diff --git a/TODO b/TODO
deleted file mode 100644
index 9a6bc91..0000000
--- a/TODO
+++ /dev/null
@@ -1,8 +0,0 @@
-- /etc/lvm/lvm.conf -> issue_discards = 1
-- deploy hashicorp/vault to store encrypted files:
- - user SSH keys
- - user passwords
- - secure files
-- setup fstab with sshfs, noatime
-- add smartmontools & conf
-- auto-add ssh hosts to known_hosts
diff --git a/ansible_galaxy-requirements.yml b/ansible_galaxy-requirements.yml
index 1e535cf..36b686b 100644
--- a/ansible_galaxy-requirements.yml
+++ b/ansible_galaxy-requirements.yml
@@ -2,3 +2,5 @@
 collections:
 - name: kubernetes.core
 version: 3.0.0
+ - name: community.general
+ version: 9.0.0
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/k3s/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/k3s/defaults/main.yml
index b70e4fe..2aa199a 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/k3s/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/k3s/defaults/main.yml
@@ -6,3 +6,4 @@ k3s_extra_args: ''
 k3s_operator_ips: []
 k3s_cluster_cidr: '10.42.0.0/16'
 k3s_service_cidr: '10.43.0.0/16'
+k3s_cluster_additional_helm_charts: []
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
new file mode 100644
index 0000000..b1556fb
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
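Review bot: `k3s_cluster_additional_tf_resources` gets no default in this hunk, although tasks/server.yml in the same commit loops over it (`loop: '{{ k3s_cluster_additional_tf_resources }}'`), so any host that does not set it in host_vars fails that task with an undefined-variable error instead of skipping it. Add `k3s_cluster_additional_tf_resources: []` next to the new `k3s_cluster_additional_helm_charts: []` line. The same gap applies to the `install OpenTofu resources` task in the server.yml hunk, which is where the error would surface.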
@@ -0,0 +1,75 @@
+- name: deploy OpenTofu resource
+ connection: local
+ block:
+ - name: find terraform binary
+ ansible.builtin.command:
+ cmd: bash -c 'command -v terraform || command -v tofu || echo /usr/local/bin/terraform'
+ register: located_tf_binary
+ when: terraform_binary_path is undefined
+ changed_when: false
+
+ - name: set terraform binary
+ ansible.builtin.set_fact:
+ terraform_binary_path: '{{ terraform_binary_path | default(located_tf_binary.stdout, true) }}'
+ when: terraform_binary_path is undefined
+
+ - name: create temp directory
+ ansible.builtin.tempfile:
+ state: directory
+ register: tmp_file
+ changed_when: false
+ when: item.storage_dir is not defined
+
+ - name: set target directory for git repository
+ ansible.builtin.set_fact:
+ git_clone_dir: '{{ item.storage_dir | default(tmp_file.path, true) }}'
+
+ - name: fetch git repository
+ ansible.builtin.git:
+ repo: '{{ item.git_repository }}'
+ dest: '{{ git_clone_dir }}'
+ version: '{{ item.git_revision }}'
+ force: true
+
+ - name: prepare variables file
+ ansible.builtin.copy:
+ content: '{{ item.tfvars_content }}'
+ dest: '{{ git_clone_dir }}/{{ item.terraform_dir }}/terraform.tfvars'
+ mode: '0500'
+ force: true
+
+ - name: prepare tfstate file
+ ansible.builtin.copy:
+ src: '{{ item.tfstate_path }}'
+ dest: '{{ git_clone_dir }}/{{ item.terraform_dir }}/terraform.tfstate'
+ force: true
+ mode: '0600'
+ when: git_clone_dir not in item.tfstate_path
+
+ - name: deploy k8s resources
+ community.general.terraform:
+ binary_path: "{{ terraform_binary_path }}"
+ project_path: '{{ git_clone_dir }}/{{ item.terraform_dir}}'
+ provider_upgrade: true
+ force_init: true
+
+ - name: backup source stored state
+ ansible.builtin.copy:
+ src: '{{ item.tfstate_path }}'
+ dest: '{{ item.tfstate_path }}.ansible.backup'
+ force: true
+ mode: '0600'
+
+ - name: update source tfstate file
+ ansible.builtin.copy:
+ src: '{{ git_clone_dir }}/{{ item.terraform_dir}}/terraform.tfstate'
+ dest: '{{ item.tfstate_path }}'
+ force: true
+ mode: '0600'
+ when: git_clone_dir not in item.tfstate_path
+
+ - name: cleanup
+ ansible.builtin.file:
+ path: '{{ tmp_file.path }}'
+ state: absent
+ when: item.storage_dir is not defined
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml
index e6221b1..1291412 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml
@@ -42,3 +42,16 @@
 debug: msg="Not supported yet"
 when: k3s_cluster_type is match("ha")
 failed_when: true
+
+- name: install Helm charts
+ connection: local
+ kubernetes.core.helm: '{{ item }}'
+ loop: '{{ k3s_cluster_additional_helm_charts }}'
+ loop_control:
+ label: '{{ item.release_name }}'
+
+- name: install OpenTofu resources
+ include_tasks: opentofu.yml
+ loop: '{{ k3s_cluster_additional_tf_resources }}'
+ loop_control:
+ label: '{{ item.name }}'
diff --git a/inventory/host_vars/actinium/vars.yml b/inventory/host_vars/actinium/vars.yml
index 36a667b..3005e56 100644
--- a/inventory/host_vars/actinium/vars.yml
+++ b/inventory/host_vars/actinium/vars.yml
@@ -4,6 +4,7 @@
 ansible_user: "{{ vault_ssh_user }}"
 security_firewall_mangle_drop_privatenets: false
 security_firewall_mangle_policy_forward: accept
+security_firewall_filter_policy_forward: accept
 k3s_cluster_name: internal
 k3s_cluster_role: server
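Review bot: The `cleanup` task at the end of the block only runs when every earlier task succeeds, because it sits inside `block:` rather than in an `always:` section; a failing `community.general.terraform` run therefore leaves the rendered `terraform.tfvars` (carrying `item.tfvars_content`, which the actinium host_vars feed from vault) and the copied `terraform.tfstate` behind in the controller's temp directory. Move the `cleanup` task out of the task list into an `always:` sibling of `block:`, keeping its `when: item.storage_dir is not defined` guard, so the temp directory is removed on failure too. Separately, `mode: '0500'` on the tfvars copy grants the execute bit to a data file; `mode: '0600'` matches the two tfstate copies and is all the content needs. The `find terraform binary` command falls back to `echo /usr/local/bin/terraform` when neither binary is on PATH, so a missing binary is only reported later by the terraform task; if that is intentional, a short comment on the `cmd:` line saying so would help.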
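Review bot: `security_firewall_filter_policy_forward: accept` switches this host's filter FORWARD default policy to accept, and nothing in the hunk records why; the mangle-chain equivalent directly above it is equally uncommented. A one-line comment above the new key stating the reason (presumably that k3s pod/service traffic must be forwarded through this node — confirm) would let a later reviewer judge whether the relaxation is still needed, e.g. `# FORWARD default accept: needed for routed k3s pod/service traffic (confirm)`. The rest of the firewall configuration for this host is outside the hunk.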
@@ -12,3 +13,20 @@ k3s_cluster_ip: "{{ vault_cluster_ip }}"
 mariadb_server_root_password: "{{ vault_mariadb_server_root_password }}"
 mariadb_server_custom_sql: "{{ vault_mariadb_server_custom_sql }}"
 mariadb_server_bind_addresses: "{{ vault_mariadb_server_bind_addresses }}"
+
+k3s_cluster_additional_helm_charts:
+ - release_name: redis
+ release_namespace: default
+ chart_ref: 'oci://registry-1.docker.io/bitnamicharts/redis'
+ chart_version: '^18'
+ values:
+ replica:
+ replicaCount: 1
+k3s_cluster_additional_tf_resources:
+ - name: Invoice Ninja
+ git_repository: 'https://gitlab.0x2a.ninja/flowtech/oss/invoice-ninja.git'
+ git_revision: 0.0.3
+ terraform_dir: 'terraform'
+ tfvars_content: '{{ vault_invoice_ninja_tfvars }}'
+ tfstate_path: '{{ vault_invoice_ninja_tfstate_path }}'
+ # storage_dir:
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index b195a7d..3a6b272 100644
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
@@ -21,3 +21,6 @@ common_sysctl_configuration:
 security_firewall_filter_policy_output: accept
 security_firewall_filter_policy_forward: accept
 security_firewall_mangle_policy_forward: accept
+
+# provisioner role
+terraform_binary_path: '/usr/bin/tofu'
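Review bot: `chart_version: '^18'` and `git_revision: 0.0.3` pin both deployments to mutable references — a semver range resolves to whatever 18.x the OCI registry serves at run time, and a git tag can be moved — so the role's `force: true` checkout and `provider_upgrade: true` apply can change what gets deployed from the same inventory. Pin an exact chart version and a full commit SHA (quoted, so YAML keeps them strings) where reproducibility matters, and add a comment on the `chart_version:` line if the range is deliberate. `git_revision: 0.0.3` should also be quoted to match the surrounding string values; it parses as a string today only because of its second dot.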
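Review bot: `terraform_binary_path` is a controller-side path — its only consumer in this commit, roles/k3s/tasks/opentofu.yml, runs its block with `connection: local` and passes the value to `binary_path:` — yet it is set in host_vars for unobtainium, so it describes the machine running Ansible rather than this host and only takes effect while unobtainium is in the play. Unless unobtainium is itself the controller, the value belongs in group_vars/all or a play var, or the comment should say why it is host-scoped; the `# provisioner role` label also does not name the consumer (no provisioner role appears in this diff). Suggest `# controller-side OpenTofu binary used by the k3s role (tasks/opentofu.yml runs with connection: local)`.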