diff --git a/dmz/vault/templates/secret-store.yaml b/dmz/vault/templates/secret-store.yaml
new file mode 100644
index 0000000..60b7e93
--- /dev/null
+++ b/dmz/vault/templates/secret-store.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.infra.durp.info"
+      path: "kv"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "external-secrets"
+          serviceAccountRef:
+            name: "vault-dmz"