.k8s.client_certificate
+# # client_key = vultr_kubernetes.k8s.client_key
+# # cluster_ca_certificate = vultr_kubernetes.k8s.cluster_ca_certificate
+ config_path = pathexpand("~/.kube/vultr")
+}
diff --git a/terraform/vultr/pvcs.tf b/terraform/vultr/pvcs.tf
new file mode 100644
index 0000000..d997b99
--- /dev/null
+++ b/terraform/vultr/pvcs.tf
@@ -0,0 +1,15 @@
+resource "kubernetes_persistent_volume_claim" "ssd" {
+ metadata {
+ name = "ssd"
+ namespace = "default"
+ }
+ spec {
+ access_modes = ["ReadWriteOnce"]
+ resources {
+ requests = {
+ storage = "10Gi"
+ }
+ }
+ storage_class_name = "vultr-block-storage"
+ }
+}
\ No newline at end of file
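Review bot: The container image `codeberg.org/keyoxide/keyoxide-web` in the `container` block has no tag or digest, and `image_pull_policy = "Always"` re-resolves it on every pod start, so what actually runs can change with no Terraform diff and cannot be rolled back to a known version. Pin it, preferably by digest, e.g. `image = "codeberg.org/keyoxide/keyoxide-web@sha256:<digest-from-registry>"` (placeholder), and keep `Always` only if a moving tag is deliberately wanted. The container also runs with no `security_context`; `run_as_non_root = true`, `read_only_root_filesystem = true` and `capabilities { drop = ["ALL"] }` are the usual baseline and are worth adding if the image tolerates them. Note that the `kubernetes_persistent_volume_claim` "ssd" added in pvcs.tf in this same commit is not mounted here (no `volume` / `volume_mount` block), so unless it is consumed elsewhere it is currently allocated but unused.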
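Review bot: The new `kubernetes` entry in `required_providers` uses an open-ended constraint, `version = ">= 2.29.0"`, so a fresh `terraform init` will accept any future major release, and a 3.x provider could change resource schemas or defaults with no change in this repository. Prefer a pessimistic constraint, `version = "~> 2.29"`, and commit the generated `.terraform.lock.hcl` so the provider checksums are pinned as well. The `vultr` constraint just above has the same shape, but it is pre-existing context rather than part of this change.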
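Review bot: The new `provider "kubernetes"` block authenticates via `config_path = pathexpand("~/.kube/vultr")`, a credential file outside the repository, and nothing in the block says where that file comes from or how it relates to the `local_sensitive_file` "kubeconfig" resource visible as context in cluster.tf; on a machine without it, plan fails with no pointer to the cause. A comment such as `# kubeconfig for the cluster; presumably the file written by local_sensitive_file.kubeconfig (cluster.tf) — confirm and document the bootstrap order` would make the dependency explicit. The four `# # host = …` lines should either be deleted or reduced to a one-line reason they were abandoned, since a reader cannot tell whether they are the intended end state or a leftover.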
diff --git a/terraform/vultr/services.tf b/terraform/vultr/services.tf
new file mode 100644
index 0000000..14df0e7
--- /dev/null
+++ b/terraform/vultr/services.tf
@@ -0,0 +1,29 @@
+resource "kubernetes_service" "keyoxide" {
+ metadata {
+ name = "keyoxide"
+ namespace = "default"
+ labels = {
+ svc = "keyoxide"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "keyoxide"
+ }
+
+ ip_family_policy = "SingleStack"
+ ip_families = ["IPv4"]
+
+ type = "ClusterIP"
+ cluster_ip = "None"
+ # external_traffic_policy = "Local"
+
+ port {
+ name = "http"
+ port = 3000
+ target_port = 3000
+ protocol = "TCP"
+ }
+ }
+}
diff --git a/todo/vultr.todo b/todo/vultr.todo
new file mode 100644
index 0000000..53a2932
--- /dev/null
+++ b/todo/vultr.todo
@@ -0,0 +1,18 @@
+revert to using ansible for k8s manifest installs
+ - Employ Ansible as a provider in TF?
+install nginx-ingress-controller
+edit the nginx-ingress-controller service
+ - change the service type to ClusterIP
+ - Change external and internal traffic policy
+ - Add external IPs
+Install the operator lifecycle manager
+ - Scrape current version from GH releases
+ - Download the OLM install script
+ - Run with current version
+
+Install operators:
+ - Cert manager
+ - CNPG
+ - Keycloak
+
+Create cluster cert issuers
\ No newline at end of file
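Review bot: `cluster_ip = "None"` together with `type = "ClusterIP"` makes the `keyoxide` service headless, so DNS resolves directly to pod IPs and there is no virtual IP or proxy-level load balancing; if a normal in-cluster service is intended (the todo file in this commit talks about fronting it with nginx-ingress), drop `cluster_ip = "None"`, and if headless is intended, say so with `# headless: clients resolve pod IPs directly`. The commented `# external_traffic_policy = "Local"` applies only to NodePort and LoadBalancer services, so it is dead as long as the type stays ClusterIP; remove it or note why it is kept. `target_port = 3000` has no matching `port { container_port = 3000 }` on the container in deployments.tf; it still works, but declaring it documents the contract between the two files.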