diff --git a/kubernetes/kube-nas/apps/cert-manager/namespace.yaml b/kubernetes/kube-nas/apps/cert-manager/namespace.yaml
index 977c578a1..ed788350f 100644
--- a/kubernetes/kube-nas/apps/cert-manager/namespace.yaml
+++ b/kubernetes/kube-nas/apps/cert-manager/namespace.yaml
@@ -5,4 +5,3 @@ metadata:
   name: cert-manager
   labels:
     kustomize.toolkit.fluxcd.io/prune: disabled
-    goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/kube-nas/apps/default/echo-server/app/helm-release.yaml b/kubernetes/kube-nas/apps/default/echo-server/app/helm-release.yaml
new file mode 100644
index 000000000..269765af2
--- /dev/null
+++ b/kubernetes/kube-nas/apps/default/echo-server/app/helm-release.yaml
@@ -0,0 +1,91 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: echo-server
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+  maxHistory: 15
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    # https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+    controllers:
+      main:
+        containers:
+          main:
+            image:
+              repository: docker.io/jmalloc/echo-server
+              tag: 0.3.5
+            strategy: RollingUpdate
+            resources:
+              requests:
+                cpu: 5m
+                memory: 10Mi
+              limits:
+                memory: 50Mi
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: &port 8080
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+              startup:
+                enabled: false
+
+    service:
+      main:
+        ports:
+          http:
+            port: *port
+
+    ingress:
+      main:
+        enabled: true
+        className: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          kubernetes.io/tls-acme: "true"
+          traefik.ingress.kubernetes.io/router.middlewares: traefik-ingress-sso@kubernetescrd
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          traefik.ingress.kubernetes.io/affinity: "true"
+          traefik.ingress.kubernetes.io/router.tls: "true"
+          external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
+          hajimari.io/icon: video-input-antenna
+          hajimari.io/enable: "true"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  name: main
+                  port: http
+        tls:
+          - hosts:
+              - *host
+            secretName: "{{ .Release.Name }}-tls"
diff --git a/kubernetes/kube-nas/apps/default/echo-server/app/kustomization.yaml b/kubernetes/kube-nas/apps/default/echo-server/app/kustomization.yaml
new file mode 100644
index 000000000..6c08326a6
--- /dev/null
+++ b/kubernetes/kube-nas/apps/default/echo-server/app/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helm-release.yaml
+commonLabels:
+  app.kubernetes.io/name: echo-server
+  app.kubernetes.io/instance: echo-server
diff --git a/kubernetes/kube-nas/apps/default/echo-server/flux-sync.yaml b/kubernetes/kube-nas/apps/default/echo-server/flux-sync.yaml
new file mode 100644
index 000000000..1a11d9e00
--- /dev/null
+++ b/kubernetes/kube-nas/apps/default/echo-server/flux-sync.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: apps-echo-server
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  interval: 10m
+  path: ./kubernetes/kube-nas/apps/default/echo-server/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
diff --git a/kubernetes/kube-nas/apps/default/kustomization.yaml b/kubernetes/kube-nas/apps/default/kustomization.yaml
new file mode 100644
index 000000000..adf33b9de
--- /dev/null
+++ b/kubernetes/kube-nas/apps/default/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./echo-server/flux-sync.yaml
diff --git a/kubernetes/kube-nas/apps/default/namespace.yaml b/kubernetes/kube-nas/apps/default/namespace.yaml
new file mode 100644
index 000000000..f659b055d
--- /dev/null
+++ b/kubernetes/kube-nas/apps/default/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: default
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled