diff --git a/flux/cluster/apps/asraphiel/kustomization.yaml b/flux/cluster/apps/asraphiel/kustomization.yaml
new file mode 100644
index 0000000..33549f1
--- /dev/null
+++ b/flux/cluster/apps/asraphiel/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - umami
diff --git a/flux/cluster/apps/asraphiel/umami/deployment.yaml b/flux/cluster/apps/asraphiel/umami/deployment.yaml
new file mode 100644
index 0000000..1a613a8
--- /dev/null
+++ b/flux/cluster/apps/asraphiel/umami/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: umami-deployment
+ namespace: asraphiel
+ labels:
+ app: umami-deployment
+ keel.sh/policy: poll
+ keel.sh/match-tag: "true"
+ keel.sh/pollSchedule: "@weekly"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: umami-deployment
+ template:
+ metadata:
+ labels:
+ app: umami-deployment
+ spec:
+ containers:
+ - name: umami-deployment
+ imagePullPolicy: Always
+ image: ghcr.io/mikecao/umami:postgresql-latest
+ ports:
+ - containerPort: 3000
+ env:
+ - name: DATABASE_TYPE
+ value: postgres
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: umami-secrets
+ key: db-url
+ - name: HASH_SALT
+ valueFrom:
+ secretKeyRef:
+ name: umami-secrets
+ key: salt
diff --git a/flux/cluster/apps/asraphiel/umami/ingress.yaml b/flux/cluster/apps/asraphiel/umami/ingress.yaml
new file mode 100644
index 0000000..16cde88
--- /dev/null
+++ b/flux/cluster/apps/asraphiel/umami/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: umami-deployment-ingress
+ namespace: asraphiel
+spec:
+ rules:
+ - host: "analytics.asraphiel.dev"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: umami-deployment-service
+ port:
+ number: 80
\ No newline at end of file
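Review bot: The container is pinned to the floating tag `ghcr.io/mikecao/umami:postgresql-latest` with `imagePullPolicy: Always` and a keel `poll` policy, so whatever upstream publishes under that tag is pulled on every pod restart and every weekly poll, with no review step and no way to tell from git which image is actually running. Pin a versioned tag (or a digest) and let keel's policy advance it, so a broken or compromised upstream push cannot roll itself out. The pod template also has no `securityContext` and no `resources`, so the process runs as the image's default user, may gain privileges, and is unbounded on a shared node; the block below is the minimal container-level hardening I would add (umami listens on 3000, so it needs neither root nor a privileged port — add `runAsUser` if the image's default user turns out to be root).
```yaml
      containers:
        - name: umami-deployment
          # … unchanged: imagePullPolicy, image, ports, env …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```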
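Review bot: The Ingress declares no `tls:` section and no `ingressClassName`, so it relies on whichever controller is the cluster default and is served as plain HTTP inside the cluster; the `nginx/default.nix` hunk in this commit maps `analytics.asraphiel.dev` to `k8sProxy`, so TLS presumably terminates on that front proxy, but nothing in this file records that. I would add a comment above `rules:` such as `# TLS is terminated on the nginx host (nixos/machines/nginx); this ingress is only reached over the internal network` and set `ingressClassName` explicitly so a second controller cannot pick up the host. If the analytics endpoint is meant to be reachable only through that front proxy, a controller-specific source-range restriction on this Ingress is the place to enforce it.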
diff --git a/flux/cluster/apps/misc/cdn-control/kustomization.yaml b/flux/cluster/apps/asraphiel/umami/kustomization.yaml
similarity index 88%
rename from flux/cluster/apps/misc/cdn-control/kustomization.yaml
rename to flux/cluster/apps/asraphiel/umami/kustomization.yaml
index 0169223..fca7dad 100644
--- a/flux/cluster/apps/misc/cdn-control/kustomization.yaml
+++ b/flux/cluster/apps/asraphiel/umami/kustomization.yaml
@@ -4,4 +4,4 @@ resources: - deployment.yaml - ingress.yaml - service.yaml - - secret.yaml + - secret.yaml \ No newline at end of file
diff --git a/flux/cluster/apps/asraphiel/umami/secret.yaml b/flux/cluster/apps/asraphiel/umami/secret.yaml
new file mode 100644
index 0000000..b09449a
--- /dev/null
+++ b/flux/cluster/apps/asraphiel/umami/secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: umami-secrets
+ namespace: asraphiel
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: umami-secrets
+ data:
+ - secretKey: db-url
+ remoteRef:
+ key: k8s/umami
+ property: db-url
+ - secretKey: salt
+ remoteRef:
+ key: k8s/umami
+ property: salt
diff --git a/flux/cluster/apps/asraphiel/umami/service.yaml b/flux/cluster/apps/asraphiel/umami/service.yaml
new file mode 100644
index 0000000..58f9e2d
--- /dev/null
+++ b/flux/cluster/apps/asraphiel/umami/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: umami-deployment-service
+ namespace: asraphiel
+spec:
+ selector:
+ app: umami-deployment
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 3000
\ No newline at end of file
diff --git a/flux/cluster/apps/kustomization.yaml b/flux/cluster/apps/kustomization.yaml
index f414f65..d84997c 100644
--- a/flux/cluster/apps/kustomization.yaml
+++ b/flux/cluster/apps/kustomization.yaml
@@ -7,3 +7,4 @@ resources: - drone - keel - family + - asraphiel
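Review bot: `refreshInterval: "15s"` polls the `vault` ClusterSecretStore four times a minute for two values that do not change at runtime, while the Deployment consumes `umami-secrets` through `secretKeyRef` env vars, which are read once at container start — a rotated `db-url` or `salt` therefore does not reach the running pod until something restarts it anyway. Unless another component triggers a rollout on Secret change (none is visible in this commit), a longer interval such as `refreshInterval: "1h"` gives the same effective behaviour with far less load on the store. If `salt` is what its name suggests, rotating it changes every derived value umami has stored, so it deserves a comment marking it write-once, e.g. `# salt: rotating this invalidates existing visitor hashes`.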
diff --git a/flux/cluster/apps/misc/cdn-control/deployment.yaml b/flux/cluster/apps/misc/cdn-control/deployment.yaml
deleted file mode 100644
index b940e8e..0000000
--- a/flux/cluster/apps/misc/cdn-control/deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cdn-deployment
- namespace: misc
- labels:
- app: cdn-deployment
- keel.sh/policy: force
- keel.sh/match-tag: "true"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: cdn-deployment
- template:
- metadata:
- labels:
- app: cdn-deployment
- spec:
- containers:
- - name: cdn-deployment
- imagePullPolicy: Always
- image: registry.asraphiel.dev/library/cdn-control:main
- ports:
- - containerPort: 8080
- env:
- - name: CDN_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: cdn-secrets
- key: access-key
- - name: CDN_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: cdn-secrets
- key: secret-key
- - name: CDN_ENDPOINT
- valueFrom:
- secretKeyRef:
- name: cdn-secrets
- key: endpoint
- - name: CDN_BASE_PATH
- valueFrom:
- secretKeyRef:
- name: cdn-secrets
- key: base-path
- - name: CDN_BUCKET
- valueFrom:
- secretKeyRef:
- name: cdn-secrets
- key: bucket
- imagePullSecrets:
- - name: registry-creds
diff --git a/flux/cluster/apps/misc/cdn-control/ingress.yaml b/flux/cluster/apps/misc/cdn-control/ingress.yaml
deleted file mode 100644
index a318d42..0000000
--- a/flux/cluster/apps/misc/cdn-control/ingress.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: cdn-deployment-ingress
- namespace: misc
-spec:
- rules:
- - host: "cdn.asraphiel.dev"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: cdn-deployment-service
- port:
- number: 80
- - host: "cdn.voidcorp.nl"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: cdn-deployment-service
- port:
- number: 80
diff --git a/flux/cluster/apps/misc/cdn-control/secret.yaml b/flux/cluster/apps/misc/cdn-control/secret.yaml
deleted file mode 100644
index 2a49b7c..0000000
--- a/flux/cluster/apps/misc/cdn-control/secret.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: cdn-secrets
- namespace: misc
-spec:
- refreshInterval: "15s"
- secretStoreRef:
- name: vault
- kind: ClusterSecretStore
- target:
- name: cdn-secrets
- data:
- - secretKey: access-key
- remoteRef:
- key: k8s/cdn
- property: access-key
- - secretKey: secret-key
- remoteRef:
- key: k8s/cdn
- property: secret-key
- - secretKey: endpoint
- remoteRef:
- key: k8s/cdn
- property: endpoint
- - secretKey: base-path
- remoteRef:
- key: k8s/cdn
- property: base-path
- - secretKey: bucket
- remoteRef:
- key: k8s/cdn
- property: bucket
diff --git a/flux/cluster/apps/misc/cdn-control/service.yaml b/flux/cluster/apps/misc/cdn-control/service.yaml
deleted file mode 100644
index 7d2b4ee..0000000
--- a/flux/cluster/apps/misc/cdn-control/service.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: cdn-deployment-service
- namespace: misc
-spec:
- selector:
- app: cdn-deployment
- ports:
- - protocol: TCP
- port: 80
- targetPort: 8080
diff --git a/flux/cluster/apps/misc/kustomization.yaml b/flux/cluster/apps/misc/kustomization.yaml
index 049965f..0e250b8 100644
--- a/flux/cluster/apps/misc/kustomization.yaml
+++ b/flux/cluster/apps/misc/kustomization.yaml
@@ -3,4 +3,3 @@ kind: Kustomization resources: - pinbot - registry-creds.yaml - - cdn-control
diff --git a/flux/cluster/core/namespaces/asraphiel.yaml b/flux/cluster/core/namespaces/asraphiel.yaml
new file mode 100644
index 0000000..de55dd8
--- /dev/null
+++ b/flux/cluster/core/namespaces/asraphiel.yaml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: asraphiel
+ labels:
+ name: asraphiel
\ No newline at end of file
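Review bot: The new namespace carries only `name: asraphiel`, a label that duplicates `metadata.name` (the API server already sets `kubernetes.io/metadata.name` on every namespace), and nothing that constrains what workloads placed in it may request. Since this is where the internet-facing umami pod lands, I would add Pod Security Admission labels here, `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted`, so a future manifest in this namespace cannot silently ask for hostPath, host networking or privileged mode. Whether the sibling namespace files (`keel.yaml`, `family.yaml`, `misc.yaml`) already do this is not visible in the diff; keep them consistent either way.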
diff --git a/flux/cluster/core/namespaces/kustomization.yaml b/flux/cluster/core/namespaces/kustomization.yaml
index 6af1302..969dacc 100644
--- a/flux/cluster/core/namespaces/kustomization.yaml
+++ b/flux/cluster/core/namespaces/kustomization.yaml
@@ -9,3 +9,4 @@ resources: - keel.yaml - family.yaml - misc.yaml + - asraphiel.yaml
diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index fabf522..b8d0afa 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -63,6 +63,7 @@ in { virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/"; virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/"; + virtualHosts."analytics.asraphiel.dev" = k8sProxy; virtualHosts."groenehartansichtkaarten.nl" = k8sProxy; virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;
@@ -77,6 +78,7 @@ in { http2 = true; globalRedirect = "galerievanslagmaat.nl"; }; + }; security.acme.email = "acme@voidcorp.nl";
diff --git a/nixos/machines/postgres/default.nix b/nixos/machines/postgres/default.nix
index bb627c0..d8694f4 100644
--- a/nixos/machines/postgres/default.nix
+++ b/nixos/machines/postgres/default.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let
+ user = name: {
+ name = name;
+ ensurePermissions = { "DATABASE \"${name}\"" = "ALL PRIVILEGES"; };
+ };
+in {
 imports = [ ../../common ../../common/lxc.nix ];
 networking.hostName = "postgres";
 system.stateVersion = "21.11";
@@ -17,13 +23,12 @@ host all all 10.0.0.0/8 trust host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust ''; - ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" ]; + ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" "umami" ]; ensureUsers = [ { name = "gitea"; ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; }; } - { name = "vault"; ensurePermissions = { "DATABASE \"vault\"" = "ALL PRIVILEGES"; };
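Review bot: The new `analytics.asraphiel.dev` vhost delegates to `k8sProxy`, whose definition is outside this hunk, so the diff does not show whether the analytics host gets the same TLS/ACME treatment as the neighbouring `proxy` entries or which headers it forwards to the cluster. Umami presumably derives its visitor identity from the client address, so if `k8sProxy` does not pass `X-Forwarded-For`/`X-Real-IP` (and the in-cluster ingress does not honour them) every visitor would collapse into the proxy's own address; worth confirming on the rendered nginx config rather than assuming. A comment on the new line, e.g. `# analytics: umami needs the real client address forwarded`, would record the requirement for the next person touching `k8sProxy`.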
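Review bot: The only change in this hunk is a bare `};` inserted after the `galerievanslagmaat.nl` block, and the attribute set it closes opens before the hunk, so the diff alone cannot show whether it balances a previously unclosed set or moves `security.acme.email` into a different one. If it fixes an evaluation error it is unrelated to the umami rollout and deserves its own commit message saying so; `nix-instantiate --parse` on the file before and after this commit would settle which it is.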
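Review bot: The new `umami` role is created behind the `pg_hba` rules visible in the context lines, `host all all 10.0.0.0/8 trust` and `host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust`, which let any client in those ranges log in as any role — `umami`, `vault`, `gitea` included — without a password. The password carried in the `db-url` ExternalSecret therefore does not gate access to the umami database; if cluster pods fall inside 10.0.0.0/8 (not visible here), every workload on the cluster can read and modify the analytics data and the other databases on this host. Narrowing the rules to `scram-sha-256` per role and database, or at least to specific source addresses, is the fix; the problem predates this commit, but the commit extends its reach. On the helper itself, `name = name;` can be `inherit name;`, and the hunk continues past the end of the visible diff so the rest of the `ensureUsers` list is not reviewable here.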
@@ -36,6 +41,7 @@ name = "authentik"; ensurePermissions = { "DATABASE \"authentik\"" = "ALL PRIVILEGES"; }; } + (user "umami") ]; enableTCPIP = true;
diff --git a/s3-policy.json b/s3-policy.json
new file mode 100644
index 0000000..bdeef16
--- /dev/null
+++ b/s3-policy.json
@@ -0,0 +1,39 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": [
+ "s3:GetBucketLocation",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads"
+ ],
+ "Resource": [
+ "arn:aws:s3:::galerie"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": [
+ "s3:PutObject",
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListMultipartUploadParts"
+ ],
+ "Resource": [
+ "arn:aws:s3:::galerie/*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
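Review bot: `(user "umami")` is the only entry that goes through the new helper, while the literal `{ name = …; ensurePermissions = { "DATABASE \"…\"" = "ALL PRIVILEGES"; }; }` entries above it keep the old form, so one list now has two spellings of the same thing. Assuming the `vaultwarden` entry (not visible) follows the same pattern as `gitea`, `vault` and `authentik`, the whole list can become `ensureUsers = map user [ "gitea" "vault" "vaultwarden" "authentik" "umami" ];`, or the helper can be dropped; the list opens in the previous hunk, only its `];` and `enableTCPIP = true;` are in this one.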
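Review bot: Both statements grant `"Principal": {"AWS": ["*"]}`, i.e. anonymous access, and the second one includes `s3:PutObject`, `s3:DeleteObject` and `s3:AbortMultipartUpload` on `arn:aws:s3:::galerie/*`, so anyone who can reach the endpoint can overwrite or delete every object in the `galerie` bucket and upload arbitrary content into it, after enumerating it through the bucket-level `s3:ListBucket` grant. If the intent is a public read-only gallery, the anonymous statement should contain only `s3:GetObject`, with the list and write actions moved to statements whose principal is the specific uploader identity. The file also sits at the repository root with nothing saying which endpoint or bucket server applies it — the `cdn-control` manifests deleted in this same commit were the tree's S3 consumer with `CDN_*` credentials — so a README line naming where it is applied is needed. The rewrite below keeps the structure and splits the grants; the uploader ARN is a placeholder to be filled in.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": { "AWS": ["*"] },
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::galerie/*"]
    },
    {
      "Sid": "UploaderBucket",
      "Effect": "Allow",
      "Principal": { "AWS": ["<UPLOADER_PRINCIPAL_ARN_PLACEHOLDER>"] },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": ["arn:aws:s3:::galerie"]
    },
    {
      "Sid": "UploaderObjects",
      "Effect": "Allow",
      "Principal": { "AWS": ["<UPLOADER_PRINCIPAL_ARN_PLACEHOLDER>"] },
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": ["arn:aws:s3:::galerie/*"]
    }
  ]
}
```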