diff --git a/app/warpgate.yml b/app/warpgate.yml
new file mode 100644
index 000000000..5b17199c8
--- /dev/null
+++ b/app/warpgate.yml
@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: warpgate
+ labels:
+ app: warpgate
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: warpgate
+ template:
+ metadata:
+ labels:
+ app: warpgate
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - minio-48e6a175
+ containers:
+ - name: warpgate
+ image: ghcr.io/warp-tech/warpgate:v0.7.4
+ args:
+ - "-c"
+ - "/data/warpgate.yaml"
+ - "run"
+ env:
+ ports:
+ - containerPort: 2222
+ - containerPort: 8888
+ volumeMounts:
+ - name: db
+ mountPath: /data/
+ volumes:
+ - name: db
+ hostPath:
+ path: /opt/warpgate/
+ type: Directory
+ tolerations:
+ - key: "kubernetes.io/hostname"
+ operator: "Equal"
+ value: "minio"
+ effect: "NoSchedule"
+ - key: "node.kubernetes.io/unreachable"
+ operator: "Exists"
+ effect: "NoExecute"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: warpgate
+spec:
+ selector:
+ app: warpgate
+ ports:
+ - protocol: TCP
+ port: 8888
+ name: http
+ - protocol: TCP
+ port: 2222
+ name: ssh
+ clusterIP: None
+ type: ClusterIP
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: warpgate-ingress
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+ tls:
+ - hosts:
+ - warp.erebe.eu
+ secretName: warpgate-tls
+ rules:
+ - host: warp.erebe.eu
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: warpgate
+ servicePort: 8888
diff --git a/config/nftables.rules b/config/nftables.rules
index 00e0e871f..5ce8dceb4 100755
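Review bot: The warpgate pod runs with `hostNetwork: true` and a writable hostPath at `/opt/warpgate/` but declares no `securityContext`, so the process that terminates Internet-facing SSH and HTTPS runs as the image's default user, with the default capability set, inside the node's network namespace. Both listeners (2222 and 8888) are unprivileged ports, so nothing needs extra capabilities: the pod can drop them all, run as non-root and keep its root filesystem read-only with `/data` as the only writable mount; whether the image already runs unprivileged cannot be seen here, so a `runAsUser`/`fsGroup` matching the owner of `/opt/warpgate` may be required. Two smaller points: `extensions/v1beta1` Ingress is gone from Kubernetes 1.22 onward and should be `networking.k8s.io/v1` (`pathType: Prefix`, `service.name`/`service.port.number`), and `backend-protocol: "HTTPS"` encrypts the hop to warpgate but ingress-nginx does not verify the upstream certificate unless `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` and `proxy-ssl-secret` are also set. The bare `env:` parses as null and can be dropped. Also, the toleration value `"minio"` does not match the affinity hostname `minio-48e6a175`; if the node taint carries the full hostname the pod will never schedule.
```yaml
    spec:
      # … unchanged: hostNetwork, dnsPolicy, affinity …
      securityContext:
        runAsNonRoot: true   # TODO confirm the image's default user; otherwise set runAsUser/fsGroup to the owner of /opt/warpgate
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: warpgate
          image: ghcr.io/warp-tech/warpgate:v0.7.4
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true   # /data (hostPath) is the only writable mount
            capabilities:
              drop: ["ALL"]   # 2222 and 8888 are unprivileged ports, no NET_BIND_SERVICE needed
          # … unchanged: args, ports, volumeMounts …
```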
--- a/config/nftables.rules
+++ b/config/nftables.rules
@@ -18,7 +18,7 @@ table inet SERVER_FIREWALL {
 meta l4proto ipv6-icmp accept comment "accept all ICMP types"
 udp dport 546 ip6 saddr { fc00::/7, fe80::/10, 2001:bc8:2::5:136:1 } accept comment "allow DHCPv6 client"
- tcp dport 22 accept comment "accept SSH"
+ tcp dport { 22, 2222 } accept comment "accept local SSH & warpgate SSH"
 tcp dport { 80, 443 } accept comment "accept http"
@@ -30,6 +30,13 @@ table inet SERVER_FIREWALL {
 #tcp dport 6443 accept comment "accept kubernetes"
 }
+ chain nat_pretrouting {
+ type nat hook prerouting priority 0; policy accept;
+
+ iif enp1s0 tcp dport 2222 dnat ip to 10.200.200.6:2222 comment "forward to warpgate ssh connections"
+ iif enp1s0 tcp dport 2222 dnat ip6 to [fc00:cafe::6]:2222 comment "forward to warpgate ssh connections"
+ }
+
 chain forward {
 type filter hook forward priority 0; policy drop;
@@ -43,7 +50,10 @@ table inet SERVER_FIREWALL {
 chain nat_postrouting {
 type nat hook postrouting priority 0; policy accept;
- iifname cni0 ip saddr 10.42.0.0/24 masquerade comment "NAT kube traffic to avoid leaking private network"
+ iif enp1s0 tcp dport 2222 ip daddr 10.200.200.6 masquerade comment "forward to warpgate ssh connections"
+ iif enp1s0 tcp dport 2222 ip6 daddr fc00:cafe::6 masquerade comment "forward to warpgate ssh connections"
+
+ oif enp1s0 ip saddr 10.42.0.0/24 masquerade comment "NAT kube traffic to avoid leaking private network"
 oif enp1s0 ip saddr 10.200.200.0/24 masquerade comment "Allow NATing IPv4 wireguard traffic"
 oif enp1s0 ip6 saddr fc00:cafe::/80 masquerade comment "Allow NATing IPv6 wireguard traffic"
diff --git a/dns/erebe.eu.zones b/dns/erebe.eu.zones
index d9fb54190..c150ab77b 100755
--- a/dns/erebe.eu.zones
+++ b/dns/erebe.eu.zones
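Review bot: Adding 2222 to the input accept does not carry the warpgate flow the comment describes: the nat prerouting hook added in the next hunk rewrites the destination of `enp1s0` port-2222 packets to 10.200.200.6 (evidently another machine behind the wireguard tunnel) before the routing decision, so those packets traverse the forward chain and never reach input. What this line actually does is open port 2222 on every interface of the firewall host itself, tunnel peers included, for whatever happens to listen there — presumably nothing. I would keep `tcp dport 22 accept comment "accept SSH"` as it was and put the warpgate accept in the forward chain, where the DNATed flow is actually filtered.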
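Review bot: The DNAT only rewrites the destination; whether the rewritten packets reach 10.200.200.6 is decided by the forward chain, whose header with `policy drop` closes this hunk while its body lies outside the view, and nothing in the diff adds an accept for that flow. Unless an existing forward rule already covers it, add `ct status dnat accept comment "DNATed warpgate ssh"` (or the narrower `ip daddr 10.200.200.6 tcp dport 2222 accept` plus its `ip6 daddr fc00:cafe::6` twin) to that chain. Since port 2222 is now reachable from the whole Internet with no throttle in front of the bastion, a `ct state new limit rate` rule on that flow in the forward chain is worth considering. Style: the chain is named `nat_pretrouting` for a `prerouting` hook — `nat_prerouting` would match both the hook and the existing `nat_postrouting` sibling.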
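Review bot: Masquerading the DNATed 2222 flow in postrouting replaces every client's source address with the address of the outgoing wireguard interface, so warpgate — the component that is supposed to be the authentication and audit point for SSH — will presumably see, log and rate-limit every session as coming from a single IP. This is likely here because 10.200.200.6 has no return route to the Internet through the tunnel; the cleaner fix is to give that peer a return route (or a policy route for replies sourced from 10.200.200.6:2222) and drop these two masquerade lines, keeping only the DNAT. If the SNAT has to stay, record the trade-off next to it: `# SNAT hides the real client IP from warpgate's session log; peer has no return route via wg`.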
@@ -51,4 +51,8 @@ blog 10800 IN A 195.154.119.61
 blog 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
 bitwarden 10800 IN A 195.154.119.61
 bitwarden 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
+warp 10800 IN A 195.154.119.61
+warp 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
+*.warp 10800 IN A 195.154.119.61
+*.warp 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
 cafe 10800 IN AAAA 2001:0bc8:3d8f:cafe::cafe
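Review bot: The `*.warp` wildcard has nothing to terminate it: the Ingress added in app/warpgate.yml in this same commit routes, and holds a certificate for, only `warp.erebe.eu`, so `anything.warp.erebe.eu` resolves to 195.154.119.61 and lands on ingress-nginx's default backend with its self-signed default certificate. If the wildcard is meant for per-target subdomains (presumably warpgate's HTTP target routing — confirm), add `*.warp.erebe.eu` to both `rules` and `tls.hosts` of that Ingress and note that the `letsencrypt-prod` issuer then needs a dns-01 solver, since http-01 cannot issue wildcard certificates; otherwise drop the two wildcard records so they do not advertise a surface nothing serves.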