diff --git a/.sops.yaml b/.sops.yaml
index f366f9eb..c47abafe 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
 - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
 - &mediabox_osh age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
 - &kuwubernetes_osh age1q2yjpxlqkfhsfxumtmax6zsyt669vlr9ffjks3dpkjf3cqdakcwqt2nt66
+- &kuwubernetes_cluster age1nmdv4q8hcyj3s6qevrmc9w2vhd4a8tsj5j5e0cry5utex7vqeprslyjvxz
 creation_rules:
 - path_regex: 'nixos/secrets/.+\.yaml$'
 shamir_threshold: 1
@@ -57,3 +58,9 @@ creation_rules:
 shamir_threshold: 1
 key_groups:
 - pgp: *pgp_common
+- path_regex: 'k8s/[^/]+/secret.yaml'
+ shamir_threshold: 1
+ key_groups:
+ - pgp: *pgp_common
+ age:
+ *kuwubernetes_cluster
diff --git a/k8s/bootstrap.sh b/k8s/bootstrap.sh
deleted file mode 100755
index f7216c99..00000000
--- a/k8s/bootstrap.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env -S nix shell nixpkgs#kubernetes-helm --command bash
-echo "Installing flannel (CNI/Network Fabric)"
-kubectl create ns kube-flannel
-kubectl label --overwrite ns kube-flannel pod-security.kubernetes.io/enforce=privileged
-helm repo add flannel https://flannel-io.github.io/flannel/
-helm install flannel --set podCidr="10.42.0.0/16" --namespace kube-flannel flannel/flannel
-echo "Installing CoreDNS (Cluster DNS)"
-helm repo add coredns https://coredns.github.io/helm
-helm --namespace=kube-system install coredns coredns/coredns --set service.clusterIP=10.43.0.2
-echo "Installing ArgoCD (GitOps)"
-helm repo add argo https://argoproj.github.io/argo-helm
-helm install argocd argo/argo-cd --namespace argocd --create-namespace
diff --git a/k8s/bootstrap/.gitignore b/k8s/bootstrap/.gitignore
new file mode 100644
index 00000000..62c169be
--- /dev/null
+++ b/k8s/bootstrap/.gitignore
@@ -0,0 +1,2 @@
+keys.txt
+sops-age-key-file.yaml
\ No newline at end of file
diff --git a/k8s/bootstrap/bootstrap.sh b/k8s/bootstrap/bootstrap.sh
new file mode 100755
index 00000000..a6fe9db0
--- /dev/null
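Review bot: The new rule's `path_regex: 'k8s/[^/]+/secret.yaml'` only matches a secret.yaml exactly one directory below k8s/, so a secret placed beside an application manifest in a nested layout such as k8s/system/sops-secrets-operator/ would not be covered and would fall through to whatever rule follows, possibly encrypted without the cluster key the operator holds; the unescaped `.` and the missing anchors also depart from the `'nixos/secrets/.+\.yaml$'` style used above, so `path_regex: '^k8s/.+/secret\.yaml$'` is the safer spelling. The indentation of the `age:` entry cannot be recovered from the collapsed hunk; inside a `key_groups` entry sops expects `age` to be a list of recipients, and `&kuwubernetes_cluster` is anchored to a scalar, so writing it as a list item, `age:` followed by `- *kuwubernetes_cluster`, avoids depending on how the config loader treats a bare scalar there. Encrypting a test file after the change and checking that its sops metadata lists the cluster recipient would confirm both points.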
+++ b/k8s/bootstrap/bootstrap.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env -S nix shell nixpkgs#kubernetes-helm nixpkgs#rage --command bash
+echo "Installing flannel (CNI/Network Fabric)"
+kubectl create ns kube-flannel
+kubectl label --overwrite ns kube-flannel pod-security.kubernetes.io/enforce=privileged
+helm repo add flannel https://flannel-io.github.io/flannel/
+helm install flannel --set podCidr="10.42.0.0/16" --namespace kube-flannel flannel/flannel
+echo "Installing CoreDNS (Cluster DNS)"
+helm repo add coredns https://coredns.github.io/helm
+helm --namespace=kube-system install coredns coredns/coredns --set service.clusterIP=10.43.0.2
+echo "Installing ArgoCD (GitOps)"
+helm repo add argo https://argoproj.github.io/argo-helm
+helm install argocd argo/argo-cd --namespace argocd --create-namespace
+echo "Generating an age keyfile for sops-secrets-operator, the next line will be the public key, please add it to .sops.yaml"
+rage-keygen -o keys.txt 2>&1 | awk '{ print $3 }'
+kubectl create ns sops
+kubectl create secret generic sops-age-key-file --from-file=keys.txt -o yaml --dry-run=client -n sops > sops-age-key-file.yaml
+kubectl apply -f sops-age-key-file.yaml -n sops
+echo "Installing sops-secrets-operator"
+helm repo add sops-secrets-operator https://inloco.github.io/sops-secrets-operator
+helm install sops-secrets-operator sops-secrets-operator/sops-secrets-operator --namespace sops --values sops-values.yaml
\ No newline at end of file
diff --git a/k8s/bootstrap/sops-values.yaml b/k8s/bootstrap/sops-values.yaml
new file mode 100644
index 00000000..dc5480b6
--- /dev/null
+++ b/k8s/bootstrap/sops-values.yaml
@@ -0,0 +1,6 @@
+secretsAsFiles:
+ - mountPath: /etc/sops-age-key-file
+ secretName: sops-age-key-file
+extraEnv:
+ - name: SOPS_AGE_KEY_FILE
+ value: /etc/sops-age-key-file/sops.key
\ No newline at end of file
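Review bot: The Secret is created with `--from-file=keys.txt`, so its data key and therefore the mounted filename is `keys.txt`, while k8s/bootstrap/sops-values.yaml and k8s/system/sops-secrets-operator/application.yaml both point `SOPS_AGE_KEY_FILE` at `/etc/sops-age-key-file/sops.key`, a file that will not exist in the mount; use `kubectl create secret generic sops-age-key-file --from-file=sops.key=keys.txt ...` (or change the env value to `/etc/sops-age-key-file/keys.txt` in both value files). The freshly generated private key also stays in plaintext in `keys.txt` and `sops-age-key-file.yaml` on the bootstrap host — gitignored, but still on disk — so piping the dry-run manifest directly into `kubectl apply -f -` and deleting `keys.txt` once the Secret exists would keep the only copy in the cluster. Note as well that the key this script generates will never match the `&kuwubernetes_cluster` recipient already committed to .sops.yaml, so a fresh bootstrap requires updating that anchor and re-encrypting the affected files with `sops updatekeys`; a comment above the `rage-keygen` line stating this would save the next operator a confusing failure.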
diff --git a/k8s/system/sops-secrets-operator/application.yaml b/k8s/system/sops-secrets-operator/application.yaml
new file mode 100644
index 00000000..967b49e8
--- /dev/null
+++ b/k8s/system/sops-secrets-operator/application.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: sops-secrets-operator
+ namespace: argocd
+spec:
+ project: system
+ source:
+ repoURL: "https://isindir.github.io/sops-secrets-operator/"
+ targetRevision: 0.18.0
+ chart: sops-secret-operator
+ helm:
+ valuesObject:
+ secretsAsFiles:
+ - mountPath: /etc/sops-age-key-file
+ secretName: sops-age-key-file
+ extraEnv:
+ - name: SOPS_AGE_KEY_FILE
+ value: /etc/sops-age-key-file/sops.key
+ destination:
+ namespace: sops
+ name: in-cluster
+ syncPolicy:
+ syncOptions:
+ - ServerSideApply=true
\ No newline at end of file
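Review bot: `chart: sops-secret-operator` (singular) does not match the chart name `sops-secrets-operator/sops-secrets-operator` installed by k8s/bootstrap/bootstrap.sh, and the two also reference different repositories (isindir.github.io here, inloco.github.io in the script); if the singular name is a typo Argo CD will fail to resolve the chart, and if the sources genuinely differ the Argo-managed Application will take over a release that was installed from a different chart. The bootstrap install and this Application should agree on one `repoURL` and one `chart` name. `targetRevision: 0.18.0` should be quoted like `repoURL` is (`targetRevision: "0.18.0"`) so tooling never retypes it. The `SOPS_AGE_KEY_FILE` value `/etc/sops-age-key-file/sops.key` also has to match the data key of the `sops-age-key-file` Secret, which bootstrap.sh currently creates as `keys.txt`.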