diff --git a/modules/kubernetes/actualbudget/factory/main.tf b/modules/kubernetes/actualbudget/factory/main.tf index fc615705..b19f1f06 100644 --- a/modules/kubernetes/actualbudget/factory/main.tf +++ b/modules/kubernetes/actualbudget/factory/main.tf @@ -3,13 +3,15 @@ variable "name" {} variable "tag" { default = "latest" } +variable "tier" { type = string } resource "kubernetes_deployment" "actualbudget" { metadata { name = "actualbudget-${var.name}" namespace = "actualbudget" labels = { - app = "actualbudget-${var.name}" + app = "actualbudget-${var.name}" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/actualbudget/main.tf b/modules/kubernetes/actualbudget/main.tf index 4bf5380a..fa5259ae 100644 --- a/modules/kubernetes/actualbudget/main.tf +++ b/modules/kubernetes/actualbudget/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } # To create a new deployment: /** @@ -30,6 +31,7 @@ module "viktor" { tag = "edge" tls_secret_name = var.tls_secret_name depends_on = [kubernetes_namespace.actualbudget] + tier = var.tier } # https://budget-anca.viktorbarzin.me/ @@ -39,4 +41,5 @@ module "anca" { tag = "edge" tls_secret_name = var.tls_secret_name depends_on = [kubernetes_namespace.actualbudget] + tier = var.tier } diff --git a/modules/kubernetes/audiobookshelf/main.tf b/modules/kubernetes/audiobookshelf/main.tf index b8098003..62d1207b 100644 --- a/modules/kubernetes/audiobookshelf/main.tf +++ b/modules/kubernetes/audiobookshelf/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "audiobookshelf" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "audiobookshelf" { name = "audiobookshelf" namespace = kubernetes_namespace.audiobookshelf.metadata[0].name labels = { - app = "audiobookshelf" + app = "audiobookshelf" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" 
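Review bot: `variable "tier" { type = string }` in `factory/main.tf` accepts any string, but its only use is as the value of the Kubernetes `tier` label, so an invalid value (longer than 63 characters, or not matching `[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?`) is first rejected by the API server at apply time, part-way through a plan that touches every module in this commit. A `validation { condition = can(regex("^([A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?)?$", var.tier)) error_message = "tier must be a valid Kubernetes label value." }` block plus a `description` catches that at plan time, and since the same declaration is copy-pasted into every module below it is worth settling before it spreads further. Note also that the label lands on the Deployment's own `metadata.labels`, not on `spec.template.metadata.labels`, so pod-level selectors (NetworkPolicy, PodDisruptionBudget, descheduler filters) will not see it — fine if only workload-level tooling reads it, but the description should say so.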
diff --git a/modules/kubernetes/authentik/main.tf b/modules/kubernetes/authentik/main.tf index f5df26e1..483e3ef0 100644 --- a/modules/kubernetes/authentik/main.tf +++ b/modules/kubernetes/authentik/main.tf @@ -1,6 +1,7 @@ variable "tls_secret_name" {} variable "secret_key" {} variable "postgres_password" {} +variable "tier" { type = string } module "tls_secret" { @@ -12,6 +13,9 @@ module "tls_secret" { resource "kubernetes_namespace" "authentik" { metadata { name = "authentik" + labels = { + tier = var.tier + } } } diff --git a/modules/kubernetes/authentik/pgbouncer.tf b/modules/kubernetes/authentik/pgbouncer.tf index f9c83fd9..d6d24a8b 100644 --- a/modules/kubernetes/authentik/pgbouncer.tf +++ b/modules/kubernetes/authentik/pgbouncer.tf @@ -29,7 +29,8 @@ resource "kubernetes_deployment" "pgbouncer" { name = "pgbouncer" namespace = "authentik" labels = { - app = "pgbouncer" + app = "pgbouncer" + tier = var.tier } } diff --git a/modules/kubernetes/blog/main.tf b/modules/kubernetes/blog/main.tf index 91cf4fed..eef7860e 100644 --- a/modules/kubernetes/blog/main.tf +++ b/modules/kubernetes/blog/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } # variable "dockerhub_password" {} resource "kubernetes_namespace" "website" { @@ -27,7 +28,8 @@ resource "kubernetes_deployment" "blog" { name = "blog" namespace = kubernetes_namespace.website.metadata[0].name labels = { - run = "blog" + run = "blog" + tier = var.tier } } spec { diff --git a/modules/kubernetes/calibre/main.tf b/modules/kubernetes/calibre/main.tf index 040374bf..32594172 100644 --- a/modules/kubernetes/calibre/main.tf +++ b/modules/kubernetes/calibre/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "homepage_username" { default = "" } 
@@ -99,7 +100,8 @@ resource "kubernetes_deployment" "calibre-web-automated" { name = "calibre-web-automated" namespace = kubernetes_namespace.calibre.metadata[0].name labels = { - app = "calibre-web-automated" + app = "calibre-web-automated" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" @@ -250,7 +252,8 @@ resource "kubernetes_deployment" "annas-archive-stacks" { name = "annas-archive-stacks" namespace = kubernetes_namespace.calibre.metadata[0].name labels = { - app = "annas-archive-stacks" + app = "annas-archive-stacks" + tier = var.tier } } spec { diff --git a/modules/kubernetes/changedetection/main.tf b/modules/kubernetes/changedetection/main.tf index c7154e72..06f16212 100644 --- a/modules/kubernetes/changedetection/main.tf +++ b/modules/kubernetes/changedetection/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "changedetection" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "changedetection" { name = "changedetection" namespace = kubernetes_namespace.changedetection.metadata[0].name labels = { - app = "changedetection" + app = "changedetection" + tier = var.tier } } spec { diff --git a/modules/kubernetes/city-guesser/main.tf b/modules/kubernetes/city-guesser/main.tf index 72fbd7e0..e6f8bac1 100644 --- a/modules/kubernetes/city-guesser/main.tf +++ b/modules/kubernetes/city-guesser/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" {} -# variable "dockerhub_password" {} +variable "tier" { type = string } resource "kubernetes_namespace" "city-guesser" { metadata { 
@@ -16,18 +16,13 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -# module "dockerhub_creds" { -# source = "../dockerhub_secret" -# namespace = "website" -# password = var.dockerhub_password -# } - resource "kubernetes_deployment" "city-guesser" { metadata { name = "city-guesser" namespace = "city-guesser" labels = { - run = "city-guesser" + run = "city-guesser" + tier = var.tier } } spec { diff --git a/modules/kubernetes/cloudflared/main.tf b/modules/kubernetes/cloudflared/main.tf index bbd33b47..e5c63b45 100644 --- a/modules/kubernetes/cloudflared/main.tf +++ b/modules/kubernetes/cloudflared/main.tf @@ -7,6 +7,7 @@ resource "kubernetes_namespace" "cloudflared" { name = "cloudflared" } } +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -19,7 +20,8 @@ resource "kubernetes_deployment" "cloudflared" { name = "cloudflared" namespace = kubernetes_namespace.cloudflared.metadata[0].name labels = { - app = "cloudflared" + app = "cloudflared" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf index ec61a073..a06fa429 100644 --- a/modules/kubernetes/crowdsec/main.tf +++ b/modules/kubernetes/crowdsec/main.tf @@ -6,6 +6,7 @@ variable "enroll_key" {} variable "crowdsec_dash_api_key" { type = string } # used for web dash variable "crowdsec_dash_machine_id" { type = string } # used for web dash variable "crowdsec_dash_machine_password" { type = string } # used for web dash +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -16,6 +17,9 @@ module "tls_secret" { resource "kubernetes_namespace" "crowdsec" { metadata { name = "crowdsec" + labels = { + tier = var.tier + } } } @@ -84,6 +88,7 @@ resource "kubernetes_deployment" "crowdsec-web" { labels = { app = "crowdsec_web" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { 
diff --git a/modules/kubernetes/cyberchef/main.tf b/modules/kubernetes/cyberchef/main.tf index 8049635e..b8f4041c 100644 --- a/modules/kubernetes/cyberchef/main.tf +++ b/modules/kubernetes/cyberchef/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "cyberchef" { metadata { name = "cyberchef" @@ -16,7 +17,8 @@ resource "kubernetes_deployment" "cyberchef" { name = "cyberchef" namespace = kubernetes_namespace.cyberchef.metadata[0].name labels = { - app = "cyberchef" + app = "cyberchef" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/dashy/main.tf b/modules/kubernetes/dashy/main.tf index 1fb34fb9..67d839b7 100644 --- a/modules/kubernetes/dashy/main.tf +++ b/modules/kubernetes/dashy/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -36,7 +37,8 @@ resource "kubernetes_deployment" "dashy" { name = "dashy" namespace = kubernetes_namespace.dashy.metadata[0].name labels = { - app = "dashy" + app = "dashy" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/dawarich/main.tf b/modules/kubernetes/dawarich/main.tf index 751a566e..215b18ef 100644 --- a/modules/kubernetes/dawarich/main.tf +++ b/modules/kubernetes/dawarich/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "database_password" {} variable "geoapify_api_key" {} variable "image_version" { @@ -26,7 +27,8 @@ resource "kubernetes_deployment" "dawarich" { name = "dawarich" namespace = kubernetes_namespace.dawarich.metadata[0].name labels = { - app = "dawarich" + app = "dawarich" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/dbaas/main.tf b/modules/kubernetes/dbaas/main.tf index 5d3a9d8f..0ec05257 100644 
--- a/modules/kubernetes/dbaas/main.tf +++ b/modules/kubernetes/dbaas/main.tf @@ -1,5 +1,6 @@ # DB as a service. Installs MySQL operator variable "tls_secret_name" {} +variable "tier" { type = string } variable "dbaas_root_password" {} variable "cluster_master_service" { default = "mysql" @@ -99,6 +100,9 @@ resource "kubernetes_deployment" "mysql" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { replicas = 1 @@ -358,6 +362,7 @@ resource "kubernetes_deployment" "phpmyadmin" { namespace = kubernetes_namespace.dbaas.metadata[0].name labels = { "app" = "phpmyadmin" + tier = var.tier } annotations = { @@ -684,6 +689,9 @@ resource "kubernetes_deployment" "postgres" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { selector { @@ -777,6 +785,9 @@ resource "kubernetes_deployment" "pgadmin" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { selector { diff --git a/modules/kubernetes/descheduler/main.tf b/modules/kubernetes/descheduler/main.tf index 4d49240a..e7fed580 100644 --- a/modules/kubernetes/descheduler/main.tf +++ b/modules/kubernetes/descheduler/main.tf @@ -74,7 +74,7 @@ resource "kubernetes_cluster_role_binding" "descheduler" { } } -resource "helm_release" "prometheus" { +resource "helm_release" "descheduler" { # rename me namespace = kubernetes_namespace.descheduler.metadata[0].name name = "descheduler" diff --git a/modules/kubernetes/diun/main.tf b/modules/kubernetes/diun/main.tf index 3a075d4d..46aec4ca 100644 --- a/modules/kubernetes/diun/main.tf +++ b/modules/kubernetes/diun/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "diun_nfty_token" {} variable "diun_slack_url" {} 
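Review bot: Renaming `helm_release.prometheus` to `helm_release.descheduler` changes the resource address, so the next apply will plan to destroy the release under the old address and create a new one — a helm uninstall/install of the descheduler rather than an in-place rename. Add a `moved { from = helm_release.prometheus to = helm_release.descheduler }` block next to the resource (or run `terraform state mv` before applying) so state follows the rename, and drop the `# rename me` comment now that the rename has happened. The `helm_release` body continues outside the hunk.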
@@ -56,7 +57,8 @@ resource "kubernetes_deployment" "diun" { name = "diun" namespace = kubernetes_namespace.diun.metadata[0].name labels = { - app = "diun" + app = "diun" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/drone/main.tf b/modules/kubernetes/drone/main.tf index de9c02a6..eb730be6 100644 --- a/modules/kubernetes/drone/main.tf +++ b/modules/kubernetes/drone/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "github_client_id" {} variable "github_client_secret" {} variable "rpc_secret" {} @@ -43,7 +44,8 @@ resource "kubernetes_deployment" "drone_server" { name = "drone-server" namespace = kubernetes_namespace.drone.metadata[0].name labels = { - app = "drone" + app = "drone" + tier = var.tier } } spec { @@ -211,7 +213,8 @@ resource "kubernetes_deployment" "drone_runner" { name = "drone-runner" namespace = kubernetes_namespace.drone.metadata[0].name labels = { - app = "drone-runner" + app = "drone-runner" + tier = var.tier } } spec { @@ -286,7 +289,8 @@ resource "kubernetes_deployment" "drone_runner_secret" { name = "drone-runner-secret" namespace = kubernetes_namespace.drone.metadata[0].name labels = { - app = "drone-runner-secret" + app = "drone-runner-secret" + tier = var.tier } } spec { diff --git a/modules/kubernetes/ebook2audiobook/main.tf b/modules/kubernetes/ebook2audiobook/main.tf index a469569e..0e1801cc 100644 --- a/modules/kubernetes/ebook2audiobook/main.tf +++ b/modules/kubernetes/ebook2audiobook/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -235,7 +236,8 @@ resource "kubernetes_deployment" "audiblez" { name = "audiblez" namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name labels = { - app = "audiblez" + app = "audiblez" + tier = var.tier } } spec { 
diff --git a/modules/kubernetes/echo/main.tf b/modules/kubernetes/echo/main.tf index e668d87c..724e07d4 100644 --- a/modules/kubernetes/echo/main.tf +++ b/modules/kubernetes/echo/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "echo" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "echo" { name = "echo" namespace = kubernetes_namespace.echo.metadata[0].name labels = { - app = "echo" + app = "echo" + tier = var.tier } } spec { diff --git a/modules/kubernetes/excalidraw/main.tf b/modules/kubernetes/excalidraw/main.tf index 206f8879..2df6db3a 100644 --- a/modules/kubernetes/excalidraw/main.tf +++ b/modules/kubernetes/excalidraw/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "excalidraw" { metadata { @@ -21,7 +22,8 @@ resource "kubernetes_deployment" "excalidraw" { name = "excalidraw" namespace = kubernetes_namespace.excalidraw.metadata[0].name labels = { - app = "excalidraw" + app = "excalidraw" + tier = var.tier } } spec { diff --git a/modules/kubernetes/f1-stream/main.tf b/modules/kubernetes/f1-stream/main.tf index bb0569bb..24caf9da 100644 --- a/modules/kubernetes/f1-stream/main.tf +++ b/modules/kubernetes/f1-stream/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "f1-stream" { metadata { @@ -14,7 +15,8 @@ resource "kubernetes_deployment" "f1-stream" { name = "f1-stream" namespace = kubernetes_namespace.f1-stream.metadata[0].name labels = { - app = "f1-stream" + app = "f1-stream" + tier = var.tier } } spec { diff --git a/modules/kubernetes/forgejo/main.tf b/modules/kubernetes/forgejo/main.tf index e495b8a6..b1960ff0 100644 --- a/modules/kubernetes/forgejo/main.tf +++ b/modules/kubernetes/forgejo/main.tf 
@@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "forgejo" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "forgejo" { name = "forgejo" namespace = kubernetes_namespace.forgejo.metadata[0].name labels = { - app = "forgejo" + app = "forgejo" + tier = var.tier } } spec { diff --git a/modules/kubernetes/freshrss/main.tf b/modules/kubernetes/freshrss/main.tf index 545ba50f..5972e2a2 100644 --- a/modules/kubernetes/freshrss/main.tf +++ b/modules/kubernetes/freshrss/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -20,6 +21,7 @@ resource "kubernetes_deployment" "freshrss" { labels = { app = "freshrss" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { diff --git a/modules/kubernetes/frigate/main.tf b/modules/kubernetes/frigate/main.tf index 261b75bb..215836a4 100644 --- a/modules/kubernetes/frigate/main.tf +++ b/modules/kubernetes/frigate/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "frigate" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "frigate" { name = "frigate" namespace = kubernetes_namespace.frigate.metadata[0].name labels = { - app = "frigate" + app = "frigate" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/hackmd/main.tf b/modules/kubernetes/hackmd/main.tf index 0d3d6490..e8bbdaed 100644 --- a/modules/kubernetes/hackmd/main.tf +++ b/modules/kubernetes/hackmd/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "hackmd_db_password" {} resource "kubernetes_namespace" "hackmd" { @@ -23,6 +24,7 @@ resource "kubernetes_deployment" "hackmd" { labels = { app = "hackmd" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { 
diff --git a/modules/kubernetes/headscale/main.tf b/modules/kubernetes/headscale/main.tf index 9ffac4e9..61ad739c 100644 --- a/modules/kubernetes/headscale/main.tf +++ b/modules/kubernetes/headscale/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "headscale_config" {} variable "headscale_acl" {} @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "headscale" { name = "headscale" namespace = kubernetes_namespace.headscale.metadata[0].name labels = { - app = "headscale" + app = "headscale" + tier = var.tier # scare to try but probably non-http will fail # "istio-injection" : "enabled" } diff --git a/modules/kubernetes/homepage/main.tf b/modules/kubernetes/homepage/main.tf index ecdc421a..9f8f0d31 100644 --- a/modules/kubernetes/homepage/main.tf +++ b/modules/kubernetes/homepage/main.tf @@ -1,5 +1,5 @@ - variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -12,6 +12,7 @@ resource "kubernetes_namespace" "homepage" { name = "homepage" labels = { "istio-injection" : "disabled" + tier = var.tier } } } diff --git a/modules/kubernetes/immich/frame.tf b/modules/kubernetes/immich/frame.tf index b81d29c5..3d07176d 100644 --- a/modules/kubernetes/immich/frame.tf +++ b/modules/kubernetes/immich/frame.tf @@ -41,6 +41,9 @@ resource "kubernetes_deployment" "immich-frame" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { diff --git a/modules/kubernetes/immich/main.tf b/modules/kubernetes/immich/main.tf index 19522715..aca51fe6 100644 --- a/modules/kubernetes/immich/main.tf +++ b/modules/kubernetes/immich/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "postgresql_password" {} variable "homepage_token" {} variable "immich_version" { 
@@ -26,7 +27,8 @@ resource "kubernetes_deployment" "immich_server" { namespace = kubernetes_namespace.immich.metadata[0].name labels = { - app = "immich-server" + app = "immich-server" + tier = var.tier } } @@ -235,6 +237,9 @@ resource "kubernetes_deployment" "immich-postgres" { metadata { name = "immich-postgresql" namespace = kubernetes_namespace.immich.metadata[0].name + labels = { + tier = var.tier + } } spec { replicas = 1 @@ -334,6 +339,9 @@ resource "kubernetes_deployment" "immich-machine-learning" { metadata { name = "immich-machine-learning" namespace = kubernetes_namespace.immich.metadata[0].name + labels = { + tier = var.tier + } } spec { replicas = 1 diff --git a/modules/kubernetes/isponsorblocktv/main.tf b/modules/kubernetes/isponsorblocktv/main.tf index 40773697..e7b452be 100644 --- a/modules/kubernetes/isponsorblocktv/main.tf +++ b/modules/kubernetes/isponsorblocktv/main.tf @@ -1,4 +1,5 @@ # https://github.com/dmunozv04/iSponsorBlockTV +variable "tier" { type = string } resource "kubernetes_namespace" "isponsorblocktv" { metadata { @@ -17,7 +18,8 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" { name = "isponsorblocktv-vermont" namespace = kubernetes_namespace.isponsorblocktv.metadata[0].name labels = { - app = "isponsorblocktv-vermont" + app = "isponsorblocktv-vermont" + tier = var.tier } } spec { diff --git a/modules/kubernetes/jsoncrack/main.tf b/modules/kubernetes/jsoncrack/main.tf index db5d8df3..bfa02284 100644 --- a/modules/kubernetes/jsoncrack/main.tf +++ b/modules/kubernetes/jsoncrack/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "jsoncrack" { metadata { @@ -19,7 +20,8 @@ resource "kubernetes_deployment" "jsoncrack" { name = "jsoncrack" namespace = kubernetes_namespace.jsoncrack.metadata[0].name labels = { - app = "jsoncrack" + app = "jsoncrack" + tier = var.tier } } spec { 
diff --git a/modules/kubernetes/k8s-dashboard/main.tf b/modules/kubernetes/k8s-dashboard/main.tf index ac815daf..20ded87d 100644 --- a/modules/kubernetes/k8s-dashboard/main.tf +++ b/modules/kubernetes/k8s-dashboard/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "client_certificate_secret_name" {} +variable "tier" { type = string } resource "random_password" "csrf_token" { length = 16 @@ -25,6 +26,7 @@ resource "kubernetes_namespace" "k8s-dashboard" { name = "kubernetes-dashboard" labels = { "istio-injection" : "disabled" + tier = var.tier } } } diff --git a/modules/kubernetes/keyserver/deploy_keyserver.yaml b/modules/kubernetes/keyserver/deploy_keyserver.yaml new file mode 100644 index 00000000..2a5b5291 --- /dev/null +++ b/modules/kubernetes/keyserver/deploy_keyserver.yaml 
@@ -0,0 +1,155 @@
+# @nocommit: job to periodically update the certs
+---
+- name: Deploy Nginx-based key server for TrueNAS unlock
+  hosts: keyserver
+  become: true
+  vars:
+    server_name: "keyserver.viktorbarzin.me"
+    key_filename: "truenas.key"
+    htpasswd_user: "truenas"
+    htpasswd_password: "3RgTvqHWeiae7drCUBGyj6XZSIP" # replace with vault
+    ssl_cert_path: "/etc/ssl/certs/keyserver.crt"
+    ssl_key_path: "/etc/ssl/private/keyserver.key"
+    local_ssl_cert: "../../../secrets/fullchain.pem" # LOCAL path
+    local_ssl_key: "../../../secrets/privkey.pem" # LOCAL path
+
+  tasks:
+
+    - name: Install packages
+      apt:
+        name:
+          - nginx
+          - apache2-utils
+          - python3-passlib
+        state: present
+        update_cache: yes
+
+    - name: Create basic-auth file
+      community.general.htpasswd:
+        path: /etc/nginx/.htpasswd
+        name: "{{ htpasswd_user }}"
+        password: "{{ htpasswd_password }}"
+        crypt_scheme: bcrypt
+
+    - name: Create key directory
+      file:
+        path: /srv/keys
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Create key file if it doesn't exist
+      command: "head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}"
+      args:
+        creates: "/srv/keys/{{ key_filename }}"
+
+    - name: Set key file permissions
+      file:
+        path: "/srv/keys/{{ key_filename }}"
+        owner: www-data
+        group: www-data
+        mode: '0640'
+
+    - name: Enable info logging in nginx.conf
+      lineinfile:
+        path: /etc/nginx/nginx.conf
+        regexp: '^(\s*)error_log'
+        line: ' error_log /var/log/nginx/error.log info;'
+        insertafter: 'http {'
+      notify: reload nginx
+
+    - name: Ensure rate limit config exists
+      copy:
+        dest: /etc/nginx/conf.d/ratelimit.conf
+        content: |
+          limit_req_zone $binary_remote_addr zone=authfail:10m rate=5r/m;
+      notify: reload nginx
+
+    - name: Deploy keyserver nginx site
+      copy:
+        dest: /etc/nginx/sites-available/keyserver.conf
+        content: |
+          server {
+              listen 443 ssl;
+              server_name {{ server_name }};
+
+              ssl_certificate {{ ssl_cert_path }};
+              ssl_certificate_key {{ ssl_key_path }};
+
+              ssl_protocols TLSv1.2 TLSv1.3;
+              ssl_prefer_server_ciphers on;
+
+              limit_req zone=authfail burst=2 nodelay;
+
+              location /keys/ {
+                  alias /srv/keys/;
+
+                  auth_basic "Restricted";
+                  auth_basic_user_file /etc/nginx/.htpasswd;
+
+                  autoindex off;
+
+                  add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
+              }
+          }
+      notify: reload nginx
+
+    - name: Enable keyserver site
+      file:
+        src: /etc/nginx/sites-available/keyserver.conf
+        dest: /etc/nginx/sites-enabled/keyserver.conf
+        state: link
+      notify: reload nginx
+
+    - name: Remove default site
+      file:
+        path: /etc/nginx/sites-enabled/default
+        state: absent
+      notify: reload nginx
+
+    - name: Copy SSL certificate to server
+      copy:
+        src: "{{ local_ssl_cert }}"
+        dest: "{{ ssl_cert_path }}"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload nginx
+
+    - name: Copy SSL private key to server
+      copy:
+        src: "{{ local_ssl_key }}"
+        dest: "{{ ssl_key_path }}"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload nginx
+
+    # - name: Create self-signed SSL certificate if missing
+    #   command: >
+    #     openssl req -x509 -newkey rsa:2048 -nodes
+    #     -keyout {{ ssl_key_path }}
+    #     -out {{ ssl_cert_path }}
+    #     -days 365
+    #     -subj "/CN={{ server_name }}"
+    #   args:
+    #     creates: "{{ ssl_cert_path }}"
+      notify: reload nginx
+
+    - name: Test nginx config
+      command: nginx -t
+      register: nginx_test
+      failed_when: "'successful' not in nginx_test.stderr"
+
+    - name: Ensure nginx is running
+      service:
+        name: nginx
+        state: started
+        enabled: true
+
+  handlers:
+    - name: reload nginx
+      service:
+        name: nginx
+        state: reloaded
diff --git a/modules/kubernetes/kms/main.tf b/modules/kubernetes/kms/main.tf
index 4d6d703b..955a9b38 100644
--- a/modules/kubernetes/kms/main.tf
+++ b/modules/kubernetes/kms/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 resource "kubernetes_namespace" "kms" {
   metadata {
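Review bot: `command: "head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}"` does not redirect anything — the `command` module runs the argv without a shell, so `>` and the path are handed to `head` as input files, the task exits non-zero and the unlock key is never written; use `shell: "umask 077; head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}"` (the umask keeps the key from being world-readable in the window before the next task sets `0640`). The TLS private key is copied with `mode: '0644'`, i.e. readable by every local user, although nginx loads it as root before dropping privileges, so `mode: '0600'` is the right value, and the unlock key itself should be `owner: root`, `group: www-data` rather than owned by the worker user that serves untrusted clients. `htpasswd_password: "3RgTvqHWeiae7drCUBGyj6XZSIP"` is a plaintext credential committed to the repo — it is in git history now regardless of the `# replace with vault` remark, so it should be rotated and read from Ansible Vault (a `!vault` value or `vars_files`) before merge, and the `@nocommit` marker on the first line should be resolved rather than shipped. `limit_req zone=authfail` throttles every request from an IP to 5/min, not only failed authentications, which slows but does not stop an online guess of the single basic-auth password that guards a disk-encryption key; since the only legitimate client is TrueNAS, `allow <truenas-ip>; deny all;` inside `location /keys/` or `ssl_verify_client on` with a client certificate is the stronger control. Finally, the uncommented `notify: reload nginx` that survives below the commented-out self-signed-certificate task appears to attach to the preceding task as a duplicate key — delete it.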
@@ -32,6 +33,7 @@ resource "kubernetes_deployment" "kms-web-page" { labels = { "app" = "kms-web-page" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { @@ -121,7 +123,8 @@ resource "kubernetes_deployment" "windows_kms" { name = "kms" namespace = kubernetes_namespace.kms.metadata[0].name labels = { - app = "kms-service" + app = "kms-service" + tier = var.tier } } spec { diff --git a/modules/kubernetes/kyverno/main.tf b/modules/kubernetes/kyverno/main.tf new file mode 100644 index 00000000..eb50274b --- /dev/null +++ b/modules/kubernetes/kyverno/main.tf 
@@ -0,0 +1,120 @@
+
+resource "kubernetes_namespace" "kyverno" {
+  metadata {
+    name = "kyverno"
+    labels = {
+      "istio-injection" : "disabled"
+    }
+  }
+}
+
+resource "helm_release" "kyverno" {
+  namespace = kubernetes_namespace.kyverno.metadata[0].name
+  create_namespace = false
+  name = "kyverno"
+  atomic = true
+
+  repository = "https://kyverno.github.io/kyverno/"
+  chart = "kyverno"
+
+  # values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password })]
+}
+
+# To unlabel all:
+# kubectl label deployment,statefulset,daemonset --all-namespaces -l tier tier-
+resource "kubernetes_manifest" "mutate_tier_from_namespace" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind = "ClusterPolicy"
+    metadata = {
+      name = "sync-tier-label-from-namespace"
+    }
+    spec = {
+      rules = [
+        {
+          name = "lookup-and-add-tier"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Deployment", "StatefulSet", "DaemonSet"]
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  namespaces = ["kube-system", "metallb-system", "n8n"]
+                }
+              }
+            ]
+          }
+          # Context allows us to perform an API call to get Namespace metadata
+          context = [
+            {
+              name = "namespaceLabel"
+              apiCall = {
+                urlPath = "/api/v1/namespaces/{{request.namespace}}"
+                jmesPath = "metadata.labels.tier || 'default'"
+              }
+            }
+          ]
+          mutate = {
+            patchStrategicMerge = {
+              metadata = {
+                labels = {
+                  # Injects the variable discovered in the context above
+                  "+(tier)" = "{{namespaceLabel}}"
+                }
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}
+
+# resource "kubernetes_manifest" "enforce_pod_tier_label" {
+#   manifest = {
+#     apiVersion = "kyverno.io/v1"
+#     kind = "ClusterPolicy"
+#     metadata = {
+#       name = "enforce-pod-tier-label"
+#       annotations = {
+#         "policies.kyverno.io/description" = "Rejects any pod that does not have a tier label."
+#       }
+#     }
+#     spec = {
+#       # 'Enforce' blocks the creation. 'Audit' just reports it.
+#       validationFailureAction = "Enforce"
+#       background = true
+#       rules = [
+#         {
+#           name = "check-for-tier-label"
+#           match = {
+#             any = [
+#               {
+#                 resources = {
+#                   kinds = ["Pod"]
+#                 }
+#               }
+#             ]
+#           }
+#           validate = {
+#             message = "The label 'tier' is required for all pods in this cluster."
+#             pattern = {
+#               metadata = {
+#                 labels = {
+#                   "tier" = "?*" # The "?*" syntax means the value must not be empty
+#                 }
+#               }
+#             }
+#           }
+#         }
+#       ]
+#     }
+#   }
+# }
diff --git a/modules/kubernetes/linkwarden/main.tf b/modules/kubernetes/linkwarden/main.tf
index b16a3fff..a1d1ea66 100644
--- a/modules/kubernetes/linkwarden/main.tf
+++ b/modules/kubernetes/linkwarden/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "postgresql_password" {}
 variable "authentik_client_id" {}
 variable "authentik_client_secret" {}
@@ -26,7 +27,8 @@ resource "kubernetes_deployment" "linkwarden" {
     name = "linkwarden"
     namespace = kubernetes_namespace.linkwarden.metadata[0].name
     labels = {
-      app = "linkwarden"
+      app = "linkwarden"
+      tier = var.tier
     }
     annotations = {
       "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/mailserver/main.tf b/modules/kubernetes/mailserver/main.tf
index 2e1b3805..bd30225b 100644
--- a/modules/kubernetes/mailserver/main.tf
+++ b/modules/kubernetes/mailserver/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "mailserver_accounts" {}
 variable "postfix_account_aliases" {}
 variable "opendkim_key" {}
@@ -134,6 +135,7 @@ resource "kubernetes_deployment" "mailserver" {
     namespace = kubernetes_namespace.mailserver.metadata[0].name
     labels = {
       "app" = "mailserver"
+      tier = var.tier
     }
     annotations = {
       "reloader.stakater.com/search" = "true"
@@ -157,7 +159,6 @@ resource "kubernetes_deployment" "mailserver" {
       labels = {
         "app" = "mailserver"
         "role" = "mail"
-        "tier" = "backend"
       }
     }
     spec {
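Review bot: `kubernetes_manifest.mutate_tier_from_namespace` has no `depends_on = [helm_release.kyverno]`, and `kubernetes_manifest` additionally requires the `kyverno.io/v1` ClusterPolicy CRD to exist at plan time, so a fresh apply (or any run after a defcon level that dropped `kyverno`) fails before the chart is installed; add the `depends_on` and expect the first rollout to need a targeted apply of the release. `helm_release.kyverno` carries no `version`, so every apply may silently pull a new major of an admission controller that sits in the path of every workload create and update — pin it to the chart version actually tested, e.g. `version = "x.y.z"`. The mutate rule patches only the workload's own `metadata.labels`, whereas the commented-out `enforce-pod-tier-label` policy validates `Pod` labels; if that policy is ever enabled as written it will reject every pod in the non-excluded namespaces, because nothing here adds `tier` to `spec.template.metadata.labels`. The `# values = [templatefile(".../grafana_chart_values.yaml", ...)]` line is a leftover from another module and should be removed rather than kept as a comment.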
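Review bot: The hunk at `@@ -157,7 +159,6 @@` drops `"tier" = "backend"` from the mailserver pod template labels, while the new `tier = var.tier` is added only to the Deployment's `metadata.labels`, so the pods end up with no `tier` label at all. If the Deployment's `selector.match_labels` (outside this hunk) includes `tier`, the apply fails because the template no longer satisfies the selector; if any NetworkPolicy or Service selects mail pods by `tier: backend`, they silently stop matching and traffic to or from the mailserver changes. Either keep the old pod label, or add `tier = var.tier` to the template labels as well and update whatever selector referenced `backend`. The Deployment resource starts and ends outside the hunk.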
diff --git a/modules/kubernetes/mailserver/roundcubemail.tf b/modules/kubernetes/mailserver/roundcubemail.tf index d1217db8..1eb4902d 100644 --- a/modules/kubernetes/mailserver/roundcubemail.tf +++ b/modules/kubernetes/mailserver/roundcubemail.tf @@ -32,6 +32,7 @@ resource "kubernetes_deployment" "roundcubemail" { namespace = "mailserver" labels = { "app" = "roundcubemail" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 890f9914..3e6ebb82 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -124,7 +124,7 @@ variable "defcon_level" { locals { defcon_modules = { 1 : ["wireguard", "technitium", "headscale", "nginx-ingress", "xray", "authentik", "cloudflare", "authelia", "monitoring"], # Critical connectivity services - 2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec"], # Storage and other db services + 2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec", "kyverno"], # Storage and other db services 3 : ["k8s-dashboard", "reverse-proxy"], # Cluster admin services 4 : [ "mailserver", "shadowsocks", "webhook_handler", "tuya-bridge", "dawarich", "owntracks", "nextcloud", @@ -143,6 +143,14 @@ locals { for level in range(1, var.defcon_level + 1) : # From current level to 5 lookup(local.defcon_modules, level, []) ])) + + tiers = { + core = "0-core" # Bare minimum cluster primitives + cluster = "1-cluster" # All cluster primitives + gpu = "2-gpu" # GPU services + edge = "3-edge" # Critical user services + aux = "4-aux" # Optional user services + } } resource "null_resource" "core_services" { @@ -159,6 +167,7 @@ module "blog" { source = "./blog" tls_secret_name = var.tls_secret_name # dockerhub_password = var.dockerhub_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
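Review bot: `tiers` in `locals` introduces a second hand-maintained classification of the same modules next to `defcon_modules`, and nothing ties the two together, so they can drift — in the later hunks `headscale` and `technitium` (defcon 1) get `0-core`, `wireguard` (defcon 1) gets `1-cluster`, and `kyverno` is added to defcon 2 under a comment that still reads `# Storage and other db services`. A comment on the map stating what the label is for and that it is independent of `defcon_level`, e.g. `# tier is only a label stamped on namespace/workload metadata by each module; which modules are deployed is decided by defcon_level above`, would stop the next reader from assuming one implies the other, and the `2 :` comment should mention the admission controller it now contains. The numeric prefix in the values (`0-core` … `4-aux`) is presumably there for sort order — say so in the comment, since these values are also what every per-module `tier` variable must accept.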
@@ -177,6 +186,7 @@ module "dbaas" { dbaas_root_password = var.dbaas_root_password postgresql_root_password = var.dbaas_postgresql_root_password pgadmin_password = var.dbaas_pgadmin_password + tier = local.tiers.core } module "descheduler" { @@ -200,6 +210,7 @@ module "drone" { rpc_secret = var.drone_rpc_secret server_host = "drone.viktorbarzin.me" server_proto = "https" + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -208,6 +219,7 @@ module "f1-stream" { source = "./f1-stream" for_each = contains(local.active_modules, "f1-stream") ? { f1-stream = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -217,6 +229,7 @@ module "hackmd" { for_each = contains(local.active_modules, "hackmd") ? { hackmd = true } : {} hackmd_db_password = var.hackmd_db_password tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -231,12 +244,14 @@ module "kms" { source = "./kms" for_each = contains(local.active_modules, "kms") ? { kms = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } module "k8s-dashboard" { source = "./k8s-dashboard" + tier = local.tiers.cluster for_each = contains(local.active_modules, "k8s-dashboard") ? { k8s-dashboard = true } : {} tls_secret_name = var.tls_secret_name client_certificate_secret_name = var.client_certificate_secret_name @@ -253,12 +268,14 @@ module "mailserver" { opendkim_key = var.mailserver_opendkim_key sasl_passwd = var.mailserver_sasl_passwd roundcube_db_password = var.mailserver_roundcubemail_db_password + tier = local.tiers.edge depends_on = [null_resource.core_services] } module "metallb" { source = "./metallb" + tier = local.tiers.core } module "monitoring" { 
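Review bot: `tier = local.tiers.cluster` in `module "k8s-dashboard"` is inserted between `source` and `for_each`, while the other module blocks in this hunk place it after the inputs and before `depends_on` — keep one order (`source`, `for_each`, inputs, `tier`, `depends_on`) so the per-module boilerplate stays scannable. `module "dbaas"` and `module "metallb"` are both given `local.tiers.core` ("Bare minimum cluster primitives"), yet the `dbaas/main.tf` hunks above also stamp that tier on `phpmyadmin` and `pgadmin`; if the core tier is meant to stay minimal those admin UIs arguably belong lower, and a comment on the assignment would settle it. The modules these hunks now pass `tier` into but which are not in this chunk (`metallb`, and `monitoring` whose block continues past the hunk) must each declare `variable "tier"` or the apply fails with an unexpected-argument error.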
@@ -273,6 +290,7 @@ module "monitoring" { haos_api_token = var.haos_api_token pve_password = var.pve_password grafana_db_password = var.grafana_db_password + tier = local.tiers.cluster } # module "oauth" { @@ -305,21 +323,24 @@ module "privatebin" { source = "./privatebin" for_each = contains(local.active_modules, "privatebin") ? { privatebin = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } -module "vault" { - source = "./vault" - for_each = contains(local.active_modules, "vault") ? { vault = true } : {} - tls_secret_name = var.tls_secret_name +# module "vault" { +# source = "./vault" +# tier = local.tiers.edge +# for_each = contains(local.active_modules, "vault") ? { vault = true } : {} +# tls_secret_name = var.tls_secret_name - depends_on = [null_resource.core_services] -} +# depends_on = [null_resource.core_services] +# } module "reloader" { source = "./reloader" for_each = contains(local.active_modules, "reloader") ? { reloader = true } : {} + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -328,6 +349,7 @@ module "shadowsocks" { source = "./shadowsocks" for_each = contains(local.active_modules, "shadowsocks") ? { shadowsocks = true } : {} password = var.shadowsocks_password + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -336,6 +358,7 @@ module "city-guesser" { source = "./city-guesser" for_each = contains(local.active_modules, "city-guesser") ? { city-guesser = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -344,6 +367,7 @@ module "echo" { for_each = contains(local.active_modules, "echo") ? { echo = true } : {} tls_secret_name = var.tls_secret_name depends_on = [null_resource.core_services] + tier = local.tiers.edge } module "url" { 
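Review bot: The vault module is commented out wholesale instead of being dropped from `local.active_modules`, although the `for_each = contains(local.active_modules, "vault") …` guard the block keeps exists for exactly this case. Both routes make Terraform destroy the `./vault` resources on the next apply, but the commented block will drift silently (it already carries a `tier` line that no longer feeds a live module call), while the guard keeps the block covered by `terraform validate`. If keeping the dead block is intentional, a one-line reason above it, `# vault disabled: <TODO reason/date>; re-enable via active_modules`, tells the next reader which it is.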
@@ -353,6 +377,7 @@ module "url" { geolite_license_key = var.url_shortener_geolite_license_key api_key = var.url_shortener_api_key mysql_password = var.url_shortener_mysql_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -368,6 +393,7 @@ module "webhook_handler" { git_user = var.webhook_handler_git_user git_token = var.webhook_handler_git_token ssh_key = var.webhook_handler_ssh_key + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -379,6 +405,7 @@ module "wireguard" { wg_0_conf = var.wireguard_wg_0_conf wg_0_key = var.wireguard_wg_0_key firewall_sh = var.wireguard_firewall_sh + tier = local.tiers.cluster depends_on = [null_resource.core_services] } @@ -404,6 +431,7 @@ module "excalidraw" { source = "./excalidraw" for_each = contains(local.active_modules, "excalidraw") ? { excalidraw = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -420,6 +448,7 @@ module "travel_blog" { source = "./travel_blog" for_each = contains(local.active_modules, "travel_blog") ? { travel_blog = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -429,6 +458,7 @@ module "technitium" { for_each = contains(local.active_modules, "technitium") ? { technitium = true } : {} tls_secret_name = var.tls_secret_name homepage_token = var.homepage_credentials["technitium"]["token"] + tier = local.tiers.core } module "headscale" { @@ -437,6 +467,7 @@ module "headscale" { tls_secret_name = var.tls_secret_name headscale_config = var.headscale_config headscale_acl = var.headscale_acl + tier = local.tiers.core depends_on = [null_resource.core_services] } @@ -445,6 +476,7 @@ module "dashy" { source = "./dashy" for_each = contains(local.active_modules, "dashy") ? { dashy = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -459,6 +491,7 @@ module "vaultwarden" { for_each = contains(local.active_modules, "vaultwarden") ? { vaultwarden = true } : {} tls_secret_name = var.tls_secret_name smtp_password = var.vaultwarden_smtp_password + tier = local.tiers.edge } module "reverse-proxy" { @@ -474,6 +507,7 @@ module "send" { source = "./send" for_each = contains(local.active_modules, "send") ? { send = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -482,12 +516,14 @@ module "redis" { source = "./redis" for_each = contains(local.active_modules, "redis") ? { redis = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.core } module "ytdlp" { source = "./youtube_dl" for_each = contains(local.active_modules, "ytdlp") ? { ytdlp = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -499,12 +535,14 @@ module "immich" { postgresql_password = var.immich_postgresql_password frame_api_key = var.immich_frame_api_key homepage_token = var.homepage_credentials["immich"]["token"] + tier = local.tiers.gpu depends_on = [null_resource.core_services] } module "nginx-ingress" { source = "./nginx-ingress" + tier = local.tiers.core for_each = contains(local.active_modules, "nginx-ingress") ? { nginx-ingress = true } : {} honeypotapikey = var.ingress_honeypotapikey crowdsec_api_key = var.ingress_crowdsec_api_key @@ -514,6 +552,7 @@ module "nginx-ingress" { module "crowdsec" { source = "./crowdsec" + tier = local.tiers.cluster for_each = contains(local.active_modules, "crowdsec") ? { crowdsec = true } : {} tls_secret_name = var.tls_secret_name homepage_username = var.homepage_credentials["crowdsec"]["username"] 
@@ -537,6 +576,7 @@ module "uptime-kuma" { source = "./uptime-kuma" for_each = contains(local.active_modules, "uptime-kuma") ? { uptime-kuma = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.cluster depends_on = [null_resource.core_services] } @@ -547,6 +587,7 @@ module "calibre" { tls_secret_name = var.tls_secret_name homepage_username = var.homepage_credentials["calibre-web"]["username"] homepage_password = var.homepage_credentials["calibre-web"]["password"] + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -561,6 +602,7 @@ module "audiobookshelf" { source = "./audiobookshelf" for_each = contains(local.active_modules, "audiobookshelf") ? { audiobookshelf = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -569,6 +611,7 @@ module "frigate" { source = "./frigate" for_each = contains(local.active_modules, "frigate") ? { frigate = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu depends_on = [null_resource.core_services] } @@ -582,6 +625,7 @@ module "frigate" { module "cloudflared" { source = "./cloudflared" + tier = local.tiers.core # for_each = contains(local.active_modules, "cloudflared") ? { cloudflared = true } : {} tls_secret_name = var.tls_secret_name @@ -616,6 +660,7 @@ module "cloudflared" { module "metrics-server" { source = "./metrics-server" + tier = local.tiers.cluster for_each = contains(local.active_modules, "metrics-server") ? { metrics-server = true } : {} tls_secret_name = var.tls_secret_name } @@ -628,6 +673,7 @@ module "paperless-ngx" { # homepage_token = var.homepage_credentials["paperless-ngx"]["token"] homepage_username = var.homepage_credentials["paperless-ngx"]["username"] homepage_password = var.homepage_credentials["paperless-ngx"]["password"] + tier = local.tiers.edge depends_on = [null_resource.core_services] } 
@@ -636,6 +682,7 @@ module "jsoncrack" { source = "./jsoncrack" for_each = contains(local.active_modules, "jsoncrack") ? { jsoncrack = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -644,6 +691,7 @@ module "servarr" { source = "./servarr" for_each = contains(local.active_modules, "servarr") ? { servarr = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] aiostreams_database_connection_string = var.aiostreams_database_connection_string @@ -658,6 +706,7 @@ module "ollama" { # Disabled as it requires too much resources... source = "./ollama" for_each = contains(local.active_modules, "ollama") ? { ollama = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu depends_on = [null_resource.core_services] } @@ -666,6 +715,7 @@ module "ntfy" { source = "./ntfy" for_each = contains(local.active_modules, "ntfy") ? { ntfy = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -674,6 +724,7 @@ module "cyberchef" { source = "./cyberchef" for_each = contains(local.active_modules, "cyberchef") ? { cyberchef = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -684,6 +735,7 @@ module "diun" { tls_secret_name = var.tls_secret_name diun_nfty_token = var.diun_nfty_token diun_slack_url = var.diun_slack_url + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -692,6 +744,7 @@ module "meshcentral" { source = "./meshcentral" for_each = contains(local.active_modules, "meshcentral") ? { meshcentral = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -699,6 +752,7 @@ module "netbox" { source = "./netbox" for_each = contains(local.active_modules, "netbox") ? { netbox = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux } module "nextcloud" { @@ -706,12 +760,14 @@ module "nextcloud" { for_each = contains(local.active_modules, "nextcloud") ? { nextcloud = true } : {} tls_secret_name = var.tls_secret_name db_password = var.nextcloud_db_password + tier = local.tiers.edge depends_on = [null_resource.core_services] } module "homepage" { source = "./homepage" + tier = local.tiers.aux for_each = contains(local.active_modules, "homepage") ? { homepage = true } : {} tls_secret_name = var.tls_secret_name @@ -722,12 +778,14 @@ module "matrix" { source = "./matrix" for_each = contains(local.active_modules, "matrix") ? { matrix = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } module "authentik" { source = "./authentik" + tier = local.tiers.core for_each = contains(local.active_modules, "authentik") ? { authentik = true } : {} tls_secret_name = var.tls_secret_name secret_key = var.authentik_secret_key @@ -741,6 +799,7 @@ module "linkwarden" { postgresql_password = var.linkwarden_postgresql_password authentik_client_id = var.linkwarden_authentik_client_id authentik_client_secret = var.linkwarden_authentik_client_secret + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -749,6 +808,7 @@ module "actualbudget" { source = "./actualbudget" for_each = contains(local.active_modules, "actualbudget") ? { actualbudget = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -758,6 +818,7 @@ module "owntracks" { for_each = contains(local.active_modules, "owntracks") ? { owntracks = true } : {} tls_secret_name = var.tls_secret_name owntracks_credentials = var.owntracks_credentials + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -768,6 +829,7 @@ module "dawarich" { tls_secret_name = var.tls_secret_name database_password = var.dawarich_database_password geoapify_api_key = var.geoapify_api_key + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -776,6 +838,7 @@ module "changedetection" { source = "./changedetection" for_each = contains(local.active_modules, "changedetection") ? { changedetection = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -785,6 +848,7 @@ module "tandoor" { tls_secret_name = var.tls_secret_name tandoor_database_password = var.tandoor_database_password tandoor_email_password = var.tandoor_email_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -794,6 +858,7 @@ module "n8n" { for_each = contains(local.active_modules, "n8n") ? { n8n = true } : {} tls_secret_name = var.tls_secret_name postgresql_password = var.n8n_postgresql_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -804,6 +869,7 @@ module "real-estate-crawler" { tls_secret_name = var.tls_secret_name db_password = var.realestate_crawler_db_password notification_settings = var.realestate_crawler_notification_settings + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -812,6 +878,7 @@ module "tor-proxy" { source = "./tor-proxy" for_each = contains(local.active_modules, "tor-proxy") ? { tor-proxy = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -828,6 +895,7 @@ module "onlyoffice" { tls_secret_name = var.tls_secret_name db_password = var.onlyoffice_db_password jwt_token = var.onlyoffice_jwt_token + tier = local.tiers.edge depends_on = [null_resource.core_services] } 
@@ -837,6 +905,7 @@ module "forgejo" { source = "./forgejo" for_each = contains(local.active_modules, "forgejo") ? { forgejo = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -845,6 +914,7 @@ module "xray" { source = "./xray" for_each = contains(local.active_modules, "xray") ? { xray = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux xray_reality_clients = var.xray_reality_clients xray_reality_private_key = var.xray_reality_private_key @@ -857,6 +927,7 @@ module "freshrss" { source = "./freshrss" for_each = contains(local.active_modules, "freshrss") ? { freshrss = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -865,6 +936,7 @@ module "navidrome" { source = "./navidrome" for_each = contains(local.active_modules, "navidrome") ? { navidrome = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -873,6 +945,7 @@ module "networking-toolbox" { source = "./networking-toolbox" for_each = contains(local.active_modules, "networking-toolbox") ? { networking-toolbox = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -881,6 +954,7 @@ module "tuya-bridge" { source = "./tuya-bridge" for_each = contains(local.active_modules, "tuya-bridge") ? { tuya-bridge = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.cluster tiny_tuya_api_key = var.tiny_tuya_api_key tiny_tuya_api_secret = var.tiny_tuya_api_secret @@ -895,6 +969,7 @@ module "stirling-pdf" { source = "./stirling-pdf" for_each = contains(local.active_modules, "stirling-pdf") ? { stirling-pdf = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
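Review bot: `xray` receives `local.tiers.aux` (documented as optional user services) while `local.defcon_modules` in the main.tf hunk further up lists it in level 1, the critical-connectivity set whose other members all get core or cluster tiers here (wireguard, technitium, headscale, nginx-ingress, authentik, monitoring); one of the two classifications looks wrong, and if the tier label drives policy or scheduling this demotes a level-1 service. The reverse mismatch appears in the tuya-bridge hunk on this line, which sits in defcon level 4 but gets `local.tiers.cluster`. Unless tier and defcon level are meant as independent axes, `tier = local.tiers.edge` for xray and `tier = local.tiers.aux` for tuya-bridge would align them, and a comment on the `tiers` map stating how the two relate would stop this recurring. Both module blocks continue past the end of their hunks.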
@@ -902,6 +977,7 @@ module "stirling-pdf" { module "isponsorblocktv" { source = "./isponsorblocktv" for_each = contains(local.active_modules, "isponsorblocktv") ? { isponsorblocktv = true } : {} + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -910,12 +986,14 @@ module "nvidia" { source = "./nvidia" for_each = contains(local.active_modules, "nvidia") ? { nvidia = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu } module "ebook2audiobook" { source = "./ebook2audiobook" for_each = contains(local.active_modules, "ebook2audiobook") ? { ebook2audiobook = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu } module "rybbit" { @@ -924,6 +1002,7 @@ module "rybbit" { tls_secret_name = var.tls_secret_name clickhouse_password = var.clickhouse_password postgres_password = var.clickhouse_postgres_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -933,6 +1012,13 @@ module "wealthfolio" { for_each = contains(local.active_modules, "wealthfolio") ? { wealthfolio = true } : {} tls_secret_name = var.tls_secret_name wealthfolio_password_hash = var.wealthfolio_password_hash + tier = local.tiers.aux depends_on = [null_resource.core_services] } + +module "kyverno" { + source = "./kyverno" + for_each = contains(local.active_modules, "kyverno") ? { kyverno = true } : {} + depends_on = [null_resource.core_services] +} diff --git a/modules/kubernetes/matrix/main.tf b/modules/kubernetes/matrix/main.tf index bd025f73..12a069af 100644 --- a/modules/kubernetes/matrix/main.tf +++ b/modules/kubernetes/matrix/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "matrix" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "matrix" { name = "matrix" namespace = kubernetes_namespace.matrix.metadata[0].name labels = { - app = "matrix" + app = "matrix" + tier = var.tier } } spec { 
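Review bot: `module "kyverno"` is the only module block added here without a `tier = local.tiers.<x>` argument, although the commit threads that argument through every other module call and adds kyverno to `local.defcon_modules`. If `./kyverno` declares `variable "tier" { type = string }` like the other modules in this diff, the call fails at plan time for the missing required argument; if it does not, its objects simply stay unlabelled — either way `tier = local.tiers.cluster` (the tier its level-2 neighbours metrics-server and crowdsec get) keeps it consistent. If kyverno is the consumer of the tier label, that is also worth a one-line comment on the block, e.g. `# Enforces policies keyed on the tier label set by the other modules`, so the dependency is visible.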
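Review bot: The `variable "tier" { type = string }` added to the matrix module (and likewise to meshcentral and metallb on the next line) accepts any string, while `local.tiers` in main.tf fixes exactly five accepted values; a typo or an unlisted value in a `tier = …` argument therefore propagates unchecked into the `tier` label, which is the wrong place to discover it if policies or selectors match on that label. A `validation` block on each module's variable rejects anything outside the known set at plan time; the allowed list must be kept in step with `local.tiers`, which the comment in the snippet points at.

```terraform
variable "tier" {
  type = string

  # Keep in step with local.tiers in modules/kubernetes/main.tf.
  validation {
    condition     = contains(["0-core", "1-cluster", "2-gpu", "3-edge", "4-aux"], var.tier)
    error_message = "tier must be one of the values defined in local.tiers (0-core, 1-cluster, 2-gpu, 3-edge, 4-aux)."
  }
}
```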
diff --git a/modules/kubernetes/meshcentral/main.tf b/modules/kubernetes/meshcentral/main.tf
index 12609f05..563d53dc 100644
--- a/modules/kubernetes/meshcentral/main.tf
+++ b/modules/kubernetes/meshcentral/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 
 resource "kubernetes_namespace" "meshcentral" {
 metadata {
@@ -20,7 +21,8 @@ resource "kubernetes_deployment" "meshcentral" {
 name = "meshcentral"
 namespace = kubernetes_namespace.meshcentral.metadata[0].name
 labels = {
- app = "meshcentral"
+ app = "meshcentral"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/metallb/main.tf b/modules/kubernetes/metallb/main.tf
index 374f377c..1659f08e 100644
--- a/modules/kubernetes/metallb/main.tf
+++ b/modules/kubernetes/metallb/main.tf
@@ -4,16 +4,29 @@
 # source = "colinwilson/metallb/kubernetes"
 # version = "0.1.7"
 # }
+variable "tier" { type = string }
+
+resource "kubernetes_namespace" "metallb" {
+ metadata {
+ name = "metallb-system"
+ labels = {
+ app = "metallb"
+ # "istio-injection" : "disabled"
+ # tier = var.tier
+ }
+ }
+}
 
 module "metallb" {
- source = "ViktorBarzin/metallb/kubernetes"
- version = "0.1.5"
+ source = "ViktorBarzin/metallb/kubernetes"
+ version = "0.1.5"
+ depends_on = [kubernetes_namespace.metallb]
 }
 
 resource "kubernetes_config_map" "config" {
 metadata {
 name = "config"
- namespace = "metallb-system"
+ namespace = kubernetes_namespace.metallb.metadata[0].name
 }
 data = {
 config = <
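Review bot: In the new `kubernetes_namespace.metallb` the `tier = var.tier` line is commented out, so `variable "tier"` is declared but never used and the `tier = local.tiers.core` that main.tf now passes to `module "metallb"` never reaches the namespace — the one module in this diff where the label silently goes nowhere. Either restore the line (`tier = var.tier`) or add a comment stating why the label is withheld here. Separately, creating `metallb-system` in this module is only safe if the registry module `ViktorBarzin/metallb/kubernetes` 0.1.5 does not also manage that namespace; if it does, two resources own one object and successive applies will fight over it, which is worth confirming against the module source before merging. The `kubernetes_config_map.config` block continues past the end of the hunk.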