diff --git a/vault/deployment.yaml b/vault/deployment.yaml new file mode 100644 index 0000000..4e27c30 --- /dev/null +++ b/vault/deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: vault + name: vault +spec: + replicas: 1 + selector: + matchLabels: + app: vault + strategy: + type: Recreate + template: + metadata: + labels: + app: vault + spec: + containers: + - env: + - name: VAULT_ADDR + value: "http://127.0.0.1:8200" + - name: VAULT_LOCAL_CONFIG + value: | + storage "file" { + path = "/vault/file" + } + + listener "tcp" { + address = "0.0.0.0:8200" + tls_disable = 1 + } + + api_addr = "https://vault.strudelline.net" + ui = true + + disable_mlock = true # k8s can't swap anyway + image: hashicorp/vault:1.13.1 + args: + - server + name: vault + volumeMounts: + - mountPath: /vault/logs + name: vault-logs + - mountPath: /vault/file + name: vault-file + restartPolicy: Always + volumes: + - name: vault-file + persistentVolumeClaim: + claimName: vault-file + - name: vault-logs + persistentVolumeClaim: + claimName: vault-logs diff --git a/vault/ingress.yaml b/vault/ingress.yaml new file mode 100644 index 0000000..edb52c5 --- /dev/null +++ b/vault/ingress.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: vault + namespace: vault + annotations: + haproxy-ingress.github.io/ssl-redirect: "true" +spec: + ingressClassName: haproxy + rules: + - host: vault.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: vault + port: + number: 8200 + tls: + - hosts: + - vault.strudelline.net + secretName: wildcard-tls diff --git a/vault/nfs-file-vol.yaml b/vault/nfs-file-vol.yaml new file mode 100644 index 0000000..b71a78e --- /dev/null +++ b/vault/nfs-file-vol.yaml 
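Review bot: The listener in `VAULT_LOCAL_CONFIG` sets `tls_disable = 1` while `api_addr` advertises `https://vault.strudelline.net`, so TLS is evidently terminated at the ingress and the hop from the ingress controller to the pod on `0.0.0.0:8200` is plaintext; if that is the intended design, a comment beside the listener block (`# TLS terminated at the haproxy ingress; in-cluster hop is plaintext`) would stop the next reader from assuming Vault serves TLS itself. The container also declares no `securityContext`, no `resources`, and no probes; a `readinessProbe` with `httpGet` on `/v1/sys/health?standbyok=true` would keep the Service from routing to a sealed or uninitialized instance, and a liveness probe should pass `sealedcode=204&uninitcode=204` so a sealed Vault is not restart-looped. `disable_mlock = true` drops Vault's memory-locking guard; the alternative is keeping mlock and granting `IPC_LOCK` under `securityContext.capabilities.add`, which this spec does not do, so the choice deserves a one-line justification beyond the existing swap remark. The `/vault/logs` mount only receives data once a file audit device is enabled at runtime, which the config cannot do, so a comment on the `vault-logs` volume noting that audit logging still has to be turned on after unseal would be useful.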
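Review bot: `secretName: wildcard-tls` must exist in the `vault` namespace, because Ingress TLS secrets are namespace-scoped; if the wildcard certificate is issued or stored in another namespace it has to be replicated into this one, otherwise the controller serves its default certificate and the `ssl-redirect` annotation still sends clients to it. This rule publishes the Vault API and UI to anything that can reach the ingress with no source restriction at the edge; if only internal clients are expected, consider narrowing reachability at the ingress or network-policy layer and documenting the decision in a comment on the `rules` entry. The backend is reached over plain HTTP on port 8200, which matches `tls_disable = 1` in the deployment and is worth stating in a comment here so the two files stay in sync if TLS is later enabled on the listener.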
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vault-file + namespace: vault +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: nfs diff --git a/vault/nfs-logs-vol.yaml b/vault/nfs-logs-vol.yaml new file mode 100644 index 0000000..7c61084 --- /dev/null +++ b/vault/nfs-logs-vol.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vault-logs + namespace: vault +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: nfs diff --git a/vault/ns.yaml b/vault/ns.yaml new file mode 100644 index 0000000..0158c8f --- /dev/null +++ b/vault/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vault diff --git a/vault/svc.yaml b/vault/svc.yaml new file mode 100644 index 0000000..ef77847 --- /dev/null +++ b/vault/svc.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: vault + name: vault + namespace: vault +spec: + selector: + app: vault + ports: + - name: http + port: 8200 + protocol: TCP + targetPort: 8200 + #clusterIP: None + type: ClusterIP
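Review bot: `accessModes: ReadWriteMany` on the claim backing Vault's `file` storage allows concurrent mounts, which the `file` backend does not support; the deployment's `Recreate` strategy avoids two pods writing at once, but the claim itself could be `ReadWriteOnce` to make that constraint explicit, and the same applies to `vault-logs` in nfs-logs-vol.yaml. Because the barrier data sits on an NFS export, the export's squash and permission settings decide who else on the network can read or, more importantly, tamper with those files; a short comment on `storageClassName: nfs` recording the expected export permissions would help an operator audit this later.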
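Review bot: The namespace carries no Pod Security Admission labels, so nothing prevents a pod in `vault` from running privileged or as root; if the cluster uses PSA, adding `pod-security.kubernetes.io/enforce: restricted` (or `baseline`, should `IPC_LOCK` be granted later) under `metadata.labels` documents and enforces the intended posture for the Vault workload.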
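Review bot: The commented-out `#clusterIP: None` under `spec` is dead configuration with no explanation; either delete it or replace it with a comment stating why a headless service was considered and rejected, e.g. `# clusterIP: None was not used because the file backend runs a single instance`, and add the space after `#` that the rest of the file's comment style would use. Note that `type: ClusterIP` together with the ingress means the Service is only reachable through haproxy and from inside the cluster, which is consistent with the plaintext listener in the deployment.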