diff --git a/Makefile b/Makefile
index c4dcd6c..f7f3b53 100644
--- a/Makefile
+++ b/Makefile
@@ -18,14 +18,14 @@ DEVCLUSTEROUT = $(DEVOUT)/cluster.yaml
 PRODOUT = $(OUTDIR)/prod
 PRODMANIFESTOUT = $(PRODOUT)/manifest.yaml
 PRODMANIFESTSRC = kustomize/overlays/prod
-PRODCLUSTERTOUT = $(PRODOUT)/cluster.yaml
-PRODCLUSTERTSRC = kustomize/overlays/prod-cluster
+PRODCLUSTEROUT = $(PRODOUT)/cluster.yaml
+PRODCLUSTERSRC = kustomize/overlays/prod-cluster
 ifeq ($(environment),prod)
 environment = prod
 ENVOUTDIR = $(PRODOUT)
- ENVOUTFILE = $(PRODMANIFESTOUT) $(PRODCLUSTERTOUT)
+ ENVOUTFILE = $(PRODMANIFESTOUT) $(PRODCLUSTEROUT)
 else
 environment = dev
diff --git a/kustomize/bases/longhorn/kustomization.yaml b/kustomize/bases/longhorn/kustomization.yaml
new file mode 100644
index 0000000..393ecad
--- /dev/null
+++ b/kustomize/bases/longhorn/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - https://raw.githubusercontent.com/longhorn/longhorn/v1.2.0/deploy/longhorn.yaml
\ No newline at end of file
diff --git a/kustomize/overlays/dev/cert-manager/clusterissuer.yaml b/kustomize/overlays/dev/cert-manager/clusterissuer.yaml
deleted file mode 100644
index 58f1934..0000000
--- a/kustomize/overlays/dev/cert-manager/clusterissuer.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cert-manager.io/v1alpha2
-kind: ClusterIssuer
-metadata:
- name: letsencrypt
- namespace: cert-manager
-spec:
- acme:
- # You must replace this email address with your own.
- # Let's Encrypt will use this to contact you about expiring
- # certificates, and issues related to your account.
- email: marchambault@badjware.dev
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- # Secret resource that will be used to store the account's private key.
- name: letsencrypt-cert
- solvers:
- - selector:
- dnsZones:
- - local.badjware.dev
- dns01:
- cnameStrategy: Follow
- digitalocean:
- tokenSecretRef:
- name: digitalocean-api-key
- key: access-token
\ No newline at end of file
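Review bot: The `resources:` entry in kustomize/bases/longhorn/kustomization.yaml fetches the Longhorn manifest from raw.githubusercontent.com on every build, pinned only to the tag `v1.2.0` and with no integrity check. A tag can be re-pointed upstream, so whatever that URL serves at build time is what the prod-cluster overlay applies to the cluster; a storage system's manifest typically carries cluster-wide RBAC and privileged workloads, though the manifest itself is not part of this diff. I would vendor the file into the repository and reference it locally, `- longhorn.yaml`, or at least replace the tag in the URL with the full commit SHA, so that an upgrade shows up as a reviewable diff. The file also has no trailing newline.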
diff --git a/kustomize/overlays/dev/cert-manager/kustomizeconfig.yaml b/kustomize/overlays/dev/cert-manager/kustomizeconfig.yaml
deleted file mode 100644
index e4c3acb..0000000
--- a/kustomize/overlays/dev/cert-manager/kustomizeconfig.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-nameReference:
- - version: v1
- kind: Secret
- fieldSpecs:
- - kind: ClusterIssuer
- path: spec/acme/solvers/dns01/digitalocean/tokenSecretRef/name
diff --git a/kustomize/overlays/dev/placeholders.txt b/kustomize/overlays/dev/placeholders.txt
index f7ded37..292e9b0 100644
--- a/kustomize/overlays/dev/placeholders.txt
+++ b/kustomize/overlays/dev/placeholders.txt
@@ -1,6 +1,7 @@
-DRONE_EXTERNAL_HOST=drone.localhost
 GITEA_EXTERNAL_HOST=gitea.localhost
+NEXTCLOUD_EXTERNAL_HOST=nextcloud.localhost
+
+DRONE_EXTERNAL_HOST=drone.localhost
 GRAFANA_EXTERNAL_HOST=grafana.localhost
 KUBERNETES_DASHBOARD_EXTERNAL_HOST=kubernetes-dashboard.localhost
-NEXTCLOUD_EXTERNAL_HOST=nextcloud.localhost
 PROMETHEUS_EXTERNAL_HOST=prometheus.localhost
diff --git a/kustomize/overlays/prod-cluster/kustomization.yaml b/kustomize/overlays/prod-cluster/kustomization.yaml
new file mode 100644
index 0000000..69f103b
--- /dev/null
+++ b/kustomize/overlays/prod-cluster/kustomization.yaml
@@ -0,0 +1,9 @@
+bases:
+ - ../../namespaces/kube-system
+ - ../../namespaces/operators
+ - ../../bases/longhorn
+ # - ../../namespaces/cert-manager
+
+# allow "kubectl apply -l managed-by=cluster --prune ..."
+commonlabels:
+ managed-by: kustomize-cluster
diff --git a/kustomize/overlays/prod/cert-manager/clusterissuer.yaml b/kustomize/overlays/prod/cert-manager/clusterissuer.yaml
deleted file mode 100644
index 3793dc1..0000000
--- a/kustomize/overlays/prod/cert-manager/clusterissuer.yaml
+++ /dev/null
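Review bot: The comment above `commonlabels` in kustomize/overlays/prod-cluster/kustomization.yaml documents the selector `managed-by=cluster`, but the label the file actually sets is `managed-by: kustomize-cluster`. Because that comment is meant to be copied into a `kubectl apply --prune` command, and pruning deletes objects by label selector, the two should agree: `# allow "kubectl apply -l managed-by=kustomize-cluster --prune ..."`. It is also worth confirming that the Makefile's apply step uses the same selector and that it stays distinct from the `managed-by: kustomize` label of the app overlay, so that pruning one set cannot remove the other's objects; the apply recipes are outside this diff. Kustomize documents the field as `commonLabels`; the lowercase spelling may be tolerated by the parser but is worth normalising.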
@@ -1,25 +0,0 @@
-apiVersion: cert-manager.io/v1alpha2
-kind: ClusterIssuer
-metadata:
- name: letsencrypt
- namespace: cert-manager
-spec:
- acme:
- # You must replace this email address with your own.
- # Let's Encrypt will use this to contact you about expiring
- # certificates, and issues related to your account.
- email: marchambault@badjware.dev
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- # Secret resource that will be used to store the account's private key.
- name: letsencrypt-cert
- solvers:
- - selector:
- dnsZones:
- - badjware.dev
- dns01:
- cnameStrategy: Follow
- digitalocean:
- tokenSecretRef:
- name: digitalocean-api-key
- key: access-token
\ No newline at end of file
diff --git a/kustomize/overlays/prod/cert-manager/kustomizeconfig.yaml b/kustomize/overlays/prod/cert-manager/kustomizeconfig.yaml
deleted file mode 100644
index e4c3acb..0000000
--- a/kustomize/overlays/prod/cert-manager/kustomizeconfig.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-nameReference:
- - version: v1
- kind: Secret
- fieldSpecs:
- - kind: ClusterIssuer
- path: spec/acme/solvers/dns01/digitalocean/tokenSecretRef/name
diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml
new file mode 100644
index 0000000..4c69e70
--- /dev/null
+++ b/kustomize/overlays/prod/kustomization.yaml
@@ -0,0 +1,40 @@
+# bases:
+# - ../../namespaces/kubernetes-dashboard
+# - ../../namespaces/gitea
+# - ../../namespaces/grafana
+# - ../../namespaces/monitoring
+
+# images:
+# - name: gitea/gitea
+# newtag: 1.15.0
+# - name: grafana
+# newtag: 8.1.2
+# - name: drone/drone
+# newtag: 2.0.6
+# - name: drone/drone-runner-kube
+# newtag: 1.0.0-beta.9
+
+# secretGenerator:
+# - name: drone-secret
+# type: Opaque
+# namespace: gitea
+# behavior: replace
+# literals:
+# - rpc_secret=9128146e66f104873df80dad3ef12cf0
+# # https://docs.drone.io/server/provider/gitea/
+# - name: drone-gitea-oauth-secret
+# type: Opaque
+# namespace: gitea
+# behavior: replace
+# literals:
+# - client_id=6c0c6878-baf1-4648-b0cf-69eeae69e692
+# - client_secret=Q78VsgyfgTzKrvQEmokEMj84g7epKrlBpmDjcbhKXCIh
+
+# # allow "kubectl apply -l managed-by=kustomize --prune ..."
+# commonlabels:
+# managed-by: kustomize
+
+# transformers:
+# - transformers/placeholders.yaml
+# # - transformers/ssm-secrets.yaml
+
diff --git a/kustomize/overlays/prod/placeholders.txt b/kustomize/overlays/prod/placeholders.txt
new file mode 100644
index 0000000..bf41747
--- /dev/null
+++ b/kustomize/overlays/prod/placeholders.txt
@@ -0,0 +1,7 @@
+GITEA_EXTERNAL_HOST=code.badjware.dev
+DRONE_EXTERNAL_HOST=drone.badjware.dev
+NEXTCLOUD_EXTERNAL_HOST=cloud.badjware.dev
+
+GRAFANA_EXTERNAL_HOST=grafana.badjnet.local
+KUBERNETES_DASHBOARD_EXTERNAL_HOST=kubernetes-dashboard.badjnet.local
+PROMETHEUS_EXTERNAL_HOST=prometheus.badjnet.local
diff --git a/kustomize/overlays/prod/transformers/placeholders.yaml b/kustomize/overlays/prod/transformers/placeholders.yaml
new file mode 100644
index 0000000..e3e18dd
--- /dev/null
+++ b/kustomize/overlays/prod/transformers/placeholders.yaml
@@ -0,0 +1,5 @@
+apiVersion: badjware/v1
+kind: PlaceholderTransformer
+metadata:
+ name: placeholders
+placeholdersFile: placeholders.txt
\ No newline at end of file
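Review bot: The commented-out `secretGenerator` block in kustomize/overlays/prod/kustomization.yaml carries literal values for `rpc_secret`, `client_id` and `client_secret`. Commenting them out does not keep them out of the repository history, and if the block is later uncommented as it stands, the production Drone RPC secret and Gitea OAuth credentials would be readable by anyone with access to the repo. If any of these values is or was in use (they may have been copied from the dev overlay, which is not visible here), rotate them and keep only the key names in the tracked file, e.g. `#       - rpc_secret=<placeholder, injected at deploy time>`. The real values could then come from the `transformers/ssm-secrets.yaml` transformer this commit moves into the prod overlay, or from an untracked env file. A secret-scanning check in CI would catch this kind of commit before it lands.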
diff --git a/kustomize/overlays/dev/transformers/ssm-secrets.yaml b/kustomize/overlays/prod/transformers/ssm-secrets.yaml
similarity index 100%
rename from kustomize/overlays/dev/transformers/ssm-secrets.yaml
rename to kustomize/overlays/prod/transformers/ssm-secrets.yaml