diff --git a/playbooks/k3s-loadbalancer.yml b/playbooks/k3s-loadbalancer.yml index c1d4a6f..5f0e46e 100644 --- a/playbooks/k3s-loadbalancer.yml +++ b/playbooks/k3s-loadbalancer.yml @@ -11,7 +11,7 @@ tags: - k3s_loadbalancer when: inventory_hostname in groups["k3s_loadbalancer"] - - role: node_exporter - tags: - - node_exporter - when: inventory_hostname in groups["k3s_loadbalancer"] + # - role: node_exporter + # tags: + # - node_exporter + # when: inventory_hostname in groups["k3s_loadbalancer"] diff --git a/playbooks/k3s-servers.yml b/playbooks/k3s-servers.yml index c260dd5..5998b0d 100644 --- a/playbooks/k3s-servers.yml +++ b/playbooks/k3s-servers.yml @@ -3,10 +3,10 @@ hosts: k3s gather_facts: true roles: - - role: common - tags: - - common - when: inventory_hostname in groups["k3s_server"] + # - role: common + # tags: + # - common + # when: inventory_hostname in groups["k3s_server"] - role: k3s_server tags: - k3s_server diff --git a/playbooks/k3s-storage.yml b/playbooks/k3s-storage.yml index fb78a7a..66e6d79 100644 --- a/playbooks/k3s-storage.yml +++ b/playbooks/k3s-storage.yml @@ -10,7 +10,7 @@ when: inventory_hostname in groups["k3s_storage"] tags: - k3s_storage - - role: node_exporter - when: inventory_hostname in groups["k3s_storage"] - tags: - - node_exporter + # - role: node_exporter + # when: inventory_hostname in groups["k3s_storage"] + # tags: + # - node_exporter diff --git a/playbooks/kubernetes_setup.yml b/playbooks/kubernetes_setup.yml index 8580772..cee1d1e 100644 --- a/playbooks/kubernetes_setup.yml +++ b/playbooks/kubernetes_setup.yml @@ -16,3 +16,5 @@ when: is_localhost - role: kubernetes_cert_manager when: is_localhost + # - role: kubernetes_argo_apps + # when: is_localhost diff --git a/roles/docker_host/tasks/20_installation.yml b/roles/docker_host/tasks/20_installation.yml index 688ca5f..d49b34d 100644 --- a/roles/docker_host/tasks/20_installation.yml +++ b/roles/docker_host/tasks/20_installation.yml 
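Review bot: The removed `node_exporter` and `common` role entries are kept as commented-out YAML instead of being deleted, and the same pattern recurs in `playbooks/k3s-servers.yml`, `playbooks/k3s-storage.yml`, `playbooks/kubernetes_setup.yml` and the keycloak service in `vars/group_vars/docker/docker.yml`; git history already preserves the old stanzas, so deleting them keeps the playbooks readable. Disabling `node_exporter` on the load balancer and storage hosts and `common` on the k3s servers also changes what those hosts receive (presumably monitoring and a shared baseline), and nothing says whether that is temporary. If it is, a one-line comment such as `# node_exporter disabled until <reason>` records it; if it is permanent, the entries should simply go.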
@@ -26,6 +26,7 @@ - curl - gnupg - lsb-release + - qemu-guest-agent become: true - name: Add Docker apt key. diff --git a/roles/docker_host/tasks/main.yml b/roles/docker_host/tasks/main.yml index c6a499d..d50cb1a 100644 --- a/roles/docker_host/tasks/main.yml +++ b/roles/docker_host/tasks/main.yml @@ -1,6 +1,7 @@ --- - name: Setup VM ansible.builtin.include_tasks: 10_setup.yml + - name: Install docker ansible.builtin.include_tasks: 20_installation.yml diff --git a/roles/k3s_agent/tasks/installation.yml b/roles/k3s_agent/tasks/installation.yml index 7617d75..38da0c1 100644 --- a/roles/k3s_agent/tasks/installation.yml +++ b/roles/k3s_agent/tasks/installation.yml @@ -1,4 +1,12 @@ --- +- name: Install dependencies for apt to use repositories over HTTPS + ansible.builtin.apt: + name: "{{ item }}" + state: present + loop: + - qemu-guest-agent + become: true + - name: See if k3s file exists ansible.builtin.stat: path: /usr/local/bin/k3s diff --git a/roles/k3s_loadbalancer/tasks/configuration.yml b/roles/k3s_loadbalancer/tasks/configuration.yml index b5355db..31e5ece 100644 --- a/roles/k3s_loadbalancer/tasks/configuration.yml +++ b/roles/k3s_loadbalancer/tasks/configuration.yml @@ -9,8 +9,6 @@ become: true notify: - Restart nginx - vars: - k3s_server_ips: "{{ k3s_primary_server_ip }}" - name: Enable nginx ansible.builtin.systemd: diff --git a/roles/k3s_loadbalancer/tasks/installation.yml b/roles/k3s_loadbalancer/tasks/installation.yml index 47107b3..72b295c 100644 --- a/roles/k3s_loadbalancer/tasks/installation.yml +++ b/roles/k3s_loadbalancer/tasks/installation.yml @@ -4,6 +4,14 @@ update_cache: true become: true +- name: Install dependencies for apt to use repositories over HTTPS + ansible.builtin.apt: + name: "{{ item }}" + state: present + loop: + - qemu-guest-agent + become: true + - name: Install Nginx ansible.builtin.apt: name: diff --git a/roles/k3s_loadbalancer/tasks/main.yml b/roles/k3s_loadbalancer/tasks/main.yml index bb97f4a..8f4edd4 100644 
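Review bot: The task named `Install dependencies for apt to use repositories over HTTPS` installs only `qemu-guest-agent`, so the name no longer describes what it does; the same task is copied into `roles/k3s_loadbalancer/tasks/installation.yml` and `roles/k3s_server/tasks/main.yml`. A `loop` over a single package is unnecessary because `ansible.builtin.apt` accepts the package directly: `- name: Install qemu-guest-agent` with `ansible.builtin.apt: {name: qemu-guest-agent, state: present}`. Only the k3s_server copy passes `update_cache: true`; the loadbalancer file refreshes the cache in the preceding task, but nothing visible does so in `k3s_agent`, so that copy depends on an earlier refresh. Three identical copies argue for the package living in one shared place, such as the `common` role that this same commit comments out of the server play.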
--- a/roles/k3s_loadbalancer/tasks/main.yml +++ b/roles/k3s_loadbalancer/tasks/main.yml @@ -1,6 +1,7 @@ --- - name: Installation ansible.builtin.include_tasks: installation.yml + - name: Configure ansible.builtin.include_tasks: configuration.yml diff --git a/roles/k3s_loadbalancer/templates/nginx.conf.j2 b/roles/k3s_loadbalancer/templates/nginx.conf.j2 index bb59cab..5b9b450 100644 --- a/roles/k3s_loadbalancer/templates/nginx.conf.j2 +++ b/roles/k3s_loadbalancer/templates/nginx.conf.j2 @@ -3,11 +3,10 @@ include /etc/nginx/modules-enabled/*.conf; events {} stream { -# TCP Load Balancing for the K3s API upstream k3s_servers { - {% for ip in k3s_server_ips %} +{% for ip in k3s_server_ips %} server {{ ip }}:{{ k3s.loadbalancer.default_port }}; - {% endfor %} +{% endfor %} } server { @@ -15,10 +14,22 @@ stream { proxy_pass k3s_servers; } + upstream etcd_servers { +{% for ip in k3s_server_ips %} + server {{ ip }}:2379; +{% endfor %} + } + + server { + listen 2379; + proxy_pass etcd_servers; + } + + upstream dns_servers { - {% for ip in k3s_server_ips %} +{% for ip in k3s_server_ips %} server {{ ip }}:53; - {% endfor %} +{% endfor %} } server { diff --git a/roles/k3s_server/tasks/installation.yml b/roles/k3s_server/tasks/installation.yml deleted file mode 100644 index 217c2ad..0000000 --- a/roles/k3s_server/tasks/installation.yml +++ /dev/null 
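Review bot: The new `server { listen 2379; proxy_pass etcd_servers; }` block publishes the etcd client port of every control-plane node through the load balancer on all of its interfaces, and nothing else in this commit reaches etcd through the LB — the secondary servers join via `--server https://<lb>:{{ k3s.loadbalancer.default_port }}`. etcd is the cluster datastore, so unless a consumer is known the block should go; if one exists, bind it to the internal address only (`listen <lb-internal-ip>:2379;`) and leave a comment naming the consumer. The port is also a bare literal where the API port comes from `k3s.loadbalancer.default_port`; a parallel variable (e.g. `k3s.loadbalancer.etcd_port`) keeps both configurable in one place.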
@@ -1,26 +0,0 @@ ---- -- name: Download K3s install script to /tmp/ - ansible.builtin.get_url: - url: https://get.k3s.io - dest: /tmp/k3s_install.sh - mode: "0755" - -- name: Install K3s server with node taint and TLS SAN - when: (ansible_default_ipv4.address == k3s_primary_server_ip) - ansible.builtin.command: | - /tmp/k3s_install.sh server \ - --node-taint CriticalAddonsOnly=true:NoExecute \ - --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }} - --tls-san {{ k3s_server_name }} - become: true - register: k3s_primary_install - -- name: Install K3s on the secondary servers - when: (ansible_default_ipv4.address != k3s_primary_server_ip) - ansible.builtin.command: | - /tmp/k3s_install.sh server \ - --node-taint CriticalAddonsOnly=true:NoExecute \ - --tls-san {{ k3s.loadbalancer.ip }} - environment: - K3S_TOKEN: "{{ k3s_token }}" - become: true diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml index 5419e8a..b25187d 100644 --- a/roles/k3s_server/tasks/main.yml +++ b/roles/k3s_server/tasks/main.yml 
@@ -1,21 +1,29 @@ --- +- name: Install dependencies for apt to use repositories over HTTPS + ansible.builtin.apt: + name: "{{ item }}" + state: present + update_cache: true + loop: + - qemu-guest-agent + become: true + - name: See if k3s file exists ansible.builtin.stat: path: /usr/local/bin/k3s register: k3s_status -- include_tasks: installation.yml - when: not k3s_status.stat.exists - -- include_tasks: create_kubeconfig.yml +- name: Install primary k3s server + include_tasks: primary_installation.yml when: ansible_default_ipv4.address == k3s_primary_server_ip -- name: Check if k3s token vault file already exists - ansible.builtin.stat: - path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" - register: k3s_vault_file_stat - delegate_to: localhost - run_once: true +- name: Get token from primary k3s server + include_tasks: pull_token.yml -- include_tasks: pull_token.yml - when: not k3s_vault_file_stat.stat.exists +- name: Install seconary k3s servers + include_tasks: secondary_installation.yml + when: ansible_default_ipv4.address != k3s_primary_server_ip + +- name: Set kubeconfig on localhost + include_tasks: create_kubeconfig.yml + when: ansible_default_ipv4.address == k3s_primary_server_ip diff --git a/roles/k3s_server/tasks/primary_installation.yml b/roles/k3s_server/tasks/primary_installation.yml new file mode 100644 index 0000000..af61090 --- /dev/null +++ b/roles/k3s_server/tasks/primary_installation.yml @@ -0,0 +1,14 @@ +--- +- name: Download K3s install script to /tmp/ + ansible.builtin.get_url: + url: https://get.k3s.io + dest: /tmp/k3s_install.sh + mode: "0755" + +- name: Install K3s server with and TLS SAN + ansible.builtin.command: | + /tmp/k3s_install.sh server \ + --cluster-init + --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }} \ + --tls-san {{ k3s_server_name }} + become: true diff --git a/roles/k3s_server/tasks/pull_token.yml b/roles/k3s_server/tasks/pull_token.yml index 9b91065..4a8dc8f 100644 
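Review bot: The install guard is gone: `k3s_status` is still registered by the stat task but no longer consulted, so `primary_installation.yml` and `secondary_installation.yml` re-download and re-run the installer on every play rather than only when `/usr/local/bin/k3s` is absent; either drop the stat task or restore the condition on both includes, e.g. `when: not k3s_status.stat.exists and ansible_default_ipv4.address == k3s_primary_server_ip`. `pull_token.yml` is likewise included unconditionally where it was previously skipped when the vault file already existed, and its final task runs `ansible-vault encrypt` on that file, which refuses input that is already encrypted, so the second run will presumably fail there. The task name `Install seconary k3s servers` should read `secondary`.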
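Review bot: The installer is fetched from `https://get.k3s.io` with no version pin, so each run installs whatever k3s is current; pass the script's `INSTALL_K3S_VERSION` variable, e.g. `environment: {INSTALL_K3S_VERSION: "<pinned k3s version>"}` on the command task, here and in `secondary_installation.yml`. The script is downloaded into the shared `/tmp` directory without `become` and then executed with `become: true`; downloading it with `become: true` to a root-owned path (or into a directory from `ansible.builtin.tempfile`) removes the gap between an unprivileged write and a privileged execution. Inside the command string `--cluster-init` is the only line without a trailing `\`; with `ansible.builtin.command` newlines are ordinary whitespace so it still works, but the backslashes should be all present or all removed. The task name `Install K3s server with and TLS SAN` has a leftover `with and`.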
--- a/roles/k3s_server/tasks/pull_token.yml +++ b/roles/k3s_server/tasks/pull_token.yml @@ -1,6 +1,5 @@ - name: Get K3s token from the first server - when: - - ansible_default_ipv4.address == k3s_primary_server_ip + when: ansible_default_ipv4.address == k3s_primary_server_ip ansible.builtin.slurp: src: /var/lib/rancher/k3s/server/node-token register: k3s_token @@ -9,6 +8,8 @@ - name: Set fact on k3s_primary_server_ip ansible.builtin.set_fact: k3s_token: "{{ k3s_token['content'] | b64decode | trim }}" + when: + - ansible_default_ipv4.address == k3s_primary_server_ip - name: Write K3s token to local file for encryption ansible.builtin.copy: @@ -22,3 +23,4 @@ - name: Encrypt k3s token ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}" delegate_to: localhost + run_once: true diff --git a/roles/k3s_server/tasks/secondary_installation.yml b/roles/k3s_server/tasks/secondary_installation.yml new file mode 100644 index 0000000..9b1ac53 --- /dev/null +++ b/roles/k3s_server/tasks/secondary_installation.yml @@ -0,0 +1,21 @@ +--- +- name: Add token vault + ansible.builtin.include_vars: + file: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" + name: k3s_token_vault + +- name: Download K3s install script to /tmp/ + ansible.builtin.get_url: + url: https://get.k3s.io + dest: /tmp/k3s_install.sh + mode: "0755" + +- name: Install K3s on the secondary servers + ansible.builtin.command: | + /tmp/k3s_install.sh \ + --server "https://{{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}:{{ k3s.loadbalancer.default_port }}" \ + --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }} \ + --tls-san {{ k3s_server_name }} + environment: + K3S_TOKEN: "{{ k3s_token_vault.k3s_token }}" + become: true diff --git a/roles/kubernetes_cert_manager/tasks/main.yml b/roles/kubernetes_cert_manager/tasks/main.yml index a45dea8..c1563ae 100644 --- a/roles/kubernetes_cert_manager/tasks/main.yml 
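Review bot: Two guards for the same condition now appear in two styles — a scalar `when:` on the slurp task and a one-item list on the set_fact — and the second exists only because `main.yml` now includes this file on every host; gating the include once in `main.yml` with `when: ansible_default_ipv4.address == k3s_primary_server_ip` would let both per-task guards go. With the vault-file stat guard removed from `main.yml`, `Encrypt k3s token` will run `ansible-vault encrypt` on a file that is already encrypted from the second play onward, which ansible-vault rejects; guard it on the copy task's `changed` result or re-introduce the stat check. `run_once: true` on a `delegate_to: localhost` task is reasonable, but the `Write K3s token to local file for encryption` task that precedes it is outside these hunks, so whether the plaintext token file is written once or once per host cannot be confirmed here; producing the vault entry with `ansible-vault encrypt_string` would avoid the plaintext-on-disk window altogether.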
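Review bot: The join token is passed as `environment: K3S_TOKEN`, and task arguments including `environment` are printed in verbose runs and by logging callbacks; add `no_log: true` to the command task so the token is not recorded. The join URL and `--tls-san` hard-code the inventory hostname in `hostvars['k3s-loadbalancer']`, whereas the deleted `installation.yml` used `k3s.loadbalancer.ip`; pick one source so a renamed load-balancer host does not silently break joins. The installer download repeats the unpinned `/tmp` pattern of `primary_installation.yml`; pinning with `INSTALL_K3S_VERSION` and downloading to a root-owned path applies here as well.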
+++ b/roles/kubernetes_cert_manager/tasks/main.yml @@ -19,13 +19,6 @@ name: cert-manager-webhook-netcup repo_url: https://aellwein.github.io/cert-manager-webhook-netcup/charts/ -- name: Install NetCup Webhook - kubernetes.core.helm: - name: my-cert-manager-webhook-netcup - chart_ref: cert-manager-webhook-netcup/cert-manager-webhook-netcup - release_namespace: cert-manager - create_namespace: true - - name: Download cert-manager manifest ansible.builtin.get_url: url: "{{ cert_manager_manifest }}" @@ -75,3 +68,10 @@ tags: - cert_manager - certificate + +- name: Install NetCup Webhook + kubernetes.core.helm: + name: my-cert-manager-webhook-netcup + chart_ref: cert-manager-webhook-netcup/cert-manager-webhook-netcup + release_namespace: cert-manager + create_namespace: true diff --git a/roles/kubernets_argo_apps/defaults/main.yml b/roles/kubernets_argo_apps/defaults/main.yml new file mode 100644 index 0000000..71e365f --- /dev/null +++ b/roles/kubernets_argo_apps/defaults/main.yml @@ -0,0 +1,2 @@ +argocd_apps_repo_url: ssh://git@git.tudattr.dev/tudattr/argocd.git +argocd_apps_target_revision: main diff --git a/roles/kubernets_argo_apps/tasks/install_argo_app.yml b/roles/kubernets_argo_apps/tasks/install_argo_app.yml new file mode 100644 index 0000000..22f6561 --- /dev/null +++ b/roles/kubernets_argo_apps/tasks/install_argo_app.yml @@ -0,0 +1,10 @@ +- name: Render Argo CD Application YAML to a variable + ansible.builtin.set_fact: + argo_app_manifest: "{{ lookup('ansible.builtin.template', '../templates/argo_app.yaml.j2') }}" + +- name: Apply Argo CD Application to Kubernetes using k8s module + kubernetes.core.k8s: + state: present + definition: "{{ argo_app_manifest }}" + register: k8s_apply_result + delegate_to: localhost diff --git a/roles/kubernets_argo_apps/tasks/main.yml b/roles/kubernets_argo_apps/tasks/main.yml new file mode 100644 index 0000000..92aaed0 --- /dev/null +++ b/roles/kubernets_argo_apps/tasks/main.yml 
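Review bot: The relocated `Install NetCup Webhook` task still has no `chart_version`, so every run pulls whatever the repo currently publishes as `cert-manager-webhook-netcup/cert-manager-webhook-netcup`; add `chart_version: "<pinned chart version>"` for a reproducible, reviewable upgrade path. Moving the webhook install after the certificate tasks means any Certificate using the netcup DNS01 solver stays pending until this task completes; presumably the move lets cert-manager's CRDs and namespace exist first, and a short comment on the task recording that reason would help the next reader.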
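Review bot: The role lives at `roles/kubernets_argo_apps` (missing an `e`), but the playbook entry this commit adds to `playbooks/kubernetes_setup.yml` references `kubernetes_argo_apps`; one of the two must be renamed before the role can be enabled. `argocd_apps_repo_url` defaults to `ssh://git@git.tudattr.dev/tudattr/argocd.git` here while `vars/group_vars/kubernetes/vars.yml` sets `ssh://git.seyshiro.de:2222/tudattr/ansible.git` — a different host, port, path and repository, and no `git@` user, which SSH git servers generally require — so confirm which repository Argo CD should watch. The file also omits the `---` document start used by the repo's other YAML files.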
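Review bot: The lookup path `../templates/argo_app.yaml.j2` does not match the file this commit adds, `templates/argo-app.yaml.j2` (hyphen, not underscore), so the render fails on first use. Lookups inside a role already resolve against its `templates/` directory, so `lookup('ansible.builtin.template', 'argo-app.yaml.j2')` suffices — or pass `template: argo-app.yaml.j2` straight to `kubernetes.core.k8s` and drop the intermediate `set_fact`. `register: k8s_apply_result` is never read.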
@@ -0,0 +1,5 @@ +- name: Install Argo Application + ansible.builtin.include_tasks: ./install_argo_app.yml + loop: argo_apps + loop_control: + loop_var: app diff --git a/roles/kubernets_argo_apps/templates/argo-app.yaml.j2 b/roles/kubernets_argo_apps/templates/argo-app.yaml.j2 new file mode 100644 index 0000000..332f1e7 --- /dev/null +++ b/roles/kubernets_argo_apps/templates/argo-app.yaml.j2 @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: {{ app.name }} + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: {{ argocd_apps_repo_url }} + targetRevision: {{ argocd_apps_target_revision | default("HEAD") }} + path: argocd/{{ app.name }} + directory: + recurse: true + destination: + server: https://kubernetes.default.svc + namespace: {{ argocd_apps_target_namespace | default(app.name) }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/roles/kubernets_argo_apps/templates/argo_repo.yaml.j2 b/roles/kubernets_argo_apps/templates/argo_repo.yaml.j2 new file mode 100644 index 0000000..7d062e0 --- /dev/null +++ b/roles/kubernets_argo_apps/templates/argo_repo.yaml.j2 @@ -0,0 +1,11 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Repository +metadata: + name: {{ argocd_apps_repo_name }} + namespace: argocd +spec: + url: {{ argocd_apps_repo_url }} + type: git + sshPrivateKeySecret: + name: {{ argocd_apps_ssh_private_key_secret_name }} + key: {{ argocd_apps_ssh_private_key_secret_key }} diff --git a/roles/proxmox/vars/main.yml b/roles/proxmox/vars/main.yml index 5e32075..fb9022c 100644 --- a/roles/proxmox/vars/main.yml +++ b/roles/proxmox/vars/main.yml @@ -19,8 +19,6 @@ proxmox_tags: - "{{ proxmox_creator }}" proxmox_node_dependencies: - - libguestfs-tools - - qemu-guest-agent - nmap proxmox_localhost_dependencies: [] 
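Review bot: `loop: argo_apps` hands the literal string `argo_apps` to the loop rather than the variable, and `loop` requires a list, so the task errors before any app is installed; write `loop: "{{ argo_apps }}"`. The file also omits the `---` document start the repo's other task files use.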
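Review bot: Every application is placed in `project: default` with `prune: true`, `selfHeal: true` and `CreateNamespace=true`, so whatever lands in the source repo can create and delete resources wherever the default AppProject permits; a dedicated `AppProject` with explicit `sourceRepos` and `destinations` bounds the damage of a mistaken or malicious commit to that repo. Templated scalars such as `name: {{ app.name }}` are unquoted, and the only entry currently in `argo_apps` (`vars/group_vars/kubernetes/services.yml`) has a null `name`, so the rendered manifest carries an empty `metadata.name` and `path: argocd/`; quote them (`name: "{{ app.name }}"`) and make that entry valid before enabling the role.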
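Review bot: `kind: Repository` does not exist under `argoproj.io/v1alpha1` — Argo CD declares repositories as `Secret` objects labelled `argocd.argoproj.io/secret-type: repository` carrying `url`, `sshPrivateKey` and related keys — so this manifest would be rejected if anything applied it (nothing in this commit renders it). `sshPrivateKeySecret.key` is filled from `argocd_apps_ssh_private_key_secret_key`, which `vars/group_vars/kubernetes/vars.yml` sets to `{{ vault_kubernetes.argocd_repo_ssh_key }}`; if that vault value is the key material rather than a key name inside a Secret, the private key is written verbatim into a manifest and into any registered result, so create the Secret from the vault value in a task with `no_log: true` and keep only the Secret's name here. `argocd_apps_repo_name` is not defined in the role defaults or group vars anywhere in this diff.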
diff --git a/roles/reverse_proxy/tasks/20_xcaddy_install.yml b/roles/reverse_proxy/tasks/20_xcaddy_install.yml index 2569f42..645f6d3 100644 --- a/roles/reverse_proxy/tasks/20_xcaddy_install.yml +++ b/roles/reverse_proxy/tasks/20_xcaddy_install.yml @@ -25,7 +25,7 @@ become: true - name: Build Custom Caddy with netcup - ansible.builtin.command: xcaddy build --with github.com/caddy-dns/netcup {{ reverse_proxy_caddy_version}} + ansible.builtin.command: xcaddy build --with github.com/caddy-dns/netcup environment: PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin" register: xcaddy_build diff --git a/roles/reverse_proxy/templates/Caddyfile.j2 b/roles/reverse_proxy/templates/Caddyfile.j2 index 72933a0..634a13b 100644 --- a/roles/reverse_proxy/templates/Caddyfile.j2 +++ b/roles/reverse_proxy/templates/Caddyfile.j2 @@ -1,6 +1,14 @@ { - email {{ caddy.admin_email | default('admin@example.com') }} - acme_ca {{ caddy.acme_ca | default('https://acme-v02.api.letsencrypt.org/directory') }} + acme_dns netcup { + customer_number {{ netcup_customer_id }} + api_key {{ netcup_api_key }} + api_password {{ netcup_api_password }} + } + email {{ caddy.admin_email | default('admin@example.com') }} + acme_ca {{ caddy.acme_ca | default('https://acme-v02.api.letsencrypt.org/directory') }} +} + +*.{{ domain }} { } {% for service in services %} @@ -16,17 +24,6 @@ output file /var/log/caddy/{{ service.name }}.log format json } - - tls { - dns netcup { - customer_number {{ vault_netcup.customer_number }} - api_key {{ vault_netcup.api_key }} - api_password {{ vault_netcup.api_password }} - } - propagation_timeout 900s - propagation_delay 600s - resolvers 1.1.1.1 - } } {% endif %} diff --git a/roles/reverse_proxy/vars/main.yml b/roles/reverse_proxy/vars/main.yml index fcd1014..50782a3 100644 --- a/roles/reverse_proxy/vars/main.yml +++ b/roles/reverse_proxy/vars/main.yml 
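Review bot: Dropping the version argument makes `xcaddy build` compile the latest Caddy release at run time, so the resulting binary is neither pinned nor reproducible, and `reverse_proxy_caddy_version` (changed to `v1.0.0` in `roles/reverse_proxy/vars/main.yml` in this same commit) becomes dead. xcaddy takes the Caddy version as the first positional argument, before `--with`, which is presumably why the old trailing placement did not work; the pinned form is `ansible.builtin.command: xcaddy build {{ reverse_proxy_caddy_version }} --with github.com/caddy-dns/netcup@<pinned module version>`, with the variable holding a current `v2.x` tag — `v1.0.0` predates Caddy 2 and its DNS provider modules.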
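Review bot: The netcup credentials are now read from `netcup_customer_id`, `netcup_api_key` and `netcup_api_password` instead of `vault_netcup.*`; nothing in this diff defines the new names and they no longer signal a vault origin, so confirm they resolve to vault-encrypted values rather than to a plain vars file. Because the global options block now embeds those secrets, the task that renders this template (outside this hunk) should write the Caddyfile with a restrictive `mode` such as `"0640"` and `no_log: true`. The removed per-site `tls { dns netcup ... }` block also carried `propagation_timeout 900s`, `propagation_delay 600s` and `resolvers 1.1.1.1`, none of which reappear in the global `acme_dns netcup` block; if netcup's DNS propagation needed them, wildcard issuance will time out, so check the caddy-dns/netcup documentation for where those settings belong with a global `acme_dns`.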
@@ -1,4 +1,4 @@ -reverse_proxy_caddy_version: v2.9.1 +reverse_proxy_caddy_version: v1.0.0 reverse_proxy_custom_caddy_source_path: "{{ ansible_env.HOME }}/caddy" reverse_proxy_default_caddy_path: "/usr/bin/caddy" diff --git a/vars/docker.ini b/vars/docker.ini index 7638aec..139a196 100644 --- a/vars/docker.ini +++ b/vars/docker.ini @@ -1,10 +1,10 @@ [docker_host] -docker-host01 ansible_become_pass="{{ vault_docker.host01.sudo }}" +docker-host11 docker-host10 docker-host12 [docker_lb] -docker-lb ansible_become_pass="{{ vault_docker.lb.sudo }}" +docker-lb [docker] diff --git a/vars/group_vars/docker/docker.yml b/vars/group_vars/docker/docker.yml index 5552327..65032ab 100644 --- a/vars/group_vars/docker/docker.yml +++ b/vars/group_vars/docker/docker.yml @@ -78,7 +78,7 @@ services: - VERSION=docker - name: jellyfin vm: - - docker-host01 + - docker-host11 container_name: jellyfin image: jellyfin/jellyfin:10.10 volumes: @@ -108,7 +108,7 @@ services: environment: - name: hass vm: - - docker-host01 + - docker-host11 container_name: homeassistant image: "ghcr.io/home-assistant/home-assistant:stable" privileged: true @@ -284,7 +284,7 @@ services: external: "{{ services_external_http.pdf }}" - name: git vm: - - docker-host01 + - docker-host11 container_name: gitea image: gitea/gitea:1.23-rootless volumes: @@ -408,9 +408,9 @@ services: - QBT_WEBUI_PORT="8082" - name: cadvisor vm: - - docker-host12 - docker-host10 - - docker-host01 + - docker-host11 + - docker-host12 container_name: cadvisor image: gcr.io/cadvisor/cadvisor:v0.52.1 ports: @@ -432,7 +432,7 @@ services: external: /var/lib/docker - name: karakeep vm: - - docker-host01 + - docker-host11 container_name: karakeep image: ghcr.io/karakeep-app/karakeep:0.23.2 ports: 
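Review bot: Removing `ansible_become_pass="{{ vault_docker.host01.sudo }}"` from both inventory entries means privilege escalation on `docker-host10`, `docker-host11`, `docker-host12` and `docker-lb` now relies on passwordless sudo or on a become password defined elsewhere, and neither is visible in this diff. If the new images ship `NOPASSWD` sudo for `{{ user }}`, that is a deliberate weakening of the local privilege boundary and deserves a comment in the inventory; if not, the become password should move to a vault-backed `group_vars` entry rather than disappear.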
@@ -460,43 +460,43 @@ services: openai_key: "{{ vault_docker.karakeep.openai_key }}" - name: chrome version: 123 - - name: keycloak - vm: - - docker-host01 - container_name: keycloak - image: quay.io/keycloak/keycloak:26.2 - depends_on: - - keycloak-postgres - ports: - - name: "http" - internal: 8080 - external: "{{ services_external_http.keycloak }}" - volumes: - - name: "config" - internal: /opt/keycloak/data/import/homelab-realm.json - external: "{{ docker.directories.local }}/keycloak/homelab-realm.json" - - name: "config" - internal: /opt/keycloak/data/import/master-realm.json - external: "{{ docker.directories.local }}/keycloak/master-realm.json" - command: - - "start" - - "--import-realm" - environment: - - KC_DB=postgres - - KC_DB_URL=jdbc:postgresql://keycloak-postgres:5432/keycloak - - KC_DB_USERNAME={{ keycloak_config.database.username }} - - KC_DB_PASSWORD={{ keycloak_config.database.password }} - - KC_HOSTNAME=keycloak.{{ internal_domain }} - - KC_HTTP_ENABLED=true - - KC_HTTP_RELATIVE_PATH=/ - - KC_PROXY=edge - - KC_PROXY_HEADERS=xforwarded - - KC_HOSTNAME_URL=https://keycloak.{{ internal_domain }} - - KC_HOSTNAME_ADMIN_URL=https://keycloak.{{ internal_domain }} - - KC_BOOTSTRAP_ADMIN_USERNAME=serviceadmin-{{ keycloak_admin_hash }} - - KC_BOOTSTRAP_ADMIN_PASSWORD={{ vault_docker.keycloak.admin.password }} - sub_service: - - name: postgres - version: 17 - username: "{{ keycloak_config.database.username }}" - password: "{{ keycloak_config.database.password }}" +# - name: keycloak +# vm: +# - docker-host11 +# container_name: keycloak +# image: quay.io/keycloak/keycloak:26.2 +# depends_on: +# - keycloak-postgres +# ports: +# - name: "http" +# internal: 8080 +# external: "{{ services_external_http.keycloak }}" +# volumes: +# - name: "config" +# internal: /opt/keycloak/data/import/homelab-realm.json +# external: "{{ docker.directories.local }}/keycloak/homelab-realm.json" +# - name: "config" +# internal: /opt/keycloak/data/import/master-realm.json +# 
external: "{{ docker.directories.local }}/keycloak/master-realm.json" +# command: +# - "start" +# - "--import-realm" +# environment: +# - KC_DB=postgres +# - KC_DB_URL=jdbc:postgresql://keycloak-postgres:5432/keycloak +# - KC_DB_USERNAME={{ keycloak_config.database.username }} +# - KC_DB_PASSWORD={{ keycloak_config.database.password }} +# - KC_HOSTNAME=keycloak.{{ internal_domain }} +# - KC_HTTP_ENABLED=true +# - KC_HTTP_RELATIVE_PATH=/ +# - KC_PROXY=edge +# - KC_PROXY_HEADERS=xforwarded +# - KC_HOSTNAME_URL=https://keycloak.{{ internal_domain }} +# - KC_HOSTNAME_ADMIN_URL=https://keycloak.{{ internal_domain }} +# - KC_BOOTSTRAP_ADMIN_USERNAME=serviceadmin-{{ keycloak_admin_hash }} +# - KC_BOOTSTRAP_ADMIN_PASSWORD={{ vault_docker.keycloak.admin.password }} +# sub_service: +# - name: postgres +# version: 17 +# username: "{{ keycloak_config.database.username }}" +# password: "{{ keycloak_config.database.password }}" diff --git a/vars/group_vars/docker/secrets.yml b/vars/group_vars/docker/secrets.yml index 5e6bb90..ee21952 100644 --- a/vars/group_vars/docker/secrets.yml +++ b/vars/group_vars/docker/secrets.yml 
@@ -1,53 +1,46 @@ $ANSIBLE_VAULT;1.1;AES256 -30306666383965373266313366653831386438333732386238623261356631383664323462663135 -6163663162383431623931393831376163636262363766350a316463646662343161366531316531 -36323665366263616565633064646664383065346166343536313633613034353030303062383637 -3139393833316232610a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a623932383934366239663765646633 +32393336653165386135613432656363386438343862633735653938666364386365313563376464 +6435363766383361310a303739323866623532363765343730336339616464373435636431356463 +66613830636261653135396437663433636435363033666162313739666237393939313039376537 +32393033326365376235623437663436373532333231656334653161623865666361663166663431 +31353966323134646563393731376261663235366263643435303330383431643635656161396332 +31623266656330393666636539366364376634373230646264646563326334653261623964326631 +61323463376131663239313439656361363430313062623432363264626239336336316138643064 +64383065353965373431643665626332666330323961393764393237383635306666346336613435 +61346231336263346465383333336365336436336631343633303131356633626131333165613637 +39303764333036353365666366376161386561386339616131383333333833343131653464623335 +63363837633565646264393833313934366664326130393961666136373966386432663065376465 +62383632393033633935373635613739613463616133653734393139666138306366383362623733 +32323537623163636262303566353133646532653834653934326533313466396165373135316565 +63636330616638343537393332376638363563393833303333376465393130643933373261653832 +34663163663064646235393736366331313933396431626634323764343439633139316535666662 +61646663626530626431636436626164303838336464346366323938306266333864333638633832 +61663239656238656532303264613365653036626330653561393633666533613663643933646366 +38313736396236646263353432393936623266333566366538613863393264343235643539663566 +62396133613331393630373239643536653739643065343239613231333437616266333632646531 
+61633464356564353032663231363639363163376330376532326538386238623637626633336431 +35313165363638393536346335366664656462616363393239623064363932393033623436333565 +61636565323862633162326330383937393231326462356662356634643735306137356136363365 +39653632636138393866376135616164303265613738333137393331303032313237613162663237 +63343432643432396164343531626131336438306336626332303534303638353631383964383736 +37383437396464306537643433366364653065653538343866656334366336373263636135373637 +32633937623765623163363832396165646561396431333765323663616632633434663364663532 +65653430313436396539613530306564613334646133326564373261346237313862623761326636 +33383037323736636532393064363137353633386439373065373166363161373863363635333963 +62363939333961653837313838366362626638333966326135386333323637343830623034643331 +35323865663536663761653730666438376664636435656331393166653334313366343038623937 +61653262383161353866366433386365646431663738663131643161376634643039663231336565 +65343336306230316430663231643166663366643431396530646465653363643462303430653264 +62393164643664366439336435386435653932613733656662653737373238343734376165666634 +66653561383633376233396232656465386461656431323565333039363638663431656437393062 +61663662343763643635306331323566366234386634386430383837356661346236376536363834 +62393634333337313362326232636235326231663963356262643531316434376138646462303732 +33646135326232663862613239376165306537613330613637393136336261376137616631356664 +39613931346564323730373364346635326665326632306432636361356634646636643566326330 +62663037623232383964376261323232646330323939333263313139336532383965643163303632 +35323265653266353161636463363830646466343464313439356466616432633532343838613038 +38626137353130343831613939393563343837663439393061663735666533316439336333386266 +61643161653463636531373334363439303636373636323465336137663366653936663831323430 +6535 
diff --git a/vars/group_vars/k3s/secrets_token.yml b/vars/group_vars/k3s/secrets_token.yml index c5b413f..a082e6d 100644 --- a/vars/group_vars/k3s/secrets_token.yml +++ b/vars/group_vars/k3s/secrets_token.yml @@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -62386434633264613939616264613563656365363664343761333233393933323264646330323637 -6565323739323834626331373539323730376538323635620a356338616537393835613834633036 -65333533646465383964363664616338316565613131336339643432656564363034663662376137 -6366633766366234360a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a346334616636376137373866383431 +34633734306565333463343230333561633435306564353833613632653531376435363465323237 +3462343537373362320a386434633737373535313866393334353239373661393837646637336638 +30373364666661373864613136623632333961633134633163333464656131333464323039653432 +64383866663935396231356265396334663532376439663335363563326637313730323437363836 +65383930646266636261383037613266613238623964633063666266386134313165396336373934 +30376433663332316537373466643130656536356439323261643839636537383539646434646665 +64376530383832343263303333383435663133363562626638373331663037306462656233316431 +6334663737316633613438623762333038663230626133393239 diff --git a/vars/group_vars/k3s/vars.yml b/vars/group_vars/k3s/vars.yml index b9a37d5..0550c0d 100644 --- a/vars/group_vars/k3s/vars.yml +++ b/vars/group_vars/k3s/vars.yml @@ -3,6 +3,7 @@ k3s: default_port: 6443 k3s_primary_server_ip: "{{ groups['k3s_server'] | map('extract', hostvars, 'ansible_default_ipv4') | map(attribute='address') | unique | list | first }}" +k3s_server_ips: "{{ groups['k3s_server'] | map('extract', hostvars, 'ansible_default_ipv4') | map(attribute='address') | unique | list }}" k3s_server_name: "k3s.{{ internal_domain }}" k3s_cluster_name: homelab diff --git a/vars/group_vars/kubernetes/secrets.yml b/vars/group_vars/kubernetes/secrets.yml new file mode 100644 index 0000000..72edc57 --- /dev/null 
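Review bot: `k3s_server_ips` duplicates the whole `groups['k3s_server'] | map('extract', hostvars, 'ansible_default_ipv4') | map(attribute='address') | unique | list` pipeline that `k3s_primary_server_ip` already evaluates; deriving the primary from the list, `k3s_primary_server_ip: "{{ k3s_server_ips | first }}"`, keeps the two from drifting. Both expressions need `ansible_default_ipv4` facts for every `k3s_server` host, so the load-balancer play that renders `nginx.conf.j2` from `k3s_server_ips` must gather facts for the servers or rely on a fact cache — presumably `hosts: k3s` with `gather_facts: true` covers that, but a comment on the variable saying so would help. `first` of an inventory-ordered list also makes the primary whichever server is listed first in `vars/k3s.ini`; that is acceptable, but worth stating in a comment since the primary and secondary install paths differ.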
+++ b/vars/group_vars/kubernetes/secrets.yml @@ -0,0 +1,30 @@ +$ANSIBLE_VAULT;1.1;AES256 +36633030306535356337326461613132636632356364633463643133333534626261653034373737 +6335626664363163316164396432613935353633333635370a323537346261643962336636386163 +64306635366538663736316361663564366636366261336130346563623138323739373230346134 +3931373064323063630a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diff --git a/vars/group_vars/kubernetes/services.yml b/vars/group_vars/kubernetes/services.yml index e422576..03eeb3e 100644 --- a/vars/group_vars/kubernetes/services.yml +++ b/vars/group_vars/kubernetes/services.yml @@ -3,3 +3,6 @@ services: ip: 192.168.20.240 - name: traefik ip: 192.168.20.240 + +argo_apps: + - name: diff --git a/vars/group_vars/kubernetes/vars.yml b/vars/group_vars/kubernetes/vars.yml index aa06c3c..e57708b 100644 --- a/vars/group_vars/kubernetes/vars.yml +++ b/vars/group_vars/kubernetes/vars.yml @@ -12,7 +12,9 @@ argocd_hostname: "argocd.k3s.{{ domain }}" metallb_ip_range: "192.168.20.240-192.168.20.250" -traefik_password: "{{ vault_kubernetes.traefik_password }}" - kubernetes_nfs_server_host: "{{ nfs_server }}" kubernetes_nfs_server_path: /media/kubernetes + +argocd_apps_repo_url: ssh://git.seyshiro.de:2222/tudattr/ansible.git +argocd_apps_ssh_private_key_secret_name: argocd +argocd_apps_ssh_private_key_secret_key: "{{ vault_kubernetes.argocd_repo_ssh_key }}" diff --git a/vars/group_vars/proxmox/secrets_vm.yml b/vars/group_vars/proxmox/secrets_vm.yml index 38b692a..160edb4 100644 --- a/vars/group_vars/proxmox/secrets_vm.yml +++ b/vars/group_vars/proxmox/secrets_vm.yml 
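Review bot: `argo_apps: - name:` adds an application entry whose `name` is null; the role's `argo-app.yaml.j2` renders `metadata.name` and `path: argocd/{{ app.name }}` from it, so the first run of the (currently commented-out) role would submit an invalid Application. Ship the list empty with `argo_apps: []` until a real app exists, or give the entry its name.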
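Review bot: `traefik_password: "{{ vault_kubernetes.traefik_password }}"` is removed with no replacement visible in this diff, so any template or task that still reads `traefik_password` will fail on an undefined variable; confirm the traefik role no longer uses it, or keep the line. The removal is unrelated to the Argo CD variables added in the same hunk and would be easier to review as its own commit.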
@@ -1,34 +1,37 @@ $ANSIBLE_VAULT;1.1;AES256 -64336139336538333337376465316164383766643666336666643166333134636338323562303364 -6235613337366634613532373933396230666137373562650a643633306165643331643464633762 -35336433626161393735353133343739353738653061613733393135313061643663616665316463 -6238376435633435650a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a663665353138383637653037653762 +32653366396562386366323634363938613232323335663339643938626139386430303131383739 +6134356662316433630a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diff --git a/vars/group_vars/proxmox/vms.yml b/vars/group_vars/proxmox/vms.yml index c6c29ab..594d37f 100644 --- a/vars/group_vars/proxmox/vms.yml +++ b/vars/group_vars/proxmox/vms.yml @@ -11,18 +11,20 @@ vms: sshkeys: "{{ pubkey }}" disk_size: 128 # in Gb hostpci: - hostpci0: "0000:00:02.0" + hostpci0: "mapping=quicksync-lulu" - name: "docker-host11" - node: "lulu" + node: "inko01" vmid: 411 cores: 2 memory: 4096 # in MiB net: net0: "virtio,bridge=vmbr0,firewall=1" - boot_image: "{{ proxmox_cloud_init_images.ubuntu.name }}" + boot_image: "{{ proxmox_cloud_init_images.debian.name }}" ciuser: "{{ user }}" sshkeys: "{{ pubkey }}" disk_size: 128 # in Gb + hostpci: + hostpci0: "mapping=quicksync-inko01" - name: "docker-host12" node: "naruto01" vmid: 412 @@ -68,7 +70,7 @@ vms: sshkeys: "{{ pubkey }}" disk_size: 64 # in Gb - name: "k3s-agent12" - node: "inko" + node: "naruto01" vmid: 212 cores: 2 memory: 4096 # in MiB 
@@ -89,3 +91,36 @@ vms: ciuser: "{{ user }}" sshkeys: "{{ pubkey }}" disk_size: 32 # in Gb + - name: "k3s-server11" + node: "inko01" + vmid: 111 + cores: 2 + memory: 4096 # in MiB + net: + net0: "virtio,bridge=vmbr0,firewall=1" + boot_image: "{{ proxmox_cloud_init_images.debian.name }}" + ciuser: "{{ user }}" + sshkeys: "{{ pubkey }}" + disk_size: 64 # in Gb + - name: "docker-lb" + node: "naruto01" + vmid: 350 + cores: 1 + memory: 2048 # in MiB + net: + net0: "virtio,bridge=vmbr0,firewall=1" + boot_image: "{{ proxmox_cloud_init_images.debian.name }}" + ciuser: "{{ user }}" + sshkeys: "{{ pubkey }}" + disk_size: 32 # in Gb + - name: "k3s-server12" + node: "naruto01" + vmid: 112 + cores: 2 + memory: 4096 # in MiB + net: + net0: "virtio,bridge=vmbr0,firewall=1" + boot_image: "{{ proxmox_cloud_init_images.debian.name }}" + ciuser: "{{ user }}" + sshkeys: "{{ pubkey }}" + disk_size: 64 # in Gb diff --git a/vars/k3s.ini b/vars/k3s.ini index d918471..f7c8dea 100644 --- a/vars/k3s.ini +++ b/vars/k3s.ini @@ -8,9 +8,13 @@ k3s_loadbalancer [k3s_server] k3s-server10 +k3s-server11 +k3s-server12 [k3s_agent] -k3s-agent[10:12] +k3s-agent10 +k3s-agent11 +k3s-agent12 [k3s_loadbalancer] k3s-loadbalancer diff --git a/vars/proxmox.ini b/vars/proxmox.ini index cb7553b..f9c0a25 100644 --- a/vars/proxmox.ini +++ b/vars/proxmox.ini @@ -7,5 +7,5 @@ proxmox_nodes [proxmox_nodes] aya01 lulu -inko +inko01 naruto01
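Review bot: The new `docker-lb` entry (vmid 350) is interleaved between `k3s-server11` (vmid 111) and `k3s-server12` (vmid 112), while the rest of the list is grouped by role; moving it next to the other `docker-*` entries keeps the file scannable. Its vmid also falls outside the `41x` range the other docker hosts use (411, 412), which may be intentional but is worth a comment if so.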