diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index 063eada1..cb92476a 100644
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - ./qbittorrent/ks.yaml
 - ./radarr/ks.yaml
 - ./recyclarr/ks.yaml
+ - ./registry/ks.yaml
 - ./sabnzbd/ks.yaml
 - ./sonarr/ks.yaml
 - ./stash/ks.yaml
diff --git a/kubernetes/apps/default/registry/app/helmrelease.yaml b/kubernetes/apps/default/registry/app/helmrelease.yaml
new file mode 100644
index 00000000..159f1d3e
--- /dev/null
+++ b/kubernetes/apps/default/registry/app/helmrelease.yaml
@@ -0,0 +1,117 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: registry
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.3.2
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ driftDetection:
+ mode: enabled
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
+ controllers:
+ registry:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ registry:
+ image: &image
+ repository: registry
+ tag: 3.0.0-beta.1
+ command:
+ - /bin/registry
+ - serve
+ - /etc/distribution/config.yml
+ env:
+ TZ: America/Los_Angeles
+ securityContext: &securityContext
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources:
+ limits:
+ memory: 256Mi
+ gc:
+ type: cronjob
+ annotations:
+ reloader.stakater.com/auto: "true"
+ cronjob:
+ schedule: "0 4 * * *"
+ containers:
+ gc:
+ image: *image
+ command:
+ - /bin/registry
+ - garbage-collect
+ - /etc/distribution/config.yml
+ env:
+ TZ: America/Los_Angeles
+ securityContext: *securityContext
+ service:
+ registry:
+ controller: registry
+ type: ClusterIP
+ ports:
+ http:
+ port: 5000
+ metrics:
+ port: 5001
+ ingress:
+ registry:
+ className: internal
+ hosts:
+ - host: ${APP_SUBDOMAIN:-${APP}}.${PUBLIC_DOMAIN0}
+ paths:
+ - path: /
+ service:
+ identifier: registry
+ port: http
+ serviceMonitor:
+ registry:
+ enabled: true
+ serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+ endpoints:
+ - port: metrics
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+ persistence:
+ config:
+ type: configMap
+ name: registry-config
+ globalMounts:
+ - path: /etc/distribution
+ readOnly: true
+ storage:
+ type: persistentVolumeClaim
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ retain: true
+ size: 200Gi
+ globalMounts:
+ - path: /var/lib/registry
diff --git a/kubernetes/apps/default/registry/app/kustomization.yaml b/kubernetes/apps/default/registry/app/kustomization.yaml
new file mode 100644
index 00000000..0a03c0a5
--- /dev/null
+++ b/kubernetes/apps/default/registry/app/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: registry-config
+ files:
+ - ./resources/config.yml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/kubernetes/apps/default/registry/app/resources/config.yml b/kubernetes/apps/default/registry/app/resources/config.yml
new file mode 100644
index 00000000..03370faa
--- /dev/null
+++ b/kubernetes/apps/default/registry/app/resources/config.yml
@@ -0,0 +1,27 @@
+version: 0.1
+log:
+ fields:
+ service: registry
+storage:
+ delete:
+ enabled: true
+ cache:
+ blobdescriptor: inmemory
+ filesystem:
+ rootdirectory: /var/lib/registry
+ tag:
+ concurrencylimit: 5
+http:
+ addr: :5000
+ headers:
+ X-Content-Type-Options: [nosniff]
+ debug:
+ addr: :5001
+ prometheus:
+ enabled: true
+ path: /metrics
+health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
diff --git a/kubernetes/apps/default/registry/ks.yaml b/kubernetes/apps/default/registry/ks.yaml
new file mode 100644
index 00000000..12970da8
--- /dev/null
+++ b/kubernetes/apps/default/registry/ks.yaml
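Review bot: In registry/app/helmrelease.yaml the `gc` CronJob runs `/bin/registry garbage-collect` against the same `/var/lib/registry` claim that the `registry` controller keeps serving, and nothing in this commit puts the registry into read-only mode for that window. The distribution documentation warns that an upload arriving while garbage collection runs can have its layers removed, leaving a corrupted image, so the `0 4 * * *` run should happen only while the registry is read-only or scaled down. Because `storage` is `accessMode: ReadWriteOnce` and mounted through `globalMounts`, the job pod presumably also has to be scheduled on the same node as the registry pod to attach the volume; confirm that it actually starts. Separately, `image: &image` uses the bare `repository: registry` with a mutable tag; pinning it as `tag: 3.0.0-beta.1@sha256:<digest>` (placeholder digest) would keep both containers on one immutable image.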
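Review bot: registry/app/resources/config.yml has no `auth` section while `storage.delete.enabled` is `true`, so every client that can reach the registry can push, overwrite tags and delete manifests; helmrelease.yaml in the same commit publishes port 5000 through the `internal` ingress. Add an `auth` block, for example `htpasswd` with its `realm` and `path` keys pointing at a file mounted from a Secret, or enforce authentication at the ingress, and consider leaving deletes disabled until that is in place. The `http.debug.addr: :5001` listener is also exposed as the `metrics` Service port; the distribution documentation notes that the debug endpoint can expose sensitive information, so restricting that port to the Prometheus scraper (for instance with a NetworkPolicy) is advisable.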
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app registry
+ namespace: flux-system
+spec:
+ targetNamespace: default
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/default/registry/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app