diff --git a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
index d952226..9418587 100644
--- a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
+++ b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
@@ -27,6 +27,19 @@ spec:
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+ name: kube-prometheus
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: ./gitops/home-kubernetes/kube-prometheus
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
 name: ingress-nginx
 namespace: flux-system
diff --git a/gitops/home-kubernetes/kube-prometheus/helmrelease.yaml b/gitops/home-kubernetes/kube-prometheus/helmrelease.yaml
new file mode 100644
index 0000000..d3e99b8
--- /dev/null
+++ b/gitops/home-kubernetes/kube-prometheus/helmrelease.yaml
@@ -0,0 +1,81 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: kube-prometheus-stack
+ namespace: monitoring
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: kube-prometheus-stack
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ install:
+ createNamespace: true
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ upgrade:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ values:
+ prometheus:
+ prometheusSpec:
+ retention: 60d
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 20Gi
+ resources:
+ requests:
+ memory: 0.5Gi
+ cpu: 500m
+ limits:
+ memory: 4Gi
+ cpu: 2
+ serviceMonitorSelectorNilUsesHelmValues: false
+ podMonitorSelectorNilUsesHelmValues: false
+ ruleSelectorNilUsesHelmValues: false
+
+ alertmanager:
+ alertmanagerSpec:
+ storage:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 3Gi
+
+ grafana:
+ persistence:
+ enabled: true
+ size: 10Gi
+ adminPassword: admin
+ ingress:
+ enabled: true
+ ingressClassName: nginx # adjust if using traefik/contour/etc
+ hosts:
+ - grafana.lab.home.hrajfrisbee.cz
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,Authorization
+ nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.lab.home.hrajfrisbee.cz
+ /oauth2/start?rd=$scheme://$host$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.lab.home.hrajfrisbee.cz
+ /oauth2/auth
+ tls:
+ - secretName: grafana-tls
+ hosts:
+ - grafana.lab.home.hrajfrisbee.cz
+
+ prometheusOperator:
+ admissionWebhooks:
+ certManager:
+ enabled: false
\ No newline at end of file
diff --git a/gitops/home-kubernetes/kube-prometheus/helmrepository.yaml b/gitops/home-kubernetes/kube-prometheus/helmrepository.yaml
new file mode 100644
index 0000000..1f87738
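Review bot: The `auth-url` and `auth-signin` annotations on the Grafana ingress are unquoted plain scalars continued on a second line, so YAML folds the line break into a space and the rendered value is `https://oauth2-proxy.lab.home.hrajfrisbee.cz /oauth2/auth`, which is not a URL; whether ingress-nginx rejects the annotation or the auth subrequest simply fails, the SSO gate this hunk sets up is not in effect. Put each value on one quoted line, e.g. `nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/auth"` and `nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"` (the readme added in this same commit shows the joined form). Until that is fixed Grafana is protected only by `adminPassword: admin`, a default credential committed to Git in clear text and reachable from anything inside the cluster regardless of the ingress; move it to `admin.existingSecret` backed by a Secret that is either encrypted in the repo (SOPS/SealedSecrets) or created out of band. Separately, `chart.spec` carries no `version`, so with `interval: 30m` and `crds: CreateReplace` Flux will roll to whatever the repository publishes next, including major bumps; pin a semver constraint so chart upgrades are deliberate.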
--- /dev/null
+++ b/gitops/home-kubernetes/kube-prometheus/helmrepository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://prometheus-community.github.io/helm-charts
\ No newline at end of file
diff --git a/gitops/home-kubernetes/kube-prometheus/namespace.yaml b/gitops/home-kubernetes/kube-prometheus/namespace.yaml
new file mode 100644
index 0000000..3335b6a
--- /dev/null
+++ b/gitops/home-kubernetes/kube-prometheus/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
\ No newline at end of file
diff --git a/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml b/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml
index fde01d2..e27d8e7 100644
--- a/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml
+++ b/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml
@@ -31,6 +31,7 @@ spec:
 pass_access_token = true
 skip_provider_button = true
 upstreams = ["static://202"]
+ skip_auth_routes = ["PUT=^/uploads/.*", "POST=^/uploads/.*"]
 extraArgs:
 - --reverse-proxy=true
@@ -38,6 +39,8 @@ spec:
 ingress:
 enabled: true
 className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
 hosts:
 - oauth2-proxy.lab.home.hrajfrisbee.cz
 tls:
diff --git a/gitops/home-kubernetes/oauth-proxy/readme.md b/gitops/home-kubernetes/oauth-proxy/readme.md
new file mode 100644
index 0000000..5c0b77f
--- /dev/null
+++ b/gitops/home-kubernetes/oauth-proxy/readme.md
@@ -0,0 +1,8 @@
+```bash
+
+annotations:
+ nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"
+
+```
\ No newline at end of file
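Review bot: `skip_auth_routes` exempts every `PUT`/`POST` under `/uploads/` from oauth2-proxy on a host that appears to be Internet-facing (the same commit requests a Let's Encrypt certificate for it), so anything those routes do is now gated solely by the upstream application's own checks. Confirm the application authenticates and size-limits those endpoints itself, and anchor the pattern to the real path shape rather than `^/uploads/.*`; a trailing `.*` also matches `/uploads/../api/...`, which becomes a bypass if the upstream normalizes dot-segments before routing. The same exemption is also configured as an nginx `configuration-snippet` on the plane ingress in this commit; keep one mechanism so the allow-list has a single source of truth. The block scalar holding this oauth2-proxy config starts outside the hunk.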
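Review bot: The new annotation asks for a certificate from a ClusterIssuer named `letsencrypt-prod`, while the plane release touched in this same commit references `letsencrypt-production`; unless both issuers exist, one of these hosts never gets a certificate and ingress-nginx typically falls back to its self-signed default, which would also break the `auth-signin` redirect to this hostname. Check with `kubectl get clusterissuer` and align the two names. The `ingress` mapping continues past the hunk (`hosts`, `tls`).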
diff --git a/gitops/home-kubernetes/oauth-proxy/secret.yaml b/gitops/home-kubernetes/oauth-proxy/secret.yaml
index 04a547f..c923bf1 100644
--- a/gitops/home-kubernetes/oauth-proxy/secret.yaml
+++ b/gitops/home-kubernetes/oauth-proxy/secret.yaml
@@ -8,4 +8,4 @@ metadata:
 stringData:
 client-id: oauth2-proxy
 client-secret:
- cookie-secret:
\ No newline at end of file
+ cookie-secret: a1f522c2394696c76e88eea54769d9e1
\ No newline at end of file
diff --git a/gitops/home-kubernetes/plane/helmrelease.yaml b/gitops/home-kubernetes/plane/helmrelease.yaml
index 7bf0941..485c6b9 100644
--- a/gitops/home-kubernetes/plane/helmrelease.yaml
+++ b/gitops/home-kubernetes/plane/helmrelease.yaml
@@ -34,6 +34,13 @@ spec:
 ingressClass: nginx
 ingress_annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz /oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz /oauth2/start?rd=$scheme://$host$escaped_request_uri"
+ nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ if ($request_uri ~* "^/uploads/") {
+ set $auth_request_uri "";
+ }
 # nginx.ingress.kubernetes.io/proxy-body-size: "10m"
 # PostgreSQL - local stateful or external
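Review bot: A live `cookie-secret` is now committed in clear text under `stringData`; oauth2-proxy uses that value to sign and encrypt its session cookie, so anyone who can read this repository or its history can forge a session that passes every `auth-url` check added in this commit. Treat the value as burned: generate a fresh one and keep the Secret out of plain Git, for example by encrypting the file with SOPS and setting `spec.decryption` on the Flux Kustomization, or by moving to SealedSecrets/External Secrets; the rotation also invalidates any sessions minted with the leaked key, which is what you want. Note that `client-secret:` is still a bare empty value, which YAML parses as null rather than an empty string, so the OIDC client secret is presumably being set somewhere else entirely.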
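Review bot: Both `auth-url` and `auth-signin` are quoted with a literal space between host and path (`…hrajfrisbee.cz /oauth2/auth`), so the value is not a valid URL and the auth_request gate cannot work as written; the readme added in this commit has the correct joined form. Change them to `nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/auth"` and `nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"`. The `configuration-snippet` is doubtful as well: I know of no `$auth_request_uri` variable in ingress-nginx's generated config, so the `if` block most likely changes nothing, and on controller versions where `allow-snippet-annotations` defaults to false the admission webhook rejects the whole Ingress. Since this commit already adds `skip_auth_routes` for `/uploads/` on the oauth2-proxy side, drop the snippet and verify the exemption with an actual unauthenticated `PUT` to `/uploads/...` rather than by inspection. The `values` mapping that holds `ingress_annotations` starts before the hunk.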