diff --git a/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml b/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml
index b80e6ee..32d9de3 100644
--- a/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml
+++ b/gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml
@@ -6,13 +6,13 @@ metadata:
 spec:
 provider:
 vault:
- server: "https://vault.hrajfrisbee.cz:8200"
+ server: "https://vault.hrajfrisbee.cz"
 path: "secret"
 version: "v2"
 auth:
 appRole:
 path: "approle"
- roleId: "8833d0f8-d35d-d7ea-658b-c27837d121ab" # or reference a secret
+ roleId: "864e352d-2064-2bf9-2c73-dbd676a95368" # or reference a secret
 secretRef:
 name: vault-approle
 key: secret-id
diff --git a/gitops/home-kubernetes/external-secrets/secret-approle.yaml b/gitops/home-kubernetes/external-secrets/secret-approle.yaml
index c75d909..338bc7b 100644
--- a/gitops/home-kubernetes/external-secrets/secret-approle.yaml
+++ b/gitops/home-kubernetes/external-secrets/secret-approle.yaml
@@ -6,5 +6,5 @@ metadata:
 annotations:
 kustomize.toolkit.fluxcd.io/reconcile: disabled
 type: Opaque
-data:
- secret-id: # --- find me in keepass bro ---
\ No newline at end of file
+stringData:
+ secret-id: --- fill in the secret_id ---
diff --git a/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml b/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml
index feb3dda..ae5d7fb 100644
--- a/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml
+++ b/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml
@@ -17,7 +17,7 @@ data:
 ttl 30
 }
 hosts {
- 192.168.0.30 vault.hrajfrisbee.cz
+ # 192.168.0.30 vault.hrajfrisbee.cz
 fallthrough
 }
 prometheus :9153
diff --git a/gitops/home-kubernetes/oauth-proxy/secret.yaml b/gitops/home-kubernetes/oauth-proxy/secret.yaml
index c923bf1..5ae8309 100644
--- a/gitops/home-kubernetes/oauth-proxy/secret.yaml
+++ b/gitops/home-kubernetes/oauth-proxy/secret.yaml
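Review bot: The replacement `roleId` is still a plaintext AppRole role_id committed next to the Secret it pairs with, and the value it replaces now lives on in git history; confirm the old AppRole role (or at least its issued secret_ids) was revoked in Vault rather than only re-pointed here. Vault treats role_id as a low-sensitivity identifier, but together with the `secret-id` from the `vault-approle` Secret it is the complete credential, and the inline comment `# or reference a secret` already names the better option — ESO's `roleRef` can pull the role_id from that same Secret so neither half sits in the manifest. Dropping `:8200` from `server` presumably puts a reverse proxy on 443 in front of the Vault listener (inferred); the CA trust for that endpoint (`caBundle`/`caProvider`) is outside this hunk, so check it still matches the certificate chain the new endpoint presents.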
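Review bot: `secret-id: --- fill in the secret_id ---` turns this tracked manifest into a template meant to be edited in place, which is exactly how a real AppRole secret_id ends up in git; the `kustomize.toolkit.fluxcd.io/reconcile: disabled` annotation only stops Flux from applying the object, it does not stop the repository from recording a filled-in value. Keep the placeholder but state the workflow above it, e.g. `# Applied out-of-band from a local copy; never commit a real secret_id here.`, or move the Secret to an encrypted form (SOPS/SealedSecrets) so the repo can hold the value safely. Quote the placeholder as well, `secret-id: "--- fill in the secret_id ---"`: a plain scalar starting with `---` is valid inside a value but is easily misread as a document separator and trips some linters.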
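Review bot: Commenting out the single entry leaves an inert `hosts { fallthrough }` stanza; with no inline entries the plugin still reads its default hosts file (the CoreDNS pod's own /etc/hosts, as far as I recall) before falling through, so either drop the block or keep the commented line with a reason, e.g. `# vault.hrajfrisbee.cz now resolves via upstream DNS (see external-secrets/cloudsecretstore-vault.yaml)`. The security-relevant effect is that in-cluster clients such as external-secrets now reach Vault at whatever the public record resolves to instead of the LAN address 192.168.0.30, so the network path to Vault and the certificate it presents changed together with this commit's `server` edit; a one-line comment tying the two together will save the next reader from re-adding the override.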
@@ -4,7 +4,7 @@ metadata:
 name: oauth2-proxy-secrets
 namespace: oauth2-proxy
 annotations:
- kustomize.toolkit.fluxcd.io/reconcile: disabled
+ kustomize.toolkit.fluxcd.io/reconcile: disabled
 stringData:
 client-id: oauth2-proxy
 client-secret:
diff --git a/gitops/home-kubernetes/tetragon/helmrelease.yaml b/gitops/home-kubernetes/tetragon/helmrelease.yaml
new file mode 100644
index 0000000..fca0f1a
--- /dev/null
+++ b/gitops/home-kubernetes/tetragon/helmrelease.yaml
@@ -0,0 +1,24 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: tetragon
+ namespace: kube-system
+spec:
+ interval: 1h
+ chart:
+ spec:
+ chart: tetragon
+ version: "1.6.0"
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ namespace: flux-system
+ values:
+ export:
+ stdout:
+ enabledEvents:
+ - PROCESS_EXEC
+ - PROCESS_EXIT
+ - PROCESS_TRACEPOINT # required for oom tracepoint
+ tetragon:
+ btf: /sys/kernel/btf/vmlinux
\ No newline at end of file
diff --git a/gitops/home-kubernetes/tetragon/tracing_policy-oomkill.yaml b/gitops/home-kubernetes/tetragon/tracing_policy-oomkill.yaml
new file mode 100644
index 0000000..5a97442
--- /dev/null
+++ b/gitops/home-kubernetes/tetragon/tracing_policy-oomkill.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: oom-kill
+spec:
+ tracepoints:
+ - subsystem: oom
+ # event: oom_kill
+ event: mark_victim
+ args:
+ - index: 4
+ type: int32
+ label: killed_pid
+ - index: 5
+ type: string
+ label: killed_comm
\ No newline at end of file
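Review bot: Enabling `PROCESS_EXEC` on the stdout exporter writes the full argv of every process in the cluster into the tetragon pod logs, so anything passed as a command-line argument lands in whatever pipeline ships those logs, and anyone who can read kube-system pod logs can read those arguments; Tetragon offers export redaction filters for exactly this, and the trade-off deserves a comment above `enabledEvents`, e.g. `# PROCESS_EXEC exports full argv — apply redaction filters before shipping these logs`. `tetragon.btf: /sys/kernel/btf/vmlinux` pins the release to nodes that expose BTF there, where the agent would otherwise auto-detect as far as I know; a short note that this is deliberate for this cluster's kernel would help. The file also ends without a trailing newline.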
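Review bot: `index: 5` / `label: killed_comm` assumes the `oom:mark_victim` tracepoint record carries a `comm` field after `pid`; older kernels expose only `pid` on that tracepoint and the extra fields arrived in more recent releases, so on such a node the policy most likely fails to load rather than silently dropping the arg — record the requirement, e.g. `# index 4 = pid on all kernels; index 5 (comm) needs a kernel whose mark_victim format lists comm — check /sys/kernel/tracing/events/oom/mark_victim/format`. `type: string` for a fixed-size char array in a tracepoint record is also worth verifying against the tracepoint arg types Tetragon 1.6.0 accepts (I am not certain `string` is the right one here). The commented-out `# event: oom_kill` is a leftover — remove it or note why it was rejected. Like the HelmRelease, the file lacks a trailing newline.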