diff --git a/.sops.yaml b/.sops.yaml
index de19ae7..dcdd6f6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,5 @@
 creation_rules:
   - age: "age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9"
     encrypted_regex: "^(data|stringData)$"
-    path_regex: .*\.enc\.ya?ml
+    path_regex: .*\.ya?ml
+  - age: "age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9"
diff --git a/apps/syncthing/overlays/media/deployment-patch.yaml b/apps/syncthing/overlays/media/deployment-patch.yaml
index a2461ef..01f7d27 100644
--- a/apps/syncthing/overlays/media/deployment-patch.yaml
+++ b/apps/syncthing/overlays/media/deployment-patch.yaml
@@ -17,6 +17,11 @@ spec:
               readOnly: true
               subPath: key.pem
       volumes:
+        - name: sync-data
+          persistentVolumeClaim: null
+          nfs:
+            server: 192.168.1.215
+            path: /export/sync
         - name: sync-keys
           secret:
             secretName: sync-secret
diff --git a/apps/test/overlays/media/kustomization.yaml b/apps/test/overlays/media/kustomization.yaml
index 13bb01b..b683f85 100644
--- a/apps/test/overlays/media/kustomization.yaml
+++ b/apps/test/overlays/media/kustomization.yaml
@@ -1,5 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+# secretGenerator:
+#   - name: mysecret
+#     files:
+#       - ./test-secret-generator.yaml
+
 generators:
-  - ./test-secret-generator.yaml
+  - name: test-secret
+    |-
+    apiVersion: viaduct.ai/v1
+    kind: ksops
+    metadata:
+      name: test-secret
+      annotations:
+        config.kubernetes.io/function: |
+          exec:
+            path: ksops
+    files:
+      - ./test-ksops-secret.enc.yaml