diff --git a/kubernetes/talos-flux/apps/gaming-public/minecraft-java/velocity-proxy/helm-release.yaml b/kubernetes/talos-flux/apps/gaming-public/minecraft-java/velocity-proxy/helm-release.yaml
index 2c4415dd8..bc8ba7c1b 100644
--- a/kubernetes/talos-flux/apps/gaming-public/minecraft-java/velocity-proxy/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/gaming-public/minecraft-java/velocity-proxy/helm-release.yaml
@@ -31,6 +31,8 @@ spec:
 annotations:
 reloader.stakater.com/auto: "true"
 pod:
+ labels:
+ ingress.home.arpa/playit: allow
 securityContext:
 fsGroup: 1000
 runAsGroup: 1000
diff --git a/kubernetes/talos-flux/apps/networking/kustomization.yaml b/kubernetes/talos-flux/apps/networking/kustomization.yaml
index a9d2f9dc7..7663288d0 100644
--- a/kubernetes/talos-flux/apps/networking/kustomization.yaml
+++ b/kubernetes/talos-flux/apps/networking/kustomization.yaml
@@ -8,5 +8,6 @@ resources:
 - ./adguard-home/flux-sync.yaml
 - ./cloudflared/flux-sync.yaml
 - ./external-dns/flux-sync.yaml
+ - ./playit/flux-sync.yaml
 - ./redirect-service/flux-sync.yaml
 - ./unifi/flux-sync.yaml
diff --git a/kubernetes/talos-flux/apps/networking/playit/app/external-secret.yaml b/kubernetes/talos-flux/apps/networking/playit/app/external-secret.yaml
new file mode 100644
index 000000000..9f8edb83a
--- /dev/null
+++ b/kubernetes/talos-flux/apps/networking/playit/app/external-secret.yaml
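Review bot: The new pod label opts this deployment into ingress from the playit agent via the clusterwide policy `playit-to-app` defined in networking/playit, and nothing near the label records that; a comment `# opt in to ingress from the playit agent (networking/playit CiliumClusterwideNetworkPolicy playit-to-app)` above `ingress.home.arpa/playit: allow` would make clear why the label exists and what removing it would cut. The enclosing `pod:` block continues outside the hunk.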
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name playit
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: *name
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ playit.toml: |
+ api_url = "https://api.playit.cloud/agent"
+ ping_target_addresses = []
+ control_address = "control.playit.gg"
+ refresh_from_api = true
+ api_refresh_rate = 5000
+ ping_interval = 5000
+ secret_key = "{{ .PLAYIT_SECRET_KEY }}"
+ mappings = []
+ dataFrom:
+ - extract:
+ key: infra/techtales/network/playit
diff --git a/kubernetes/talos-flux/apps/networking/playit/app/helm-release.yaml b/kubernetes/talos-flux/apps/networking/playit/app/helm-release.yaml
new file mode 100644
index 000000000..d457aa1a3
--- /dev/null
+++ b/kubernetes/talos-flux/apps/networking/playit/app/helm-release.yaml
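Review bot: The `playit.toml` key of the rendered Secret is consumed by name elsewhere (the helm-release in this commit mounts it with `subPath: playit.toml`), and nothing here records that coupling; a comment such as `# key must match persistence.playit-toml.globalMounts[].subPath in helm-release.yaml` above `playit.toml: |` would stop a rename on one side from silently breaking the other. The Vault field the template depends on is likewise only implied by `{{ .PLAYIT_SECRET_KEY }}`, so `# expects PLAYIT_SECRET_KEY at the extracted Vault path` on `dataFrom:` documents what the secret store must provide.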
@@ -0,0 +1,80 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app playit
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.6.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ interval: 15m
+ install:
+ createNamespace: false
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile:
+ type: RuntimeDefault
+
+ controllers:
+ plait:
+ replicas: 1
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ nameOverride: *app
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: [ALL]
+ env:
+ TZ: ${SETTING_TZ}
+ image:
+ repository: ghcr.io/playit-cloud/playit-agent
+ tag: 0.15.26@sha256:3d08eb4a627a6d167f3cce497d8e2ec8f9e7d2df4e96f0599ca41e4b957c852c
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 10m
+ memory: 150Mi
+ probes:
+ liveness:
+ enabled: false
+ readiness:
+ enabled: false
+ startup:
+ enabled: false
+
+ persistence:
+ playit-toml:
+ type: secret
+ name: playit
+ globalMounts:
+ - path: /config/playit.toml
+ subPath: playit.toml
+ readOnly: false
diff --git a/kubernetes/talos-flux/apps/networking/playit/app/kustomization.yaml b/kubernetes/talos-flux/apps/networking/playit/app/kustomization.yaml
new file mode 100644
index 000000000..3e2e6109b
--- /dev/null
+++ b/kubernetes/talos-flux/apps/networking/playit/app/kustomization.yaml
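Review bot: The controller key `plait:` under `controllers:` looks like a misspelling of `playit`; app-template carries the controller name into generated resource names and labels, so renaming it later is a disruptive change and it is cheaper to fix now (`playit:`). On the `playit-toml` mount, `readOnly: false` does not make the file writable — as far as I know the kubelet mounts secret-backed volumes read-only regardless, and this container also runs with `readOnlyRootFilesystem: true` — so either set `readOnly: true` to state the real intent or, if the agent must persist changes to playit.toml, give it a writable emptyDir and a comment saying why. Since the Secret is mounted via `subPath`, a rotated Secret is not reflected in the running container; the `reloader.stakater.com/auto` annotation is what handles that, and a one-line comment on the mount pointing at it would save the next reader the investigation. All three probes are disabled, which means a hung agent is never restarted; a comment stating why no probe is usable belongs on `probes:`.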
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-automation
+resources:
+ - external-secret.yaml
+ - networkpolicy.yaml
+ - helm-release.yaml
diff --git a/kubernetes/talos-flux/apps/networking/playit/app/networkpolicy.yaml b/kubernetes/talos-flux/apps/networking/playit/app/networkpolicy.yaml
new file mode 100644
index 000000000..fcded2269
--- /dev/null
+++ b/kubernetes/talos-flux/apps/networking/playit/app/networkpolicy.yaml
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: playit
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: playit
+
+ egress:
+ - toEntities:
+ - world # TODO: get concrete info on what ports are required
+ - toEndpoints:
+ - matchLabels:
+ ingress.home.arpa/playit: allow
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists # any namespace
+
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: playit-to-app
+spec:
+ endpointSelector:
+ matchLabels:
+ ingress.home.arpa/playit: allow
+
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: playit
diff --git a/kubernetes/talos-flux/apps/networking/playit/flux-sync.yaml b/kubernetes/talos-flux/apps/networking/playit/flux-sync.yaml
new file mode 100644
index 000000000..dc35ebda9
--- /dev/null
+++ b/kubernetes/talos-flux/apps/networking/playit/flux-sync.yaml
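Review bot: `namespace: home-automation` does not match the `targetNamespace: networking` set for this app in its Flux Kustomization in the same commit; Flux's targetNamespace overrides it, so the resources do land in `networking`, but the value reads as a copy-paste leftover and would misplace everything for anyone applying this kustomization directly. Change it to `namespace: networking`, or drop the key and rely solely on the Flux target so there is one source of truth.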
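Review bot: The `playit` egress policy has no rule towards cluster DNS, yet the agent has to resolve `control.playit.gg` and `api.playit.cloud` from its templated config; the `world` entity does not cover in-cluster DNS, so unless a cluster-wide policy already allows it, name resolution will be dropped and the agent never connects. I would add an explicit kube-dns egress rule (below; the selector labels depend on how DNS is deployed in this cluster and should be checked). Separately, `playit-to-app` is clusterwide and its `fromEndpoints` selector matches `app.kubernetes.io/name: playit` in any namespace, so any pod anywhere carrying that label gains ingress to every opted-in pod; adding `io.kubernetes.pod.namespace: networking` next to the name label pins the source to the agent's own namespace. The unrestricted `world` egress is already marked by the TODO in the hunk, so I am not repeating it.
```yaml
  egress:
    # … unchanged: world and ingress.home.arpa/playit endpoint rules …
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns  # confirm against this cluster's DNS labels
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
```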
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &appname playit
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ targetNamespace: networking
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *appname
+ interval: 30m
+ path: ./kubernetes/talos-flux/apps/networking/playit/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ wait: true
+ timeout: 5m
+ dependsOn:
+ - name: apps-external-secrets-stores