diff --git a/contexts/default/blueprint.yaml b/contexts/colima/blueprint.yaml
similarity index 71%
rename from contexts/default/blueprint.yaml
rename to contexts/colima/blueprint.yaml
index a7706160..bea08de9 100644
--- a/contexts/default/blueprint.yaml
+++ b/contexts/colima/blueprint.yaml
@@ -1,8 +1,8 @@
 kind: Blueprint
 apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
-  name: default
-  description: This blueprint outlines resources in the local context
+  name: colima
+  description: This blueprint configures core for running in a Colima managed VM
 repository:
   url: http://git.test/git/core
   ref:
@@ -29,6 +29,7 @@ kustomize:
   path: pki/base
   dependsOn:
   - policy-resources
+  force: true
   components:
   - cert-manager
   - trust-manager
@@ -36,36 +37,50 @@ kustomize:
   path: pki/resources
   dependsOn:
   - pki-base
-  - policy-resources
+  force: true
   components:
   - private-issuer/ca
   - public-issuer/selfsigned
+- name: dns
+  path: dns
+  dependsOn:
+  - pki-base
+  force: true
+  components:
+  - coredns
+  - coredns/etcd
+  - external-dns
+  - external-dns/coredns
+  - external-dns/ingress
 - name: lb-base
   path: lb/base
   dependsOn:
   - policy-resources
+  force: true
   components:
   - metallb
 - name: lb-resources
   path: lb/resources
   dependsOn:
   - lb-base
-  - policy-resources
+  force: true
   components:
   - metallb/layer2
 - name: ingress-base
   path: ingress/base
   dependsOn:
   - pki-resources
-  - policy-resources
+  force: true
   components:
   - nginx
-  - nginx/nodeport-web
-  - nginx/nodeport-flux-webhook
+  - nginx/loadbalancer
+  - nginx/coredns
+  - nginx/flux-webhook
+  - nginx/web
 - name: gitops
   path: gitops/flux
   dependsOn:
   - ingress-base
-  - policy-resources
+  force: true
   components:
   - webhook
diff --git a/contexts/colima/terraform/cluster/talos.tfvars b/contexts/colima/terraform/cluster/talos.tfvars
new file mode 100644
index 00000000..7d619af7
--- /dev/null
+++ b/contexts/colima/terraform/cluster/talos.tfvars
@@ -0,0 +1,25 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
+
+// The external controlplane API endpoint of the kubernetes API
+cluster_endpoint = "https://10.5.0.2:6443"
+
+// The name of the cluster
+cluster_name = "talos"
+
+// A YAML string of common config patches to apply
+common_config_patches = "\"cluster\":\n  \"apiServer\":\n    \"certSANs\":\n    - \"localhost\"\n    - \"10.5.0.2\"\n  \"extraManifests\":\n  - \"https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml\"\n\"machine\":\n  \"certSANs\":\n  - \"localhost\"\n  - \"10.5.0.2\"\n  \"features\":\n    \"hostDNS\":\n      \"forwardKubeDNSToHost\": true\n  \"kubelet\":\n    \"extraArgs\":\n      \"rotate-server-certificates\": \"true\"\n  \"network\":\n    \"interfaces\":\n    - \"ignore\": true\n      \"interface\": \"eth0\"\n  \"registries\":\n    \"mirrors\":\n      \"gcr.io\":\n        \"endpoints\":\n        - \"http://gcr.test:5000\"\n      \"ghcr.io\":\n        \"endpoints\":\n        - \"http://ghcr.test:5000\"\n      \"quay.io\":\n        \"endpoints\":\n        - \"http://quay.test:5000\"\n      \"registry-1.docker.io\":\n        \"endpoints\":\n        - \"http://registry-1.docker.test:5000\"\n      \"registry.k8s.io\":\n        \"endpoints\":\n        - \"http://registry.k8s.test:5000\"\n      \"registry.test\":\n        \"endpoints\":\n        - \"http://registry.test:5000\""
+
+// Machine config details for control planes
+controlplanes = [{
+  endpoint = "10.5.0.2:50000"
+  hostname = "controlplane-1.test"
+  node     = "10.5.0.2"
+}]
+
+// Machine config details for workers
+workers = [{
+  endpoint = "10.5.0.11:50000"
+  hostname = "worker-1.test"
+  node     = "10.5.0.11"
+}]
diff --git a/contexts/default/terraform/gitops/flux.tfvars b/contexts/colima/terraform/gitops/flux.tfvars
similarity index 100%
rename from contexts/default/terraform/gitops/flux.tfvars
rename to contexts/colima/terraform/gitops/flux.tfvars
diff --git a/contexts/default/terraform/cluster/talos.tfvars b/contexts/default/terraform/cluster/talos.tfvars
deleted file mode 100644
index 38591164..00000000
--- a/contexts/default/terraform/cluster/talos.tfvars
+++ /dev/null
@@ -1,67 +0,0 @@
-// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
-// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
-
-// The external controlplane API endpoint of the kubernetes API
-cluster_endpoint = "https://127.0.0.1:6443"
-
-// The name of the cluster
-cluster_name = "talos"
-
-// A YAML string of common config patches to apply
-common_config_patches = <<EOF
-cluster:
-  apiServer:
-    certSANs:
-    - localhost
-    - 127.0.0.1
-  extraManifests:
-  - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml
-machine:
-  certSANs:
-  - localhost
-  - 127.0.0.1
-  features:
-    hostDNS:
-      forwardKubeDNSToHost: true
-  kubelet:
-    extraArgs:
-      rotate-server-certificates: "true"
-  network:
-    interfaces:
-    - ignore: true
-      interface: eth0
-  registries:
-    mirrors:
-      gcr.io:
-        endpoints:
-        - http://gcr.test:5000
-      ghcr.io:
-        endpoints:
-        - http://ghcr.test:5000
-      quay.io:
-        endpoints:
-        - http://quay.test:5000
-      registry-1.docker.io:
-        endpoints:
-        - http://registry-1.docker.test:5000
-      registry.k8s.io:
-        endpoints:
-        - http://registry.k8s.test:5000
-      registry.test:
-        endpoints:
-        - http://registry.test:5000
-EOF
-
-// Machine config details for control planes
-controlplanes = [{
-  endpoint = "127.0.0.1:50000"
-  hostname = "controlplane-1.test"
-  node     = "127.0.0.1"
-}]
-
-// Machine config details for workers
-workers = [{
-  endpoint = "127.0.0.1:50001"
-  hostname = "worker-1.test"
-  node     = "127.0.0.1"
-}]
diff --git a/contexts/docker-desktop/blueprint.yaml b/contexts/docker-desktop/blueprint.yaml
new file mode 100644
index 00000000..3e8651a1
--- /dev/null
+++ b/contexts/docker-desktop/blueprint.yaml
@@ -0,0 +1,60 @@
+kind: Blueprint
+apiVersion: blueprints.windsorcli.dev/v1alpha1
+metadata:
+  name: docker-desktop
+  description: This blueprint configures core for running on Docker Desktop
+repository:
+  url: http://git.test/git/core
+  ref:
+    branch: main
+  secretName: flux-system
+sources:
+- name: core
+  url: github.com/windsorcli/core
+  ref:
+    branch: main
+terraform:
+- path: cluster/talos
+- path: gitops/flux
+kustomize:
+- name: policy-base
+  path: policy/base
+  components:
+  - kyverno
+- name: policy-resources
+  path: policy/resources
+  dependsOn:
+  - policy-base
+- name: pki-base
+  path: pki/base
+  dependsOn:
+  - policy-resources
+  force: true
+  components:
+  - cert-manager
+  - trust-manager
+- name: pki-resources
+  path: pki/resources
+  dependsOn:
+  - pki-base
+  force: true
+  components:
+  - private-issuer/ca
+  - public-issuer/selfsigned
+- name: ingress-base
+  path: ingress/base
+  dependsOn:
+  - pki-resources
+  force: true
+  components:
+  - nginx
+  - nginx/nodeport
+  - nginx/flux-webhook
+  - nginx/web
+- name: gitops
+  path: gitops/flux
+  dependsOn:
+  - ingress-base
+  force: true
+  components:
+  - webhook
diff --git a/contexts/docker-desktop/terraform/cluster/talos.tfvars b/contexts/docker-desktop/terraform/cluster/talos.tfvars
new file mode 100644
index 00000000..c2530918
--- /dev/null
+++ b/contexts/docker-desktop/terraform/cluster/talos.tfvars
@@ -0,0 +1,25 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
+
+// The external controlplane API endpoint of the kubernetes API
+cluster_endpoint = "https://127.0.0.1:6443"
+
+// The name of the cluster
+cluster_name = "talos"
+
+// A YAML string of common config patches to apply
+common_config_patches = "\"cluster\":\n  \"apiServer\":\n    \"certSANs\":\n    - \"localhost\"\n    - \"127.0.0.1\"\n  \"extraManifests\":\n  - \"https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml\"\n\"machine\":\n  \"certSANs\":\n  - \"localhost\"\n  - \"127.0.0.1\"\n  \"features\":\n    \"hostDNS\":\n      \"forwardKubeDNSToHost\": true\n  \"kubelet\":\n    \"extraArgs\":\n      \"rotate-server-certificates\": \"true\"\n  \"network\":\n    \"interfaces\":\n    - \"ignore\": true\n      \"interface\": \"eth0\"\n  \"registries\":\n    \"mirrors\":\n      \"gcr.io\":\n        \"endpoints\":\n        - \"http://gcr.test:5000\"\n      \"ghcr.io\":\n        \"endpoints\":\n        - \"http://ghcr.test:5000\"\n      \"quay.io\":\n        \"endpoints\":\n        - \"http://quay.test:5000\"\n      \"registry-1.docker.io\":\n        \"endpoints\":\n        - \"http://registry-1.docker.test:5000\"\n      \"registry.k8s.io\":\n        \"endpoints\":\n        - \"http://registry.k8s.test:5000\"\n      \"registry.test\":\n        \"endpoints\":\n        - \"http://registry.test:5000\""
+
+// Machine config details for control planes
+controlplanes = [{
+  endpoint = "127.0.0.1:50000"
+  hostname = "controlplane-1.test"
+  node     = "127.0.0.1"
+}]
+
+// Machine config details for workers
+workers = [{
+  endpoint = "127.0.0.1:50001"
+  hostname = "worker-1.test"
+  node     = "127.0.0.1"
+}]
diff --git a/contexts/docker-desktop/terraform/gitops/flux.tfvars b/contexts/docker-desktop/terraform/gitops/flux.tfvars
new file mode 100644
index 00000000..578c5f9d
--- /dev/null
+++ b/contexts/docker-desktop/terraform/gitops/flux.tfvars
@@ -0,0 +1,11 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/gitops/flux?ref=main
+
+// The git password or PAT used to authenticate with the git provider
+git_password = "local"
+
+// The git user to use to authenticate with the git provider
+git_username = "local"
+
+// The token to use for the webhook
+webhook_token = "abcdef123456"
diff --git a/kustomize/dns/coredns/etcd/certificates.yaml b/kustomize/dns/coredns/etcd/certificates.yaml
new file mode 100644
index 00000000..87f93422
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/certificates.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-peer
+  namespace: system-dns
+spec:
+  secretName: etcd-peer-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: etcd-peer-coredns
+  dnsNames:
+    - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-server
+  namespace: system-dns
+spec:
+  secretName: etcd-server-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: etcd-coredns
+  dnsNames:
+    - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+  usages:
+    - server auth
+    - client auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-client
+  namespace: system-dns
+spec:
+  secretName: etcd-client-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: etcd-coredns
+  usages:
+    - client auth
diff --git a/kustomize/ingress/base/nginx/nodeport-flux-webhook/kustomization.yaml b/kustomize/dns/coredns/etcd/ha/kustomization.yaml
similarity index 100%
rename from kustomize/ingress/base/nginx/nodeport-flux-webhook/kustomization.yaml
rename to kustomize/dns/coredns/etcd/ha/kustomization.yaml
diff --git a/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml b/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml
new file mode 100644
index 00000000..d44aee22
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml
@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: etcd-coredns
+  namespace: system-dns
+spec:
+  values:
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+            - key: "app.kubernetes.io/name"
+              operator: In
+              values:
+              - etcd
+          topologyKey: "kubernetes.io/hostname"
diff --git a/kustomize/dns/coredns/etcd/helm-release.yaml b/kustomize/dns/coredns/etcd/helm-release.yaml
new file mode 100644
index 00000000..bcec714c
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/helm-release.yaml
@@ -0,0 +1,59 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: etcd-coredns
+  namespace: system-dns
+spec:
+  interval: 5m
+  timeout: 10m
+  chart:
+    spec:
+      chart: etcd
+      # renovate: datasource=helm depName=etcd package=etcd helmRepo=https://charts.bitnami.com/bitnami
+      version: 10.2.6
+      sourceRef:
+        kind: HelmRepository
+        name: coredns-etcd-bitnami
+        namespace: system-gitops
+  values:      
+    # global:
+    #   storageClass: single
+    replicaCount: 3
+    securityContext:
+      fsGroup: 1000
+    # Modifies the liveness probe to behave like the other probes. Endpoint healthchecks with mTLS are not supported by k8s.
+    customLivenessProbe:
+      exec:
+        command:
+        - /opt/bitnami/scripts/etcd/healthcheck.sh
+      initialDelaySeconds: 60
+      periodSeconds: 10
+      timeoutSeconds: 5
+      successThreshold: 1
+      failureThreshold: 5
+    auth:
+      rbac:
+        create: false
+        allowNoneAuthentication: true
+      peer:
+        useAutoTLS: false
+        secureTransport: true
+        enableAuthentication: true
+        certFilename: tls.crt
+        certKeyFilename: tls.key
+        caFilename: ca.crt
+        existingSecret: etcd-peer-tls
+      client:
+        secureTransport: true
+        enableAuthentication: true
+        certFilename: tls.crt
+        certKeyFilename: tls.key
+        caFilename: ca.crt
+        # The server certificate is what etcd serves to clients
+        existingSecret: etcd-server-tls
+    persistence:
+      enabled: false
+    resources:
+      requests:
+        cpu: 200m
+        memory: 256Mi
diff --git a/kustomize/dns/coredns/etcd/helm-repository.yaml b/kustomize/dns/coredns/etcd/helm-repository.yaml
new file mode 100644
index 00000000..77b7fa10
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/helm-repository.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: coredns-etcd-bitnami
+  namespace: system-gitops
+spec:
+  interval: 10m
+  timeout: 3m
+  url: https://charts.bitnami.com/bitnami
diff --git a/kustomize/dns/coredns/etcd/kustomization.yaml b/kustomize/dns/coredns/etcd/kustomization.yaml
new file mode 100644
index 00000000..3638156d
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - certificates.yaml
+  - helm-repository.yaml
+  - helm-release.yaml
+patches:
+  - path: patches/patch.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: coredns
+      namespace: system-dns
diff --git a/kustomize/dns/coredns/etcd/patches/patch.yaml b/kustomize/dns/coredns/etcd/patches/patch.yaml
new file mode 100644
index 00000000..f99092b3
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/patches/patch.yaml
@@ -0,0 +1,17 @@
+- op: add
+  path: /spec/dependsOn/-
+  value:
+    name: etcd-coredns
+    namespace: system-dns
+- op: add
+  path: /spec/values/extraVolumes/-
+  value:
+    name: etcd-client-tls
+    secret:
+      secretName: etcd-client-tls
+- op: add
+  path: /spec/values/extraVolumeMounts/-
+  value:
+    name: etcd-client-tls
+    mountPath: /etc/coredns/tls
+    readOnly: true
diff --git a/kustomize/dns/coredns/helm-release.yaml b/kustomize/dns/coredns/helm-release.yaml
new file mode 100644
index 00000000..67d60a82
--- /dev/null
+++ b/kustomize/dns/coredns/helm-release.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: coredns
+  namespace: system-dns
+spec:
+  interval: 5m
+  timeout: 10m
+  dependsOn: []
+  chart:
+    spec:
+      chart: coredns
+      # renovate: datasource=helm depName=coredns package=coredns helmRepo=https://coredns.github.io/helm
+      version: 1.35.0
+      sourceRef: 
+        kind: HelmRepository
+        name: coredns
+        namespace: system-gitops
+  values:
+    isClusterService: false
+    extraVolumes: []
+    extraVolumeMounts: []
+    servers:
+      - zones:
+          - zone: .
+        port: 53
+        plugins:
+          - name: errors
+          - name: health
+            configBlock: |-
+              lameduck 5s
+          - name: forward
+            parameters: . 1.1.1.1 8.8.8.8
+          - name: ready
+          - name: prometheus
+            parameters: 0.0.0.0:9153
+          - name: cache
+            parameters: 30
+          - name: loop
+          - name: reload
+          - name: loadbalance
diff --git a/kustomize/dns/coredns/helm-repository.yaml b/kustomize/dns/coredns/helm-repository.yaml
new file mode 100644
index 00000000..e9176cbc
--- /dev/null
+++ b/kustomize/dns/coredns/helm-repository.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: coredns
+  namespace: system-gitops
+spec:
+  interval: 10m
+  timeout: 3m
+  url: https://coredns.github.io/helm
diff --git a/kustomize/dns/coredns/kustomization.yaml b/kustomize/dns/coredns/kustomization.yaml
new file mode 100644
index 00000000..e768af5d
--- /dev/null
+++ b/kustomize/dns/coredns/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - helm-repository.yaml
+  - helm-release.yaml
diff --git a/kustomize/dns/external-dns/coredns/kustomization.yaml b/kustomize/dns/external-dns/coredns/kustomization.yaml
new file mode 100644
index 00000000..25e5cb2a
--- /dev/null
+++ b/kustomize/dns/external-dns/coredns/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: external-dns
+      namespace: system-dns
+    path: patches/helm-release.yaml
diff --git a/kustomize/dns/external-dns/coredns/patches/helm-release.yaml b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml
new file mode 100644
index 00000000..87e40864
--- /dev/null
+++ b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml
@@ -0,0 +1,45 @@
+- op: add
+  path: /spec/dependsOn/-
+  value:
+    name: etcd-coredns
+    namespace: system-dns
+- op: add
+  path: /spec/values/provider
+  value: coredns
+- op: add
+  path: /spec/values/env/-
+  value:
+    name: ETCD_URLS
+    value: https://etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379
+- op: add
+  path: /spec/values/env/-
+  value:
+    name: ETCD_CA_FILE
+    value: /etc/external-dns/tls/ca.crt
+- op: add
+  path: /spec/values/env/-
+  value:
+    name: ETCD_CERT_FILE
+    value: /etc/external-dns/tls/tls.crt
+- op: add
+  path: /spec/values/env/-
+  value:
+    name: ETCD_KEY_FILE
+    value: /etc/external-dns/tls/tls.key
+- op: add
+  path: /spec/values/env/-
+  value:
+    name: ETCD_TLS_SERVER_NAME
+    value: etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}
+- op: add
+  path: /spec/values/extraVolumes/-
+  value:
+    name: etcd-tls
+    secret:
+      secretName: etcd-client-tls
+- op: add
+  path: /spec/values/extraVolumeMounts/-
+  value:
+    name: etcd-tls
+    mountPath: /etc/external-dns/tls
+    readOnly: true
diff --git a/kustomize/dns/external-dns/helm-release.yaml b/kustomize/dns/external-dns/helm-release.yaml
new file mode 100644
index 00000000..b4a14e3c
--- /dev/null
+++ b/kustomize/dns/external-dns/helm-release.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: system-dns
+spec:
+  interval: 5m
+  timeout: 10m
+  dependsOn: []
+  chart:
+    spec:
+      chart: external-dns
+      # renovate: datasource=helm depName=external-dns package=external-dns helmRepo=https://kubernetes-sigs.github.io/external-dns/
+      version: 1.15.0
+      sourceRef: 
+        kind: HelmRepository
+        name: external-dns
+        namespace: system-gitops
+  values:
+    env: []
+    extraVolumes: []
+    extraVolumeMounts: []
+    sources: []
+    domainFilters:
+      - "${DOMAIN}"
diff --git a/kustomize/dns/external-dns/helm-repository.yaml b/kustomize/dns/external-dns/helm-repository.yaml
new file mode 100644
index 00000000..fd0c9420
--- /dev/null
+++ b/kustomize/dns/external-dns/helm-repository.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-dns
+  namespace: system-gitops
+spec:
+  interval: 10m
+  timeout: 3m
+  url: https://kubernetes-sigs.github.io/external-dns/
diff --git a/kustomize/ingress/base/nginx/nodeport-web/kustomization.yaml b/kustomize/dns/external-dns/ingress/kustomization.yaml
similarity index 100%
rename from kustomize/ingress/base/nginx/nodeport-web/kustomization.yaml
rename to kustomize/dns/external-dns/ingress/kustomization.yaml
diff --git a/kustomize/dns/external-dns/ingress/patches/helm-release.yaml b/kustomize/dns/external-dns/ingress/patches/helm-release.yaml
new file mode 100644
index 00000000..c89614ca
--- /dev/null
+++ b/kustomize/dns/external-dns/ingress/patches/helm-release.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: system-dns
+spec:
+  values:
+    sources:
+      - ingress
diff --git a/kustomize/dns/external-dns/kustomization.yaml b/kustomize/dns/external-dns/kustomization.yaml
new file mode 100644
index 00000000..e768af5d
--- /dev/null
+++ b/kustomize/dns/external-dns/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - helm-repository.yaml
+  - helm-release.yaml
diff --git a/kustomize/dns/kustomization.yaml b/kustomize/dns/kustomization.yaml
new file mode 100644
index 00000000..e8aa5f88
--- /dev/null
+++ b/kustomize/dns/kustomization.yaml
@@ -0,0 +1,2 @@
+resources: 
+  - namespace.yaml
diff --git a/kustomize/dns/namespace.yaml b/kustomize/dns/namespace.yaml
new file mode 100644
index 00000000..91870ec5
--- /dev/null
+++ b/kustomize/dns/namespace.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system-dns
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline
diff --git a/kustomize/ingress/base/nginx/coredns/kustomization.yaml b/kustomize/ingress/base/nginx/coredns/kustomization.yaml
new file mode 100644
index 00000000..8138d116
--- /dev/null
+++ b/kustomize/ingress/base/nginx/coredns/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - path: patches/helm-release.yaml
diff --git a/kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml b/kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml
new file mode 100644
index 00000000..a317f6d2
--- /dev/null
+++ b/kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ingress-nginx-controller
+  namespace: system-ingress
+spec:
+  values:
+    controller:
+      service:
+        enableUDP: true
+        nodePorts:
+          udp:
+            "53": 30053
+          tcp:
+            "53": 30053
+    udp:
+      "53": "system-dns/coredns:53"
+    tcp:
+      "53": "system-dns/coredns:53"
diff --git a/kustomize/ingress/base/nginx/flux-webhook/kustomization.yaml b/kustomize/ingress/base/nginx/flux-webhook/kustomization.yaml
new file mode 100644
index 00000000..8138d116
--- /dev/null
+++ b/kustomize/ingress/base/nginx/flux-webhook/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - path: patches/helm-release.yaml
diff --git a/kustomize/ingress/base/nginx/nodeport-flux-webhook/patches/helm-release.yaml b/kustomize/ingress/base/nginx/flux-webhook/patches/helm-release.yaml
similarity index 92%
rename from kustomize/ingress/base/nginx/nodeport-flux-webhook/patches/helm-release.yaml
rename to kustomize/ingress/base/nginx/flux-webhook/patches/helm-release.yaml
index 34dc197b..505cf4c5 100644
--- a/kustomize/ingress/base/nginx/nodeport-flux-webhook/patches/helm-release.yaml
+++ b/kustomize/ingress/base/nginx/flux-webhook/patches/helm-release.yaml
@@ -8,7 +8,6 @@ spec:
   values:
     controller:
       service:
-        type: NodePort
         nodePorts:
           tcp:
             "9292": 30292
diff --git a/kustomize/ingress/base/nginx/helm-release.yaml b/kustomize/ingress/base/nginx/helm-release.yaml
index 281476bc..ea624b08 100644
--- a/kustomize/ingress/base/nginx/helm-release.yaml
+++ b/kustomize/ingress/base/nginx/helm-release.yaml
@@ -20,3 +20,4 @@ spec:
     controller:
       service:
         enableHttp: false
+        enableTls: false
diff --git a/kustomize/ingress/base/nginx/loadbalancer/kustomization.yaml b/kustomize/ingress/base/nginx/loadbalancer/kustomization.yaml
new file mode 100644
index 00000000..8138d116
--- /dev/null
+++ b/kustomize/ingress/base/nginx/loadbalancer/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - path: patches/helm-release.yaml
diff --git a/kustomize/ingress/base/nginx/loadbalancer/patches/helm-release.yaml b/kustomize/ingress/base/nginx/loadbalancer/patches/helm-release.yaml
new file mode 100644
index 00000000..265775b8
--- /dev/null
+++ b/kustomize/ingress/base/nginx/loadbalancer/patches/helm-release.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ingress-nginx-controller
+  namespace: system-ingress
+spec:
+  values:
+    controller:
+      service:
+        type: LoadBalancer
+        loadBalancerIP: ${LOADBALANCER_IP_START}
diff --git a/kustomize/ingress/base/nginx/nodeport/kustomization.yaml b/kustomize/ingress/base/nginx/nodeport/kustomization.yaml
new file mode 100644
index 00000000..8138d116
--- /dev/null
+++ b/kustomize/ingress/base/nginx/nodeport/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - path: patches/helm-release.yaml
diff --git a/kustomize/ingress/base/nginx/nodeport/patches/helm-release.yaml b/kustomize/ingress/base/nginx/nodeport/patches/helm-release.yaml
new file mode 100644
index 00000000..bf19c638
--- /dev/null
+++ b/kustomize/ingress/base/nginx/nodeport/patches/helm-release.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ingress-nginx-controller
+  namespace: system-ingress
+spec:
+  values:
+    controller:
+      service:
+        type: NodePort
diff --git a/kustomize/ingress/base/nginx/web/kustomization.yaml b/kustomize/ingress/base/nginx/web/kustomization.yaml
new file mode 100644
index 00000000..8138d116
--- /dev/null
+++ b/kustomize/ingress/base/nginx/web/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+  - path: patches/helm-release.yaml
diff --git a/kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml b/kustomize/ingress/base/nginx/web/patches/helm-release.yaml
similarity index 91%
rename from kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml
rename to kustomize/ingress/base/nginx/web/patches/helm-release.yaml
index 04d898dd..0dbc9ded 100644
--- a/kustomize/ingress/base/nginx/nodeport-web/patches/helm-release.yaml
+++ b/kustomize/ingress/base/nginx/web/patches/helm-release.yaml
@@ -8,8 +8,8 @@ spec:
   values:
     controller:
       service:
-        type: NodePort
         enableHttp: true
+        enableTls: true
         nodePorts:
           http: 30080
           https: 30443
diff --git a/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml b/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml
index 3ef04257..ee2903d3 100644
--- a/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml
+++ b/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 patches:
-  - path: patches/private-issuer.yaml
+  - path: patches/issuer.yaml
diff --git a/kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml b/kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml
new file mode 100644
index 00000000..d36ac5f6
--- /dev/null
+++ b/kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: private
+spec:
+  selfSigned: {}
diff --git a/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml b/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml
index e1e62721..ee2903d3 100644
--- a/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml
+++ b/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 patches:
-  - path: patches/public-issuer.yaml
+  - path: patches/issuer.yaml
diff --git a/kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml b/kustomize/pki/resources/public-issuer/selfsigned/patches/issuer.yaml
similarity index 100%
rename from kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml
rename to kustomize/pki/resources/public-issuer/selfsigned/patches/issuer.yaml
diff --git a/windsor.yaml b/windsor.yaml
index 39e67f29..b362a709 100644
--- a/windsor.yaml
+++ b/windsor.yaml
@@ -1,6 +1,6 @@
 version: v1alpha1
 contexts:
-  default:
+  colima:
     docker:
       enabled: true
       registries:
@@ -30,7 +30,7 @@ contexts:
       enabled: true
       backend: local
     vm:
-      driver: docker-desktop
+      driver: colima
     cluster:
       enabled: true
       driver: talos
@@ -42,10 +42,6 @@ contexts:
         count: 1
         cpu: 4
         memory: 4
-        nodeports:
-        - 8080:30080/tcp
-        - 8443:30443/tcp
-        - 9292:30292/tcp
     network:
       cidr_block: 10.5.0.0/16
       loadbalancer_ips:
@@ -54,3 +50,56 @@ contexts:
     dns:
       enabled: true
       domain: test
+      forward:
+      - 10.5.1.1
+      - 1.1.1.1
+      - 8.8.8.8
+  docker-desktop:
+    docker:
+      enabled: true
+      registries:
+        gcr.io:
+          remote: https://gcr.io
+        ghcr.io:
+          remote: https://ghcr.io
+        quay.io:
+          remote: https://quay.io
+        registry-1.docker.io:
+          remote: https://registry-1.docker.io
+          local: https://docker.io
+        registry.k8s.io:
+          remote: https://registry.k8s.io
+        registry.test: {}
+    git:
+      livereload:
+        enabled: true
+        rsync_exclude: .windsor,.terraform,data,.volumes,.venv
+        rsync_protect: flux-system
+        username: local
+        password: local
+        webhook_url: http://worker-1.test:30292/hook/5dc88e45e809fb0872b749c0969067e2c1fd142e17aed07573fad20553cc0c59
+        verify_ssl: false
+        image: ghcr.io/windsorcli/git-livereload:v0.1.1
+    terraform:
+      enabled: true
+      backend: local
+    vm:
+      driver: docker-desktop
+    cluster:
+      enabled: true
+      driver: talos
+      controlplanes:
+        count: 1
+        cpu: 2
+        memory: 2
+      workers:
+        count: 1
+        cpu: 4
+        memory: 4
+        hostports:
+        - 8080:30080/tcp
+        - 8443:30443/tcp
+        - 9292:30292/tcp
+    dns:
+      enabled: true
+      domain: test