diff --git a/zombi/cytube/Chart.yaml b/zombi/cytube/Chart.yaml
new file mode 100644
index 0000000..1f4defe
--- /dev/null
+++ b/zombi/cytube/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: cytube
+version: 0.1.0
+type: application
+description: Watch youtube videos together
+
+dependencies:
+- name: mariadb
+ version: "9.2.0"
+ repository: "https://charts.bitnami.com/bitnami"
diff --git a/zombi/cytube/templates/deployment.yaml b/zombi/cytube/templates/deployment.yaml
new file mode 100644
index 0000000..3e73994
--- /dev/null
+++ b/zombi/cytube/templates/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app.kubernetes.io/name: cytube
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: cytube
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: cytube
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: cytube
+ image: zombi/cytube
+ env:
+ - name: BASE_URL
+ value: {{ .Values.domain }}
+ - name: COOKIE_SECRET
+ {{- if .Values.cookieSecret.secretName }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.cookieSecret.secretName }}
+ key: {{ .Values.cookieSecret.secretKey | default "key" | quote }}
+ {{- else }}
+ value: {{ .Values.cookieSecret.key }}
+ {{- end }}
+ - name: MYSQL_DATABASE
+ value: cytube
+ - name: MYSQL_HOST
+ value: {{ .Release.Name }}-mariadb
+ - name: MYSQL_PASSWORD
+ value: cytube
+ - name: MYSQL_PORT
+ value: "3306"
+ - name: MYSQL_USER
+ value: cytube
+ - name: YOUTUBE_API_KEY
+ {{- if .Values.youtube.secretName }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.youtube.secretName }}
+ key: {{ .Values.youtube.secretKey | default "apiKey" | quote }}
+ {{- else }}
+ value: {{ .Values.youtube.apiKey }}
+ {{- end }}
+ ports:
+ - name: frontend-http
+ containerPort: 8080
+ protocol: TCP
+ - name: socket-http
+ containerPort: 443
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 100m
+ memory: 150Mi
+ limits:
+ memory: 300Mi
diff --git a/zombi/cytube/templates/ingress.yaml b/zombi/cytube/templates/ingress.yaml
new file mode 100644
index 0000000..17a8300
--- /dev/null
+++ b/zombi/cytube/templates/ingress.yaml
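Review bot: `MYSQL_PASSWORD` in cytube/templates/deployment.yaml is the literal `cytube`, written straight into the pod spec, and cytube/values.yaml in this commit carries the matching `mariadb.auth.password: cytube` and `rootPassword: toor`, so anyone who can read the chart or the Deployment object has the database credentials. The same env list already uses `secretKeyRef` for COOKIE_SECRET and YOUTUBE_API_KEY; the database password should be read the same way, from the Secret the mariadb subchart manages. The Secret and key names below are the Bitnami chart's usual defaults and should be confirmed against the pinned 9.2.0 chart. In values.yaml the fixed passwords are better replaced by `mariadb.auth.existingSecret` pointing at a pre-created Secret, which also keeps them stable across upgrades.

```yaml
# … unchanged: MYSQL_DATABASE, MYSQL_HOST …
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-mariadb
                  key: mariadb-password
# … unchanged: MYSQL_PORT, MYSQL_USER, YOUTUBE_API_KEY …
```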
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: cytube
+ labels:
+ app.kubernetes.io/name: cytube
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ annotations:
+ cert-manager.io/issuer: "letsencrypt"
+spec:
+ tls:
+ - hosts:
+ - {{ .Values.domain }}
+ secretName: {{ .Values.domain }}-cert
+ rules:
+ - host: {{ .Values.domain }}
+ http:
+ paths:
+ - backend:
+ serviceName: {{ .Release.Name }}
+ servicePort: 8080
+ - path: /socket.io/
+ backend:
+ serviceName: {{ .Release.Name }}
+ servicePort: 8081
diff --git a/zombi/cytube/templates/svc.yaml b/zombi/cytube/templates/svc.yaml
new file mode 100644
index 0000000..d547cc0
--- /dev/null
+++ b/zombi/cytube/templates/svc.yaml
@@ -0,0 +1,18 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app.kubernetes.io/name: cytube
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ ports:
+ - name: frontend
+ port: 8080
+ - name: socket
+ port: 8081 # this cannot be 443 since traefik will assume HTTPS
+ targetPort: 443
+ selector:
+ app.kubernetes.io/name: cytube
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ type: ClusterIP
diff --git a/zombi/cytube/values.yaml b/zombi/cytube/values.yaml
new file mode 100644
index 0000000..65abbe3
--- /dev/null
+++ b/zombi/cytube/values.yaml
@@ -0,0 +1,20 @@
+
+domain: tube.zom.bi
+
+youtube:
+ secretName: ""
+ secretKey: "apiKey"
+ apiKey: "" # ignored, if secretName is specified
+
+cookieSecret:
+ secretName: ""
+ secretKey: "cookieSecret"
+ key: "" # ignored, if secretName is specified
+
+mariadb:
+ auth:
+ rootPassword: toor
+ username: cytube
+ database: cytube
+ password: cytube
+ replicationPassword: unused # otherwise random, undeterministic.
diff --git a/zombi/mumble/Chart.yaml b/zombi/mumble/Chart.yaml
new file mode 100644
index 0000000..48e3849
--- /dev/null
+++ b/zombi/mumble/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: mumble
+version: 0.1.0
+type: application
+description: voice chat server
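Review bot: The Ingress in cytube/templates/ingress.yaml is named with the literal `cytube`, while the Deployment and Service it fronts are named `{{ .Release.Name }}`, so a second release of this chart in the same namespace would collide on the Ingress object; `name: {{ .Release.Name }}` matches the rest of the chart. The `cert-manager.io/issuer: "letsencrypt"` annotation refers to a namespaced Issuer that this chart does not create, which deserves a comment above the annotation, e.g. `# requires an Issuer named "letsencrypt" in the release namespace`. `networking.k8s.io/v1beta1` was removed in Kubernetes 1.22, so on current clusters the template needs the `networking.k8s.io/v1` schema (`pathType`, `backend.service.name` and `backend.service.port.number`).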
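Review bot: In cytube/values.yaml both `cookieSecret.secretName` and `cookieSecret.key` default to `""`, so an install that sets neither takes the else branch in deployment.yaml and renders COOKIE_SECRET with an empty value; the pod then starts without the secret that presumably signs session cookies. The inline comments only say the plain value is ignored when `secretName` is set and should state that one of the two must be provided, e.g. `# required: set secretName (preferred) or key`. The template can enforce it with Helm's `required`, for example `value: {{ required "set cookieSecret.secretName or cookieSecret.key" .Values.cookieSecret.key | quote }}`. The fallback key name also differs between the two files (`default "key"` in the template, `secretKey: "cookieSecret"` here) and should be made the same.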
diff --git a/zombi/mumble/templates/certificate.yaml b/zombi/mumble/templates/certificate.yaml
new file mode 100644
index 0000000..2474cf0
--- /dev/null
+++ b/zombi/mumble/templates/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.domain }}-cert
+spec:
+ secretName: {{ .Values.domain }}-cert
+ dnsNames:
+ - {{ .Values.domain }}
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: letsencrypt
diff --git a/zombi/mumble/templates/configmap.yaml b/zombi/mumble/templates/configmap.yaml
new file mode 100644
index 0000000..83986cd
--- /dev/null
+++ b/zombi/mumble/templates/configmap.yaml
@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mumble-config
+data:
+ murmur.ini: |
+ database=/var/lib/mumble/murmur.sqlite
+
+ # enable ice
+ ice="tcp -h 127.0.0.1 -p 6502"
+ icesecret=notverysecret
+
+ # Use gRPC
+ grpc="0.0.0.0:50050"
+
+ # log to stdout
+ logfile=
+
+ pidfile=
+
+ welcometext="Welcome to the server."
+
+ port=64738
+
+ host=0.0.0.0
+
+ serverpassword=
+
+ bandwidth=256000
+
+ # CELT is dead, support only opus
+ opusthreshold=0
+
+ # Maximum number of concurrent clients allowed.
+ users=128
+
+ username=[^\\s<>](?:(?!\\s)\\s|[^<>])*[^\\s<>]
+ channelname=[^\\s<>](?:(?!\\s)\\s|[^<>])*[^\\s<>]
+
+ #textmessagelength=5000
+
+ #imagemessagelength=131072
+
+ # Allow clients to use HTML in messages, user comments and channel descriptions?
+ allowhtml=true
+
+ # Murmur retains the per-server log entries in an internal database which
+ # allows it to be accessed over D-Bus/ICE.
+ # How many days should such entries be kept?
+ logdays=2
+
+ # To enable public server registration, the serverpassword must be blank, and
+ # this must all be filled out.
+ # The password here is used to create a registry for the server name; subsequent
+ # updates will need the same password. Don't lose your password.
+ # The URL is your own website, and only set the registerHostname for static IP
+ # addresses.
+ #
+
+ ## UNCOMMENT FOR PRODUCTIVE
+ #
+ registerName={{ .Values.registerName }}
+ registerPassword={{ .Values.registerPassword }}
+ registerURL={{ .Values.registerURL }}
+ registerHostname={{ .Values.domain }}
+
+ #sslCA=/tls/ca.crt
+ sslCert=/tls/tls.crt
+ sslKey=/tls/tls.key
+
+ # If murmur is started as root, which user should it switch to?
+ # This option is ignored if murmur isn't started with root privileges.
+ uname=user
+
+ # If this options is enabled, only clients which have a certificate are allowed
+ # to connect.
+ #certrequired=False
+
+ # You can configure any of the configuration options for Ice here. We recommend
+ # leave the defaults as they are.
+ # Please note that this section has to be last in the configuration file.
+ #
+ [Ice]
+ Ice.Warn.UnknownProperties=1
+ Ice.MessageSizeMax=65536
diff --git a/zombi/mumble/templates/service.yaml b/zombi/mumble/templates/service.yaml
new file mode 100644
index 0000000..29a000b
--- /dev/null
+++ b/zombi/mumble/templates/service.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app.kubernetes.io/name: mumble
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: {{ .Values.domain }}
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - port: {{ .Values.port }}
+ targetPort: 64738
+ protocol: TCP
+ name: control
+ selector:
+ app.kubernetes.io/name: mumble
+ app.kubernetes.io/instance: {{ .Release.Name }}
+---
+# We need a second load balancer, since a single load balancer cannot
+# handle multiple protocols at once (TCP/UDP).
+# since the services both point to the same node (thanks to Local policy),
+# we may only specify the annotation for external-dns ONCE.
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-voice
+ labels:
+ app.kubernetes.io/name: mumble
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - port: {{ .Values.port }}
+ targetPort: 64738
+ protocol: UDP
+ name: voice
+ selector:
+ app.kubernetes.io/name: mumble
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/zombi/mumble/templates/statefulset.yaml b/zombi/mumble/templates/statefulset.yaml
new file mode 100644
index 0000000..a4920d0
--- /dev/null
+++ b/zombi/mumble/templates/statefulset.yaml
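Review bot: `grpc="0.0.0.0:50050"` in mumble/templates/configmap.yaml makes murmur's gRPC control interface listen on every interface of the pod, while Ice directly above it is held to 127.0.0.1. Nothing in the hunk configures TLS or client authentication for that listener, so any workload that can reach the pod IP can presumably administer the server. Unless something outside the pod needs it, bind it like Ice with `grpc="127.0.0.1:50050"` or drop the line; otherwise restrict port 50050 with a NetworkPolicy. Separately, `icesecret=notverysecret` and `registerPassword={{ .Values.registerPassword }}` place credentials in a ConfigMap, which is readable with ordinary ConfigMap permissions; rendering murmur.ini into a Secret and mounting that at /config keeps them out of it.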
@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ .Release.Name }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: mumble
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ serviceName: "mumble"
+ replicas: 1 # default, but we want to be explicit.
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: mumble
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: murmur
+ image: zombi/murmur
+ imagePullPolicy: IfNotPresent
+ command:
+ - /usr/bin/murmurd
+ - -fg
+ - -ini
+ - /config/murmur.ini
+ ports:
+ - name: control
+ containerPort: 64738
+ protocol: TCP
+ - name: voice
+ containerPort: 64738
+ protocol: UDP
+ volumeMounts:
+ - name: {{ .Release.Name }}-mumble
+ mountPath: /var/lib/mumble
+ - name: tls
+ mountPath: /tls
+ - name: config
+ mountPath: /config
+ resources:
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ limits:
+ memory: 100Mi
+ securityContext:
+ fsGroup: 2000
+ volumes:
+ - name: tls
+ secret:
+ secretName: {{ .Values.domain }}-cert
+ - name: config
+ configMap:
+ name: mumble-config
+ volumeClaimTemplates:
+ - metadata:
+ name: {{ .Release.Name }}-mumble
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/zombi/mumble/values.yaml b/zombi/mumble/values.yaml
new file mode 100644
index 0000000..434edd8
--- /dev/null
+++ b/zombi/mumble/values.yaml
@@ -0,0 +1,7 @@
+domain: mumble.example.org
+
+registerName: Example server
+registerURL: https://example.org
+# set a short password here, so nobody can hijack your server registration.
+registerPassword: ""
+port: 64738
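Review bot: `image: zombi/murmur` in mumble/templates/statefulset.yaml has no tag, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` each node keeps whichever build it pulled first. What runs is then neither reproducible nor tied to a reviewed image, and a replaced image on the registry is picked up silently on the next fresh pull. Pin it to a version tag or, better, a digest, e.g. `image: zombi/murmur:<TAG>@sha256:<DIGEST>` (placeholders), and do the same for `image: zombi/cytube` in cytube/templates/deployment.yaml. `serviceName: "mumble"` also matches neither Service in service.yaml (`{{ .Release.Name }}` and `{{ .Release.Name }}-voice`), although a StatefulSet's governing Service is expected to exist.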