diff --git a/state/gullfaxi/system/cilium/application.yaml b/state/gullfaxi/system/cilium/application.yaml
new file mode 100644
index 0000000..f12c1da
--- /dev/null
+++ b/state/gullfaxi/system/cilium/application.yaml
@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cilium
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  project: system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: https://helm.cilium.io/
+    chart: cilium
+    targetRevision: 1.14.1
+    helm:
+      values: |
+        # https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml
+        kubeProxyReplacement: strict
+        k8sServiceHost: 192.168.1.8
+        k8sServicePort: 6443
+        operator:
+          replicas: 1
+        bpf:
+          masquerade: true
+        hubble:
+          relay:
+            enabled: true
+          ui:
+            enabled: true
+            ingress:
+              enabled: true
+              className: nginx
+              annotations:
+                cert-manager.io/cluster-issuer: letsencrypt
+                nginx.ingress.kubernetes.io/auth-url: "https://oauth2.ioot.xyz/oauth2/auth"
+                nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.ioot.xyz/oauth2/start?rd=$scheme://$host$request_uri"
+              hosts:
+                - hubble.ioot.xyz
+              tls:
+                - hosts:
+                    - hubble.ioot.xyz
+                  secretName: hubble-tls