diff --git a/.env.example b/.env.example
index b478059..3e1a759 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,6 @@
 # Porkbun API credentials
 PORKBUN_API_KEY=pk1_your_key_here
-PORKBUN_SECRET_API_KEY=sk1_your_key_here
\ No newline at end of file
+PORKBUN_SECRET_API_KEY=sk1_your_key_here
+
+# K3s node token for agent join
+K3S_NODE_TOKEN=your_token_here
\ No newline at end of file
diff --git a/ansible/playbooks/join-debian-agent.yaml b/ansible/playbooks/join-debian-agent.yaml
new file mode 100644
index 0000000..4f5e586
--- /dev/null
+++ b/ansible/playbooks/join-debian-agent.yaml
@@ -0,0 +1,15 @@
+---
+# Run: ansible-playbook ansible/playbooks/join-debian-agent.yaml -K -e "k3s_node_token=$K3S_NODE_TOKEN"
+# Requires: K3S_NODE_TOKEN in .env
+#
+# What this does:
+# - Joins Debian as a K3s agent node
+# - Labels it as node-role=storage
+
+- name: Join Debian as K3s agent
+ hosts: debian
+ become: true
+ gather_facts: true
+
+ roles:
+ - k3s-agent
\ No newline at end of file
diff --git a/ansible/roles/k3s-agent/defaults/main.yaml b/ansible/roles/k3s-agent/defaults/main.yaml
new file mode 100644
index 0000000..e367fe5
--- /dev/null
+++ b/ansible/roles/k3s-agent/defaults/main.yaml
@@ -0,0 +1,4 @@
+---
+k3s_version: v1.32.2+k3s1
+k3s_server_url: https://192.168.7.77:6443
+k3s_node_token: "" # pass via -e or vault
\ No newline at end of file
diff --git a/ansible/roles/k3s-agent/tasks/main.yaml b/ansible/roles/k3s-agent/tasks/main.yaml
new file mode 100644
index 0000000..7fb3557
--- /dev/null
+++ b/ansible/roles/k3s-agent/tasks/main.yaml
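Review bot: The documented invocation in the header comment of ansible/playbooks/join-debian-agent.yaml passes the join token as `-e "k3s_node_token=$K3S_NODE_TOKEN"`, which places the expanded secret on the ansible-playbook command line, where it is readable from the process list for the duration of the run. Reading it inside the play keeps it off argv, for example a play-level `vars:` entry `k3s_node_token: "{{ lookup('env', 'K3S_NODE_TOKEN') }}"`, or an Ansible Vault variable as the role defaults already hint. The comment also says the token lives in `.env`, but nothing visible in this diff loads that file into the shell, so the Run line should state how the variable gets exported.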
@@ -0,0 +1,26 @@
+---
+- name: Download and install K3s agent
+ ansible.builtin.shell:
+ cmd: >
+ curl -sfL https://get.k3s.io |
+ INSTALL_K3S_VERSION={{ k3s_version }}
+ K3S_URL={{ k3s_server_url }}
+ K3S_TOKEN={{ k3s_node_token }}
+ sh -
+ creates: /usr/local/bin/k3s
+
+- name: Ensure K3s agent service is running
+ ansible.builtin.service:
+ name: k3s-agent
+ state: started
+ enabled: true
+ become: true
+
+- name: Label node as storage
+ ansible.builtin.shell:
+ cmd: >
+ k3s kubectl label node nik-debian
+ node-role=storage --overwrite
+ delegate_to: minisforum
+ become: true
+ changed_when: false
\ No newline at end of file
diff --git a/manifests/jdownloader.yaml b/manifests/jdownloader.yaml
new file mode 100644
index 0000000..b2c69dd
--- /dev/null
+++ b/manifests/jdownloader.yaml
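Review bot: The install task in ansible/roles/k3s-agent/tasks/main.yaml renders `K3S_TOKEN={{ k3s_node_token }}` directly into the shell command and sets no `no_log: true`, so the join token is part of the command string that Ansible reports on failure or at higher verbosity, and the unquoted template values are subject to shell word-splitting. Passing the three settings through `environment:` with quoted values and marking the task `no_log: true` keeps the secret out of the command text and the logs. The role default for the token is the empty string, so a forgotten `-e` still runs the installer; an `ansible.builtin.assert` ahead of the task catches that. Without `pipefail` a failed `curl` leaves `sh -` reading empty input and exiting 0, so the task can report success with nothing installed. The label task hard-codes `nik-debian` although the play targets the `debian` host group, which is worth a variable or a comment.

```yaml
- name: Assert a join token was supplied
  ansible.builtin.assert:
    that: k3s_node_token | length > 0
    fail_msg: k3s_node_token is empty
  no_log: true

- name: Download and install K3s agent
  ansible.builtin.shell:
    cmd: curl -sfL https://get.k3s.io | sh -
    creates: /usr/local/bin/k3s
  environment:
    INSTALL_K3S_VERSION: "{{ k3s_version }}"
    K3S_URL: "{{ k3s_server_url }}"
    K3S_TOKEN: "{{ k3s_node_token }}"
  no_log: true

# … unchanged: service start and node label tasks …
```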
@@ -0,0 +1,85 @@
+# JDownloader + jd-bridge
+# Apply: kubectl apply -f manifests/jdownloader.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jdownloader
+ namespace: downloads
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: jdownloader
+ template:
+ metadata:
+ labels:
+ app: jdownloader
+ spec:
+ nodeSelector:
+ node-role: storage
+ containers:
+ - name: jdownloader
+ image: jlesage/jdownloader-2:latest
+ ports:
+ - containerPort: 5800
+ env:
+ - name: USER_ID
+ value: "1000"
+ - name: GROUP_ID
+ value: "1000"
+ - name: TZ
+ value: "Asia/Tokyo"
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ - name: dl
+ mountPath: /output
+ volumes:
+ - name: config
+ hostPath:
+ path: /data/jdownloader
+ type: DirectoryOrCreate
+ - name: dl
+ hostPath:
+ path: /mnt/storage/dl
+ type: Directory
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jdownloader
+ namespace: downloads
+spec:
+ selector:
+ app: jdownloader
+ ports:
+ - name: web
+ port: 80
+ targetPort: 5800
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: jdownloader
+ namespace: downloads
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: internal-ca-issuer
+spec:
+ ingressClassName: traefik
+ tls:
+ - secretName: jdownloader-tls
+ hosts:
+ - jdownloader.home.arpa
+ rules:
+ - host: jdownloader.home.arpa
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: jdownloader
+ port:
+ number: 80
\ No newline at end of file
diff --git a/manifests/qbittorrent.yaml b/manifests/qbittorrent.yaml
new file mode 100644
index 0000000..27da5a5
--- /dev/null
+++ b/manifests/qbittorrent.yaml
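Review bot: The container image in manifests/jdownloader.yaml is referenced as `jlesage/jdownloader-2:latest`, a mutable tag, so a pod restart can pull different code onto a node where it mounts the hostPath directories `/data/jdownloader` and `/mnt/storage/dl`; the same applies to `lscr.io/linuxserver/qbittorrent:latest` in manifests/qbittorrent.yaml. Pin both to a specific release, ideally by digest, e.g. `image: jlesage/jdownloader-2:<RELEASE_TAG>@sha256:<DIGEST>` (placeholders to be filled from the registry). Separately, this file uses `namespace: downloads` while the Namespace object is only created in manifests/qbittorrent.yaml, so the Apply comment should state that ordering. The header also mentions jd-bridge although no jd-bridge resource appears in the file.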
@@ -0,0 +1,105 @@
+# qBittorrent
+# Apply: kubectl apply -f manifests/qbittorrent.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: downloads
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: qbittorrent-config
+ namespace: downloads
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: qbittorrent
+ namespace: downloads
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: qbittorrent
+ template:
+ metadata:
+ labels:
+ app: qbittorrent
+ spec:
+ nodeSelector:
+ node-role: storage
+ containers:
+ - name: qbittorrent
+ image: lscr.io/linuxserver/qbittorrent:latest
+ ports:
+ - containerPort: 8080
+ env:
+ - name: PUID
+ value: "1000"
+ - name: PGID
+ value: "1000"
+ - name: TZ
+ value: "Asia/Tokyo"
+ - name: WEBUI_PORT
+ value: "8080"
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ - name: torrents
+ mountPath: /torrents
+ volumes:
+ - name: config
+ persistentVolumeClaim:
+ claimName: qbittorrent-config
+ - name: torrents
+ hostPath:
+ path: /mnt/storage/torrents
+ type: Directory
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: qbittorrent
+ namespace: downloads
+spec:
+ selector:
+ app: qbittorrent
+ ports:
+ - port: 80
+ targetPort: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: qbittorrent
+ namespace: downloads
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: internal-ca-issuer
+spec:
+ ingressClassName: traefik
+ tls:
+ - secretName: qbittorrent-tls
+ hosts:
+ - qbittorrent.home.arpa
+ rules:
+ - host: qbittorrent.home.arpa
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: qbittorrent
+ port:
+ number: 80
\ No newline at end of file
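Review bot: The qbittorrent container in manifests/qbittorrent.yaml declares no `securityContext` and no `resources` block while it mounts the node path `/mnt/storage/torrents` and, as a torrent client, presumably handles data from arbitrary peers; the jdownloader Deployment has the same gap. Consider adding a container-level `securityContext:` with `allowPrivilegeEscalation: false` plus memory and CPU limits, after confirming the image's init still starts under that setting. The `helm.sh/resource-policy: keep` annotation on the PVC is only interpreted by Helm, so with the documented `kubectl apply` workflow it does not protect the claim from deletion; drop it or add a comment such as `# informational only: not honoured by kubectl apply`. The Service port is also unnamed here, whereas the jdownloader Service uses `name: web`.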
diff --git a/values/pihole.yaml b/values/pihole.yaml
index 6656112..ffe4ea0 100644
--- a/values/pihole.yaml
+++ b/values/pihole.yaml
@@ -74,4 +74,6 @@ dnsmasq:
 - address=/home.arpa/192.168.7.77
 - address=/nik4nao.home.arpa/192.168.7.183
 - address=/dashy.home.arpa/192.168.7.77
- - address=/jellyfin.home.arpa/192.168.7.77
\ No newline at end of file
+ - address=/jellyfin.home.arpa/192.168.7.77
+ - address=/qbittorrent.home.arpa/192.168.7.77
+ - address=/jdownloader.home.arpa/192.168.7.77
\ No newline at end of file