diff --git a/k8s/home-assistant/README.md b/k8s/home-assistant/README.md
new file mode 100644
index 0000000..1778c86
--- /dev/null
+++ b/k8s/home-assistant/README.md
@@ -0,0 +1,27 @@
+# Home Assistant
+
+Deployment for Home Assistant via the `pajikos` Helm chart.
+
+## Deployment
+
+1. Ensure the Helm repository is added and updated:
+```bash
+helm repo add pajikos https://pajikos.github.io/home-assistant-helm-chart/
+helm repo update
+```
+
+2. Apply the raw secrets (if they haven't been applied yet):
+```bash
+kubectl apply -f hass-code-auth.secret.yml
+```
+
+3. Upgrade/Install the Helm release:
+```bash
+helm upgrade --install home-assistant pajikos/home-assistant -n home-assistant -f home-assistant.secret.yaml
+```
+
+## Architecture & Configuration
+This setup perfectly balances **Infrastructure as Code (IaC)** with **Dynamic UI Configuration**:
+- **Core Settings:** Network proxies, InfluxDB tokens, and Ingress routing are strictly enforced via `home-assistant.secret.yaml`.
+- **Dynamic Config:** The helm chart utilizes an init-script to inject `!include` directives for `automations.yaml`, `scripts.yaml`, and `scenes.yaml` into the main config. This allows the Home Assistant UI to write dynamic automations without violating the IaC principles!
+- **Code Server Addon:** For advanced manual tweaks, a VS Code instance (`hass-coder.moritzgraf.de`) runs alongside the pod, allowing direct manipulation of the `/config` directory.
diff --git a/k8s/home-assistant/home-assistant.secret.yaml b/k8s/home-assistant/home-assistant.secret.yaml
new file mode 100644
index 0000000..cdff5dc
Binary files /dev/null and b/k8s/home-assistant/home-assistant.secret.yaml differ
diff --git a/k8s/home-assistant/home-assistant.yaml b/k8s/home-assistant/home-assistant.yaml
deleted file mode 100644
index 971f3aa..0000000
--- a/k8s/home-assistant/home-assistant.yaml
+++ /dev/null
@@ -1,229 +0,0 @@ -# # helm show values pajikos/home-assistant | less - - -# Environment variables -env: -- name: TZ - value: Europe/Berlin -# - name: SOME_VAR_FROM_CONFIG_MAP -# valueFrom: -# configMapRef: -# name: configmap-name -# key: config-key -# - name: SOME_SECRET -# valueFrom: -# secretKeyRef: -# name: secret-name -# key: secret-key - -# Ingress settings -ingress: - # Enable ingress for home assistant - enabled: true - className: "nginx" - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" - kubernetes.io/tls-acme: "true" - hosts: - - host: hass.moritzgraf.de - paths: - - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - "hass.moritzgraf.de" - secretName: hass-moritzgraf-de - -# Persistence values for the Home Assistant instance -persistence: - # Enable or disable persistence - enabled: true - # Access mode for the persistent volume claim - accessMode: ReadWriteOnce - # Size of the persistent volume claim - size: 10Gi - # Storage class for the persistent volume claim - storageClass: "" - -configuration: - # Enable or disable the configuration setup for Home Assistant - enabled: true - # Force init will merge the current configuration file with the default configuration on every start - # This is useful when you want to ensure that the configuration file is always up to date - forceInit: true - # List of trusted proxies in the format of CIDR notation in a case of using a reverse proxy - # Here is the list of the most common private IP ranges, use your list of possible trusted proxies, usually, it's the IP of the reverse proxy - trusted_proxies: - - 10.233.0.0/16 - # Template for the configuration.yaml file - # Used the `tpl` function to render the template, so you can use Go template functions - templateConfig: |- - # Loads default set of integrations. Do not remove. 
- default_config: - - {{- if .Values.ingress.enabled }} - http: - use_x_forwarded_for: true - trusted_proxies: - {{- range .Values.configuration.trusted_proxies }} - - {{ . }} - {{- end }} - {{- end}} - # Load frontend themes from the themes folder - frontend: - themes: !include_dir_merge_named themes - - automation: !include automations.yaml - script: !include scripts.yaml - scene: !include scenes.yaml - # # moritz custom config - influxdb: - host: influxdb-influxdb2.influxdb.svc.cluster.local - port: 80 - api_version: 2 - bucket: default - organization: influxdata - token: enaiY9yaiWi6ahv0phoph3FaiphoGh - ssl: false - verify_ssl: false - max_retries: 3 - - # Init script for the Home Assistant initialization, you can use Go template functions - # Script is executed before the Home Assistant container starts and is used to prepare the configuration - # Will be executed only if the configuration.enabled is set to true - initScript: |- - #!/bin/bash - set -e - - # Check if the configuration file exists - if [ ! -f /config/configuration.yaml ]; then - echo "Configuration file not found, creating a new one" - cp /config-templates/configuration.yaml /config/configuration.yaml - fi - - # Check if the force init is enabled - forceInit="{{ .Values.configuration.forceInit }}" - if [ "$forceInit" = "true" ]; then - echo "Force init is enabled, overwriting the configuration file" - current_time=$(date +%Y%m%d_%H%M%S) - echo "Backup the current configuration file to configuration.yaml.$current_time" - cp /config/configuration.yaml /config/configuration.yaml.$current_time - echo "The current configuration file will be merged with the default configuration file with this content:" - cat /config-templates/configuration.yaml - if [[ ! 
-s /config/configuration.yaml ]]; then - # If /config/configuration.yaml is empty, use the content of /config-templates/configuration.yaml - cat /config-templates/configuration.yaml > /config/configuration.yaml - else - # Perform the merge operation if /config/configuration.yaml is not empty - yq eval-all --inplace 'select(fileIndex == 0) *d select(fileIndex == 1)' /config/configuration.yaml /config-templates/configuration.yaml - fi - fi - - # Check if the automations file exists - if [ ! -f /config/automations.yaml ]; then - echo "Automations file not found, creating a new one" - touch /config/automations.yaml - echo "[]" >> /config/automations.yaml - fi - - # Check if the scripts file exists - if [ ! -f /config/scripts.yaml ]; then - echo "Scripts file not found, creating a new one" - touch /config/scripts.yaml - fi - - # Check if the scenes file exists - if [ ! -f /config/scenes.yaml ]; then - echo "Scenes file not found, creating a new one" - touch /config/scenes.yaml - fi - - # install hacs - see https://www.hacs.xyz/docs/use/download/download/#to-download-hacs - apk add --no-cache bash - wget -O - https://get.hacs.xyz | bash - - - initContainer: - name: setup-config - image: mikefarah/yq:4 - securityContext: - runAsUser: 0 - command: ["/bin/sh", "-c"] - args: - - /bin/sh /mnt/init/init.sh - # env: - # - name: FORCE_INIT - # valueFrom: - # configMapKeyRef: - # name: init-script - # key: forceInit - # Home Assistant configuration volume will be mounted to /config automatically - volumeMounts: - - name: init-volume - mountPath: /mnt/init/init.sh - subPath: init.sh - - name: config-volume - mountPath: /config-templates - -serviceMonitor: - # requires HA integration: https://www.home-assistant.io/integrations/prometheus/ - enabled: false - scrapeInterval: 30s - labels: - prometheus: haumdaucher - -# Addons configuration for additional services -addons: - # Code-server addon configuration - codeserver: - # Enable or disable the code-server addon - enabled: true - # 
# Resource settings for the code-server container - # resources: {} - # # Image settings for the code-server addon - # image: - # # Repository for the code-server image - # repository: ghcr.io/coder/code-server - # # Image pull policy for the code-server image - # pullPolicy: IfNotPresent - # # Tag for the code-server image - # tag: "4.92.2" - # Service settings - service: - # Service type (ClusterIP, NodePort, LoadBalancer, or ExternalName) - type: ClusterIP - # Service port - port: 12321 - # Ingress settings for the code-server addon - ingress: - # Enable or disable the ingress for the code-server addon - enabled: true - # Ingress class name - className: "nginx" - # Ingress annotations - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" - kubernetes.io/tls-acme: "true" - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: hass-coder-auth - nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - HASS Coder' - # Ingress hosts configuration - hosts: - - host: hass-coder.moritzgraf.de - paths: - - path: / - pathType: ImplementationSpecific - # Ingress TLS configuration - tls: - - hosts: - - "hass-coder.moritzgraf.de" - secretName: hass-coder-moritzgraf-de - # if you need any additional volume mounts, you can define them here - additionalMounts: [] - # - mountPath: /home/coder/.ssh/id_rsa - # name: id-rsa