diff --git a/kubernetes/app/podsync/configmap.sops.yaml b/kubernetes/app/podsync/configmap.sops.yaml
new file mode 100644
index 0000000..9b79cf9
--- /dev/null
+++ b/kubernetes/app/podsync/configmap.sops.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: podsync-config
+ namespace: podsync
+data:
+ config.toml: ENC[AES256_GCM,data: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,iv:SWzY/BbV0vStgEuMg6zKRwHzA1XgJd9Wbb3OZrWx7wA=,tag:54E7l/Vb9R2RBzGZLueRVA==,type:str]
+sops:
+ age:
+ - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTBUbnNBcGFhYjNiNGRG
+ T3JqdFY0dTIzWDA3OGNVUkoreVhONXVDeFVVCkR0amlYMThyejlPaWlPSkdGL0xy
+ YUN3VEhGajJoQjNiRVV5ckw0cE1JaTAKLS0tIDFSWnpWWVFxQ0VVY2U4bUFtTWVk
+ bkg3K01kWFl4ZWZuK21KRTIxUEhDUEEKPGWzrJlyZGNOsvrVhWKw56y8iAwrqDQK
+ OWJYIq0gt9NWfNBao8UpiuKJXU4SX01hW4fa1OEfGSDJAjNNxGpFVA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-28T20:36:14Z"
+ mac: ENC[AES256_GCM,data:nLST3PCcdNQ0zOsqUMHZVP9Zp2WmqVFzGcJkZRPgfI0Acb7xP+KZHeMEGscEgwvBKDa72pH4zSoQ60bFJcoVv9dH/MkCyz1BHIDfkO4DNo6nvHgZ83Gqwl5MU/LPYBQY267504QEDCr6VZFzXY8SRVIvD1e0y8qxpbgS4MPW2Tg=,iv:NiLrvTKQZJdHHFXqvfZ0qQ8Lx1E6GLiAdtAneYWc4m0=,tag:3zheqtMglkwg5w66mljW3Q==,type:str]
+ encrypted_regex: ^(data|stringData|email)$
+ version: 3.12.1
diff --git a/kubernetes/app/podsync/deployment.yaml b/kubernetes/app/podsync/deployment.yaml
new file mode 100644
index 0000000..f5bf8f9
--- /dev/null
+++ b/kubernetes/app/podsync/deployment.yaml
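Review bot: `kind: ConfigMap` in configmap.sops.yaml means the decrypted `config.toml` is stored as plaintext in a ConfigMap once the cluster-side decryption has run; SOPS protects it only in git. The value is encrypted on this page, so its content is not visible, but if it carries API keys or tokens it should be a `kind: Secret` with `stringData:` (a key `encrypted_regex` already matches), mounted in deployment.yaml through `secret:` / `secretName: podsync-config` instead of `configMap:`. That places it under Secret RBAC and whatever at-rest encryption the cluster applies to Secrets, neither of which covers ConfigMaps.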
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: podsync
+ namespace: podsync
+spec:
+ replicas: 0
+ selector:
+ matchLabels:
+ app: podsync
+ template:
+ metadata:
+ labels:
+ app: podsync
+ spec:
+ containers:
+ - name: podsync
+ image: ghcr.io/mxpv/podsync
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: data
+ mountPath: /app/data
+ - name: database
+ mountPath: /app/db
+ - name: config
+ mountPath: /app/config.toml
+ subPath: config.toml
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: podsync-data
+ - name: database
+ persistentVolumeClaim:
+ claimName: podsync-database
+ - name: config
+ configMap:
+ name: podsync-config
diff --git a/kubernetes/app/podsync/ingress.yaml b/kubernetes/app/podsync/ingress.yaml
new file mode 100644
index 0000000..f65f393
--- /dev/null
+++ b/kubernetes/app/podsync/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: podsync
+ namespace: podsync
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-authelia-authelia-auth@kubernetescrd
+spec:
+ tls:
+ - hosts:
+ - ${PODSYNC_HOST}
+ secretName: podsync-tls
+ rules:
+ - host: ${PODSYNC_HOST}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: podsync
+ port:
+ number: 8080
diff --git a/kubernetes/app/podsync/namespace.yaml b/kubernetes/app/podsync/namespace.yaml
new file mode 100644
index 0000000..001e703
--- /dev/null
+++ b/kubernetes/app/podsync/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: podsync
diff --git a/kubernetes/app/podsync/networkpolicy.yaml b/kubernetes/app/podsync/networkpolicy.yaml
new file mode 100644
index 0000000..e5e6022
--- /dev/null
+++ b/kubernetes/app/podsync/networkpolicy.yaml
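Review bot: `image: ghcr.io/mxpv/podsync` in deployment.yaml carries no tag or digest, so it resolves to `latest` and whatever is published under that tag runs with write access to both mounted volumes; the container also has no `securityContext`. Pin the image to a reviewed tag and digest and add the baseline hardening shown below. Whether the image tolerates `runAsNonRoot: true` and `readOnlyRootFilesystem: true` cannot be told from the manifest, so those are left to confirm against the image. Resource requests and limits are also absent.

```yaml
    spec:
      # nothing in this manifest shows the pod calling the Kubernetes API
      automountServiceAccountToken: false
      containers:
        - name: podsync
          # placeholder: replace with the reviewed release tag and its digest
          image: ghcr.io/mxpv/podsync:<TAG>@sha256:<DIGEST>
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, volumeMounts …
      # … unchanged: volumes …
```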
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+ namespace: podsync
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-traefik-ingress
+ namespace: podsync
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik
diff --git a/kubernetes/app/podsync/pv.yaml b/kubernetes/app/podsync/pv.yaml
new file mode 100644
index 0000000..345ba3e
--- /dev/null
+++ b/kubernetes/app/podsync/pv.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: podsync-data-nfs
+spec:
+ capacity:
+ storage: 100Gi
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ persistentVolumeReclaimPolicy: Retain
+ mountOptions:
+ - hard
+ - nointr
+ nfs:
+ server: synology.storage.lviv
+ path: ${PODSYNC_NFS_PATH}
diff --git a/kubernetes/app/podsync/pvc.yaml b/kubernetes/app/podsync/pvc.yaml
new file mode 100644
index 0000000..deb999c
--- /dev/null
+++ b/kubernetes/app/podsync/pvc.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: podsync-data
+ namespace: podsync
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ volumeName: podsync-data-nfs
+ resources:
+ requests:
+ storage: 100Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: podsync-database
+ namespace: podsync
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: nfs-synology-ssd
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/kubernetes/app/podsync/service.yaml b/kubernetes/app/podsync/service.yaml
new file mode 100644
index 0000000..ffa0764
--- /dev/null
+++ b/kubernetes/app/podsync/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: podsync
+ namespace: podsync
+spec:
+ selector:
+ app: podsync
+ ports:
+ - port: 8080
+ targetPort: 8080
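Review bot: The `allow-traefik-ingress` rule in networkpolicy.yaml admits every port from the traefik namespace, and both policies list only `Ingress` under `policyTypes`, so egress from the pod is unrestricted. Narrow the rule to the service port by adding `ports:` with `- protocol: TCP` / `port: 8080` alongside `from:`. The workload presumably has to fetch external media, so a separate egress policy that allows DNS and outbound HTTPS while excluding in-cluster ranges would limit what a compromised pod can reach; the ranges are cluster-specific and not on this page.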
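Review bot: `mountOptions` in pv.yaml lists only `hard` and `nointr`, so files on the share keep setuid and device-node semantics when mounted on the node; add `- nosuid` and `- nodev` (and `- noexec` if nothing is executed from `/app/data`). The PV also has no `claimRef`, so binding relies solely on `volumeName` in pvc.yaml. Pre-binding it with a `claimRef` naming `podsync-data` in namespace `podsync` prevents a claim from another namespace from taking the volume first.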
diff --git a/kubernetes/config/cluster-vars.sops.yaml b/kubernetes/config/cluster-vars.sops.yaml
index ee4e64c..5e1bfaa 100644
--- a/kubernetes/config/cluster-vars.sops.yaml
+++ b/kubernetes/config/cluster-vars.sops.yaml
@@ -17,6 +17,8 @@ stringData:
 ARCHMIRROR_HOST: ENC[AES256_GCM,data:lCi7iVRn7yITYLi63kWdZXw7mCGXoe4=,iv:vuk/YuwfiBZhLS2+k1+WkNq96XrWA6BWtGjjWkKqTXc=,tag:Z0HJzMAmFSJvPkVPpIdFzg==,type:str]
 ARCHMIRROR_NFS_PATH: ENC[AES256_GCM,data:RHNbu/Jobo8Q5DzKjF4RojvrYQ==,iv:khpEqK0KzdZeZm8qKZ3MJQDk2P799FBCNPOJGx4Tdhk=,tag:CKHeuRZttLRwN6noSaehDQ==,type:str]
 ARCHMIRROR_MIRROR_URL: ENC[AES256_GCM,data:cIORJWshvr4fL/OqyvplXllcrMdh3UMrt11cBqwgS12O3wGBgyULJNDcP7c2,iv:8Efs43us8xlUvkafWf15K5wqBoJnYLmC50j094taoFs=,tag:6hV2emMunQ1jOteRCANRsA==,type:str]
+ PODSYNC_HOST: ENC[AES256_GCM,data:MK+WWo8R2uS45U8suBDusOp922YqngM=,iv:7QfuVU6ICEmpNwtgpnXa2phwP0+0pcmv8w3CJSLwvrA=,tag:z6qizhm8fzzDZq/726kKsQ==,type:str]
+ PODSYNC_NFS_PATH: ENC[AES256_GCM,data:O1ZHSOsmwe57nY0T42pHOHcc/aB9,iv:FS4Yb9F4mzrvKni0hg6HD22R83v3YoGlDAeEPBc4RzE=,tag:f+Wi8BOPIVod/8upGZmw5A==,type:str]
 sops:
 age:
 - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
@@ -28,7 +30,7 @@ sops:
 LzhUN3Z4cExIL1IyS3ZCNWh5aWpLbDgKQ7c3MmLykA00NaLoctKVDfJvPqTqh3Ia
 cDZJUc6jYJXOJYM6YYyZOYcCL2z8V2RpIfA9sPg8PB2eiipZxjk+Cg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-27T20:24:05Z"
- mac: ENC[AES256_GCM,data:fYYaSZF2TGw4IQZCssW11j5Aj0STRaGOPN8C6nFUGRm2XhLof8n5i4Lnev7sVauOlG3PByWZJgye04vP2wQjX27MKeNXoaSUEIbMj2X242WH95GQXyHbaaN2D9bUXihLD8jaqJnIuKq9Kskkd4Rpf41mdlr7P8sOudY9tSHrVIM=,iv:72KkRWBoVJqSsBgniwgSuu6Nx5BSF0QcyHIgndRiuvA=,tag:zCiapUCAHcpShy5jBaaJ/Q==,type:str]
+ lastmodified: "2026-02-28T20:47:12Z"
+ mac: ENC[AES256_GCM,data:c8pE3AixjxpDSGwnTYrhHRDDXFAAhHs4zaveies6/4feWUY1o+26Z0aWQssWQaQCR9V5mo831B400jMg4tudbJflRHE6VV0ah5eFh5+N7M5vnbxrWHCwGW3Y5bAUXAuaMFDgOO5fCi+iryCC8WZe6FxqZTMawWAcjMq93X55jbY=,iv:RWU3PTXd1XOdmGbr87LSqUud1Aak8VzXzjLLorh2UHc=,tag:rNWOmU/W0NfIupMV9mMfig==,type:str]
 encrypted_regex: ^(data|stringData|email)$
 version: 3.12.1