diff --git a/bootstrap/argo-cd/cluster.k8s-home.enc.yaml b/bootstrap/argo-cd/cluster.k8s-home.enc.yaml
new file mode 100644
index 0000000..1bf5fb7
--- /dev/null
+++ b/bootstrap/argo-cd/cluster.k8s-home.enc.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: k8s-home
+    namespace: argocd
+    labels:
+        argocd.argoproj.io/secret-type: cluster
+type: Opaque
+data:
+    name: ENC[AES256_GCM,data:S3ToIR8J7ic=,iv:pWxJZGp1KizHKM8TaPnyOR4jhygQqheyqadsxtC4dhU=,tag:JM8gFXpykAPHZTzG054TPQ==,type:str]
+    server: ENC[AES256_GCM,data:yjTC5eVq43k0jt6U2k+41MhfdFh3e6wcSa+CFjSlqkfR7vHkelugNHlCLOfgS1P2ny6wuTmOG0APvQJkJU2D1sqhD3ixzqhnTpITGQ==,iv:Glvasq6e6mr9qRyWDG1G3jIPIr/IOhEYmfYyDwUN72U=,tag:/oZywDV6guHNTD5xE8LLaw==,type:str]
+    config: ENC[AES256_GCM,data:W/ho5c1X+67mqGrcw7i7Hey01e1YXMEk+4IIw7DZ4xqxYJmHsPGF9vwqc60hj1GHHoH+ebIAbjnCpNPFWq2ntTk+Jk/k1zu3liGiFIAyg2jBfO5ibcKyR0bOdhD7vCjhyCFASuUrnNhXfcHS0H+KIuPemZ1gvcGzom0l8q3dfqnUOlZDOGHBIAdW25tlqjQk6yA4L+lJgfjqScYRRn0nhF3TyaBY4HglX8NfVPWXStO8wlzPbsNH1fgTd6PJsOzhkY4QHphr7gWVwv8dFaUaz3+XXY90UcclAtwT4Q==,iv:5Xnb2drPCzEAzNt5Srz+twOoNNTHiCs/xyz6IhsXkdY=,tag:ACciPP1mnYl4DsTyQpcABg==,type:str]
+sops:
+    age:
+        - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSeW1QQWZ3dTFRUnIvanZs
+            TFBaSGM4S0ZteEZib014MlBRMUZIMFdHeXpvClFmUklKOVkyQXgyZFRxZ2JmSGk0
+            YUtvaTliUWw2Vkp0cWFzK3oxQVgyeFUKLS0tIEhtRk0wMWdsRUVDMEZNVGlNV3ZF
+            aTRBb3dnWUdQdmZ0ZFlNSmkrUkJialUKrt9XcW1w3Jg/CTmiUAZ6R+6qMv4yjMg2
+            vyUC0BTbJZsBgfIJ6WZ8GlBQ4Zuzviho1cWjitJxNrXvdnvTVlE1PA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-13T01:16:58Z"
+    mac: ENC[AES256_GCM,data:zSpeGLZCnZQfxdw4tM/TRNjsGaNShznOQP93lx/ariw+9XtcDdGg9708RKmbAb+G6Qk5lV9zZ6SZcrq/61aWxfXtEum/hbOBRdbItn9sRrsLKWK9kPCR5Fwe+XYqqJsC4cuwSCwdrWGx32IGbrsm0JowGn7v5QESqGNQponvsu8=,iv:aKpKwsg3OC3zkvI2tnI2z1tcXcTD9iXv7ao2MIBi90g=,tag:dOTIc2Q74XpdWLGkTxnvYw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/bootstrap/argo-cd/secret-generator.yaml b/bootstrap/argo-cd/secret-generator.yaml
new file mode 100644
index 0000000..32b2848
--- /dev/null
+++ b/bootstrap/argo-cd/secret-generator.yaml
@@ -0,0 +1,14 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  # Specify a name
+  name: cluster-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        # if the binary is in your PATH, you can do
+        path: ksops
+        # otherwise, path should be relative to manifest files, like
+        # path: ../../../ksops
+files:
+  - ./cluster.k8s-home.enc.yaml