diff --git a/infra/gitea/vault/agent.hcl b/infra/gitea/vault/agent.hcl
new file mode 100644
index 00000000..1041b88d
--- /dev/null
+++ b/infra/gitea/vault/agent.hcl
@@ -0,0 +1,35 @@
+auto_auth {
+ method "approle" {
+ mount_path = "auth/approle"
+ config = {
+ role_id_file_path = "/vault/secrets/role_id"
+ secret_id_file_path = "/vault/secrets/secret_id"
+ }
+ }
+ sink "file" { config = { path = "/vault/.token" } }
+}
+
+template {
+ source = "/etc/vault/templates/gitea_db_pass.ctmpl"
+ destination = "/vault/secrets/gitea_db_pass"
+}
+
+template {
+ source = "/etc/vault/templates/minio_access_key.ctmpl"
+ destination = "/vault/secrets/minio_access_key"
+}
+
+template {
+ source = "/etc/vault/templates/minio_secret_key.ctmpl"
+ destination = "/vault/secrets/minio_secret_key"
+}
+
+template {
+ source = "/etc/vault/templates/mail_account.ctmpl"
+ destination = "/vault/secrets/mail_account"
+}
+
+template {
+ source = "/etc/vault/templates/mail_secret.ctmpl"
+ destination = "/vault/secrets/mail_secret"
+}
diff --git a/infra/gitea/vault/templates/gitea_db_pass.ctmpl b/infra/gitea/vault/templates/gitea_db_pass.ctmpl
new file mode 100644
index 00000000..2891b362
--- /dev/null
+++ b/infra/gitea/vault/templates/gitea_db_pass.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/cicd/gitea" }}{{ .Data.data.gitea_db_pass }}{{- end -}}
diff --git a/infra/gitea/vault/templates/mail_account.ctmpl b/infra/gitea/vault/templates/mail_account.ctmpl
new file mode 100644
index 00000000..d951280d
--- /dev/null
+++ b/infra/gitea/vault/templates/mail_account.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/cicd/gitea" }}{{ .Data.data.mail_account }}{{- end -}}
diff --git a/infra/gitea/vault/templates/mail_secret.ctmpl b/infra/gitea/vault/templates/mail_secret.ctmpl
new file mode 100644
index 00000000..a0cafcae
--- /dev/null
+++ b/infra/gitea/vault/templates/mail_secret.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/cicd/gitea" }}{{ .Data.data.mail_secret }}{{- end -}}
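Review bot: None of the five template stanzas in infra/gitea/vault/agent.hcl sets `perms`, so the rendered `gitea_db_pass`, `minio_secret_key` and `mail_secret` files fall back to Vault Agent's default for a file that does not yet exist (0644 per the agent template docs), i.e. readable by every uid in the container. The registry, s3 and woodpecker agents in this same change put `perms = "0440"` on every secret template; add the same line after each `destination` here. Every template also uses `{{ with secret ... }}` with no fallback and so renders an empty file when the secret or key is absent, which a consumer that only tests `-f` will happily start with; setting `error_on_missing_key = true` in each stanza makes the agent fail at render time for at least the missing-key case. There is no `vault { address = ... }` block either, so this agent must be taking its address from `VAULT_ADDR` in the environment — worth confirming it is set, and set to an https URL if Vault has TLS.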
diff --git a/infra/gitea/vault/templates/minio_access_key.ctmpl b/infra/gitea/vault/templates/minio_access_key.ctmpl
new file mode 100644
index 00000000..333129e2
--- /dev/null
+++ b/infra/gitea/vault/templates/minio_access_key.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/s3/gitea" }}{{ .Data.data.access_key_id }}{{- end -}}
diff --git a/infra/gitea/vault/templates/minio_secret_key.ctmpl b/infra/gitea/vault/templates/minio_secret_key.ctmpl
new file mode 100644
index 00000000..13b9a10c
--- /dev/null
+++ b/infra/gitea/vault/templates/minio_secret_key.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/s3/gitea" }}{{ .Data.data.secret_access_key }}{{- end -}}
\ No newline at end of file
diff --git a/infra/monitoring/vault-agent/agent.hcl b/infra/monitoring/vault-agent/agent.hcl
new file mode 100644
index 00000000..3b730237
--- /dev/null
+++ b/infra/monitoring/vault-agent/agent.hcl
@@ -0,0 +1,31 @@
+exit_after_auth = false
+pid_file = "/tmp/vault-agent.pid"
+
+vault {
+ address = "http://vault:8200"
+}
+
+auto_auth {
+ method "approle" {
+ mount_path = "auth/approle"
+ config = {
+ role_id_file_path = "/etc/vault/role_id"
+ secret_id_file_path = "/etc/vault/secret_id"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+ sink "file" { config = { path = "/vault/secrets/.vault-token" } }
+}
+
+template {
+ source = "/etc/vault/templates/grafana.env.ctmpl"
+ destination = "/vault/secrets/grafana.env"
+ perms = "0644"
+ command = "chown 472:472 /vault/secrets/grafana.env"
+}
+
+template {
+ source = "/etc/vault/templates/alertmanager.yml.ctmpl"
+ destination = "/vault/alertmanager/alertmanager.yml"
+ perms = "0644"
+}
diff --git a/infra/monitoring/vault-agent/templates/alertmanager.yml.ctmpl b/infra/monitoring/vault-agent/templates/alertmanager.yml.ctmpl
new file mode 100644
index 00000000..30c1cc3f
--- /dev/null
+++ b/infra/monitoring/vault-agent/templates/alertmanager.yml.ctmpl
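Review bot: In infra/monitoring/vault-agent/agent.hcl, grafana.env is rendered with `perms = "0644"` and then `chown 472:472`, so the Grafana admin password in it stays readable by every uid in the container, and alertmanager.yml, which carries the Telegram bot token, gets the same world-readable mode. Use `perms = "0640"` (or `0400`) together with the chown for grafana.env, and `0640` for alertmanager.yml, in line with the `0440` the registry, s3 and woodpecker agents use. The `vault { address = "http://vault:8200" }` block talks to Vault over plaintext HTTP, so the AppRole secret_id, the returned token and every rendered secret cross the Docker network unencrypted; if Vault is serving TLS, switch to `https://` and set `ca_cert`. `remove_secret_id_file_after_reading = false` additionally keeps the secret_id on disk at `/etc/vault/secret_id` for the container's whole lifetime, which is only acceptable if that mount is tmpfs or otherwise short-lived — worth a comment either way.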
@@ -0,0 +1,18 @@
+route:
+ receiver: 'telegram'
+ group_by: ['alertname', 'instance']
+ group_wait: 30s
+ group_interval: 5m
+ repeat_interval: 3h
+
+receivers:
+ - name: 'telegram'
+ telegram_configs:
+ - bot_token: '{{ with secret "kv/data/monitoring/telegram" }}{{ .Data.data.token }}{{ end }}'
+ chat_id: {{ with secret "kv/data/monitoring/telegram" }}{{ .Data.data.admin_chat_id }}{{ end }} # put your numeric chat id here, or also render from Vault if you want
+ message: |
+ 🚨 *{{ "{{ .Status | toUpper }}" }}* — {{ "{{ .CommonLabels.alertname }}" }}
+ *Instance:* {{ "{{ .CommonLabels.instance }}" }}
+ *Summary:* {{ "{{ .CommonAnnotations.summary }}" }}
+ *Description:* {{ "{{ .CommonAnnotations.description }}" }}
+ parse_mode: 'Markdown'
diff --git a/infra/monitoring/vault-agent/templates/grafana.env.ctmpl b/infra/monitoring/vault-agent/templates/grafana.env.ctmpl
new file mode 100644
index 00000000..84f1dc1a
--- /dev/null
+++ b/infra/monitoring/vault-agent/templates/grafana.env.ctmpl
@@ -0,0 +1,4 @@
+GF_SECURITY_ADMIN_USER="{{ with secret "kv/data/monitoring/grafana" }}{{ .Data.data.username }}{{ end }}"
+GF_SECURITY_ADMIN_PASSWORD="{{ with secret "kv/data/monitoring/grafana" }}{{ .Data.data.password }}{{ end }}"
+GF_AUTH_ANONYMOUS_ENABLED="false"
+GF_USERS_ALLOW_SIGN_UP="false"
\ No newline at end of file
diff --git a/infra/registry/vault/agent.hcl b/infra/registry/vault/agent.hcl
new file mode 100644
index 00000000..751ed6e4
--- /dev/null
+++ b/infra/registry/vault/agent.hcl
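Review bot: The trailing comment on the `chat_id:` line of alertmanager.yml.ctmpl, `# put your numeric chat id here, or also render from Vault if you want`, is stale — the value is already rendered from `kv/data/monitoring/telegram` on that same line — so drop it or replace it with `# rendered from kv/data/monitoring/telegram`. Both `bot_token` and `chat_id` are wrapped in `{{ with secret ... }}` with no fallback, so a missing secret renders `bot_token: ''` and an empty `chat_id:`, which Alertmanager rejects at load instead of the agent failing at render; `error_on_missing_key = true` on the template stanza in agent.hcl surfaces that earlier. Finally, `parse_mode: 'Markdown'` interpolates the `summary` and `description` annotations unescaped, so an annotation containing `*` or `_` yields malformed Markdown that the Telegram API will typically refuse, i.e. a silently dropped alert; either escape those fields in the message template or send plain text.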
@@ -0,0 +1,22 @@
+auto_auth {
+ method "approle" {
+ mount_path = "auth/approle"
+ config = {
+ role_id_file_path = "/vault/secrets/role_id"
+ secret_id_file_path = "/vault/secrets/secret_id"
+ }
+ }
+ sink "file" { config = { path = "/vault/.token" } }
+}
+
+template {
+ source = "/etc/vault/templates/htpasswd.ctmpl"
+ destination = "/vault/secrets/htpasswd"
+ perms = "0440"
+}
+
+template {
+ source = "/etc/vault/templates/s3.env.ctmpl"
+ destination = "/vault/secrets/env"
+ perms = "0440"
+}
diff --git a/infra/registry/vault/templates/htpasswd.ctmpl b/infra/registry/vault/templates/htpasswd.ctmpl
new file mode 100644
index 00000000..f889308c
--- /dev/null
+++ b/infra/registry/vault/templates/htpasswd.ctmpl
@@ -0,0 +1,3 @@
+{{- with secret "kv/data/registry" -}}
+{{ .Data.data.htpasswd }}
+{{- end -}}
\ No newline at end of file
diff --git a/infra/registry/vault/templates/s3.env.ctmpl b/infra/registry/vault/templates/s3.env.ctmpl
new file mode 100644
index 00000000..e782a611
--- /dev/null
+++ b/infra/registry/vault/templates/s3.env.ctmpl
@@ -0,0 +1,8 @@
+{{- with secret "kv/data/s3/registry" -}}
+REGISTRY_STORAGE_S3_ACCESSKEY={{ .Data.data.access_key_id }}
+REGISTRY_STORAGE_S3_SECRETKEY="{{ .Data.data.secret_access_key }}"
+{{ end }}
+
+{{- with secret "kv/data/registry" -}}
+REGISTRY_HTTP_SECRET="{{ .Data.data.http_secret }}"
+{{ end }}
\ No newline at end of file
diff --git a/infra/s3/minio-entrypoint.sh b/infra/s3/minio-entrypoint.sh
new file mode 100644
index 00000000..56d283bd
--- /dev/null
+++ b/infra/s3/minio-entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+echo "Waiting for Vault Agent to render /vault/secrets/minio.env..."
+while [ ! -f /vault/secrets/minio.env ]; do
+ sleep 0.5
+done
+
+echo "Vault secrets ready, starting MinIO..."
+exec minio "$@"
\ No newline at end of file
diff --git a/infra/s3/minio-wait.sh b/infra/s3/minio-wait.sh
new file mode 100644
index 00000000..5a417506
--- /dev/null
+++ b/infra/s3/minio-wait.sh
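Review bot: minio-entrypoint.sh blocks on `/vault/secrets/minio.env`, but nothing in this change renders that file: infra/s3/vault/agent.hcl writes `/vault/secrets/MINIO_ROOT_USER` and `/vault/secrets/MINIO_ROOT_PASSWORD`, and infra/s3/minio-wait.sh, added in the same commit, already polls exactly those two files. Unless a compose file outside this diff renders `minio.env`, this script never gets past the `while` loop, and even when the file does exist the `-f` test passes on a zero-byte render. Either remove this script in favour of minio-wait.sh or align it with the agent, e.g. `while [ ! -s /vault/secrets/MINIO_ROOT_USER ] || [ ! -s /vault/secrets/MINIO_ROOT_PASSWORD ]; do`, and bound the wait with a counter and a nonzero exit so a broken agent shows up as a failed container rather than a hung one.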
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+until [ -s /vault/secrets/MINIO_ROOT_USER ] && [ -s /vault/secrets/MINIO_ROOT_PASSWORD ]; do
+ echo "waiting for MINIO creds"; sleep 1
+done
+exec /usr/bin/minio "$@"
\ No newline at end of file
diff --git a/infra/s3/vault/agent.hcl b/infra/s3/vault/agent.hcl
new file mode 100644
index 00000000..0b783c37
--- /dev/null
+++ b/infra/s3/vault/agent.hcl
@@ -0,0 +1,29 @@
+auto_auth {
+ method "approle" {
+ mount_path = "auth/approle"
+ config = {
+ role_id_file_path = "/vault/secrets/role_id"
+ secret_id_file_path = "/vault/secrets/secret_id"
+ }
+ }
+
+ sink "file" {
+ config = { path = "/vault/token" }
+ }
+}
+
+template {
+ source = "/etc/vault/templates/user.ctmpl"
+ destination = "/vault/secrets/MINIO_ROOT_USER"
+ perms = "0440"
+}
+
+template {
+ source = "/etc/vault/templates/password.ctmpl"
+ destination = "/vault/secrets/MINIO_ROOT_PASSWORD"
+ perms = "0440"
+}
+
+vault {
+ address = "http://vault_vault:8200"
+}
\ No newline at end of file
diff --git a/infra/s3/vault/templates/password.ctmpl b/infra/s3/vault/templates/password.ctmpl
new file mode 100644
index 00000000..73f44a3c
--- /dev/null
+++ b/infra/s3/vault/templates/password.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/s3/minio" }}{{ .Data.data.password }}{{ end }}
diff --git a/infra/s3/vault/templates/user.ctmpl b/infra/s3/vault/templates/user.ctmpl
new file mode 100644
index 00000000..74f6acf0
--- /dev/null
+++ b/infra/s3/vault/templates/user.ctmpl
@@ -0,0 +1 @@
+{{ with secret "kv/data/s3/minio" }}{{ .Data.data.user }}{{ end }}
diff --git a/infra/woodpecker/vault/agent.hcl b/infra/woodpecker/vault/agent.hcl
new file mode 100644
index 00000000..149b7284
--- /dev/null
+++ b/infra/woodpecker/vault/agent.hcl
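Review bot: minio-wait.sh waits until `/vault/secrets/MINIO_ROOT_USER` and `/vault/secrets/MINIO_ROOT_PASSWORD` are non-empty and then runs `exec /usr/bin/minio "$@"`, but nothing hands those files to MinIO: they are neither exported as `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` nor pointed to by the `*_FILE` variables the official image's docker-entrypoint.sh understands, and exec'ing `/usr/bin/minio` directly bypasses that entrypoint. Unless the compose service (not in this diff) wires those variables, MinIO starts without the Vault-managed root credentials. Export them before the exec, e.g. `MINIO_ROOT_USER="$(cat /vault/secrets/MINIO_ROOT_USER)" MINIO_ROOT_PASSWORD="$(cat /vault/secrets/MINIO_ROOT_PASSWORD)" exec /usr/bin/minio "$@"`, or set `MINIO_ROOT_USER_FILE`/`MINIO_ROOT_PASSWORD_FILE` and exec the image's entrypoint. The `until` loop also has no upper bound, so a misconfigured agent leaves the container printing "waiting for MINIO creds" forever instead of failing.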
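Review bot: `vault { address = "http://vault_vault:8200" }` in infra/s3/vault/agent.hcl sends the AppRole login, the returned token and every rendered secret over plaintext HTTP; the monitoring agent in this same change uses `http://vault:8200`, so either two Vault hosts are in play or one of the two addresses is wrong, and both should move to `https://` with `ca_cert` if Vault serves TLS. The `user.ctmpl` and `password.ctmpl` files rendered here close with `{{ end }}` rather than the `{{- end -}}` the gitea templates use, and neither file is marked "No newline at end of file", so MINIO_ROOT_PASSWORD is written with a trailing newline; whether that newline ends up in the password depends on how the consumer reads the file, so trim it to match the rest of the repo, `{{ with secret "kv/data/s3/minio" }}{{ .Data.data.password }}{{- end -}}`, and likewise for `user.ctmpl`.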
@@ -0,0 +1,38 @@
+exit_after_auth = false
+pid_file = "/vault/secrets/vault-agent.pid"
+
+auto_auth {
+ method "approle" {
+ mount_path = "auth/approle"
+ config = {
+ role_id_file_path = "/vault/secrets/role_id"
+ secret_id_file_path = "/vault/secrets/secret_id"
+ }
+ }
+ sink "file" { config = { path = "/vault/secrets/.vault-token" } }
+}
+
+# Render secrets to lowercase files
+template {
+ source = "/etc/vault/templates/agent_secret.ctmpl"
+ destination = "/vault/secrets/agent_secret"
+ perms = "0440"
+}
+
+template {
+ source = "/etc/vault/templates/gitea_client_id.ctmpl"
+ destination = "/vault/secrets/gitea_client_id"
+ perms = "0440"
+}
+
+template {
+ source = "/etc/vault/templates/gitea_client_secret.ctmpl"
+ destination = "/vault/secrets/gitea_client_secret"
+ perms = "0440"
+}
+
+template {
+ source = "/etc/vault/templates/pg_dsn.ctmpl"
+ destination = "/vault/secrets/pg_dsn"
+ perms = "0644"
+}
diff --git a/infra/woodpecker/vault/templates/agent_secret.ctmpl b/infra/woodpecker/vault/templates/agent_secret.ctmpl
new file mode 100644
index 00000000..d5227c91
--- /dev/null
+++ b/infra/woodpecker/vault/templates/agent_secret.ctmpl
@@ -0,0 +1,3 @@
+{{ with secret "kv/data/cicd/woodpecker/agent" -}}
+{{ .Data.data.secret }}
+{{- end }}
\ No newline at end of file
diff --git a/infra/woodpecker/vault/templates/gitea_client_id.ctmpl b/infra/woodpecker/vault/templates/gitea_client_id.ctmpl
new file mode 100644
index 00000000..52d803c2
--- /dev/null
+++ b/infra/woodpecker/vault/templates/gitea_client_id.ctmpl
@@ -0,0 +1,3 @@
+{{ with secret "kv/data/cicd/woodpecker" -}}
+{{ .Data.data.gitea_client_id }}
+{{- end }}
\ No newline at end of file
diff --git a/infra/woodpecker/vault/templates/gitea_client_secret.ctmpl b/infra/woodpecker/vault/templates/gitea_client_secret.ctmpl
new file mode 100644
index 00000000..4e6b2c32
--- /dev/null
+++ b/infra/woodpecker/vault/templates/gitea_client_secret.ctmpl
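Review bot: The `pg_dsn` template is the one secret in infra/woodpecker/vault/agent.hcl rendered with `perms = "0644"` while `agent_secret`, `gitea_client_id` and `gitea_client_secret` get `0440`; a Postgres DSN normally embeds the database password, so this file should be `perms = "0440"` too, and if a different uid needs to read it the fix is a `command = "chown ..."` like the monitoring agent uses, not a wider mode. `pid_file = "/vault/secrets/vault-agent.pid"` also drops a non-secret, agent-owned file into the directory that the Woodpecker containers presumably mount for secrets; `pid_file = "/tmp/vault-agent.pid"`, as in the monitoring agent, keeps that mount secrets-only. If the `perms = "0644"` on pg_dsn is deliberate, a one-line comment above that stanza saying which process needs it would stop the next reader from "fixing" it.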
@@ -0,0 +1,3 @@
+{{ with secret "kv/data/cicd/woodpecker" -}}
+{{ .Data.data.gitea_client_secret }}
+{{- end }}
\ No newline at end of file
diff --git a/infra/woodpecker/vault/templates/pg_dsn.ctmpl b/infra/woodpecker/vault/templates/pg_dsn.ctmpl
new file mode 100644
index 00000000..5c7cdaed
--- /dev/null
+++ b/infra/woodpecker/vault/templates/pg_dsn.ctmpl
@@ -0,0 +1 @@
+{{- with secret "kv/data/cicd/woodpecker" -}}{{ .Data.data.pg_dsn }}{{- end -}}