diff --git a/headscale/webui/deployment.yaml b/headscale/webui/deployment.yaml
new file mode 100644
index 0000000..45d8550
--- /dev/null
+++ b/headscale/webui/deployment.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headscale-webui
+spec:
+  selector:
+    matchLabels:
+      app: headscale-webui
+  template:
+    metadata:
+      labels:
+        app: headscale-webui
+    spec:
+      volumes:
+        - name: headscale-webui
+          persistentVolumeClaim:
+            claimName: headscale-webui
+        - name: headscale-config
+          configMap:
+            name: headscale-8mfb922bbb
+      containers:
+      - name: headscale-webui
+        image: headscale-webui
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "200m"
+          requests:
+            memory: "32Mi"
+            cpu: "10m"
+        ports:
+        - containerPort: 5000
+        env:
+        - name: TZ
+          value: Asia/Shanghai
+        envFrom:
+        - configMapRef:
+            name: headscale-webui
+        - secretRef:
+            name: headscale-webui
+        volumeMounts:
+          - mountPath: /data
+            name: headscale-webui
+          - mountPath: /etc/headscale
+            name: headscale-config
+        
diff --git a/headscale/webui/ingress.yaml b/headscale/webui/ingress.yaml
new file mode 100644
index 0000000..2bc3542
--- /dev/null
+++ b/headscale/webui/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: headscale-webui
+  labels:
+    name: headscale-webui
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: 'true'
+    traefik.ingress.kubernetes.io/router.tls.certresolver: default
+    traefik.ingress.kubernetes.io/router.tls.domains.0.main: wetofu.me
+    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: '*.wetofu.me'
+spec:
+  rules:
+  - host: hs.wetofu.me
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/admin"
+        backend:
+          service:
+            name: headscale-webui
+            port: 
+              number: 5000
diff --git a/headscale/webui/kustomization.yaml b/headscale/webui/kustomization.yaml
new file mode 100644
index 0000000..528b75d
--- /dev/null
+++ b/headscale/webui/kustomization.yaml
@@ -0,0 +1,26 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - pvc.yaml
+  - service.yaml
+  - ingress.yaml
+configMapGenerator:
+  - name: headscale-webui
+    files:
+    - config/BASIC_AUTH_USER
+    - config/DOMAIN_NAME
+    - config/AUTH_TYPE
+    - config/SCRIPT_NAME
+    - config/HS_SERVER
+secretGenerator:
+  - name: headscale-webui
+    files:
+    - config/KEY
+    - config/BASIC_AUTH_PASS
+images:
+  - name: headscale-webui
+    newName: ghcr.io/ifargle/headscale-webui
+    newTag: v0.6.2
\ No newline at end of file
diff --git a/headscale/webui/pvc.yaml b/headscale/webui/pvc.yaml
new file mode 100644
index 0000000..f5e12ff
--- /dev/null
+++ b/headscale/webui/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: headscale-webui
+spec:
+  resources:
+    requests:
+      storage: 5Gi
+  volumeMode: Filesystem
+  storageClassName: local-path
+  accessModes:
+    - ReadWriteOnce
diff --git a/headscale/webui/service.yaml b/headscale/webui/service.yaml
new file mode 100644
index 0000000..8b2218d
--- /dev/null
+++ b/headscale/webui/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale-webui
+spec:
+  selector:
+    app: headscale-webui
+  ports:
+  - port: 5000
+    targetPort: 5000