diff --git a/.gitignore b/.gitignore
index 533ca5b..9a4691a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@ helm/*.yaml
 !helm/*.yaml.template
 # Kubernetes manifests (no secrets) are safe to commit
 !helm/*-cluster.yaml
+!helm/*-networkpolicies.yaml
 
 # Kubeconfig
 *.kubeconfig
diff --git a/helm/gitea-db-networkpolicies.yaml b/helm/gitea-db-networkpolicies.yaml
new file mode 100644
index 0000000..0195230
--- /dev/null
+++ b/helm/gitea-db-networkpolicies.yaml
@@ -0,0 +1,43 @@
+# NetworkPolicies for gitea-db cnpg cluster
+# The databases namespace has a default-deny-all policy; each cluster needs
+# explicit egress-to-kube-api and ingress-from-cnpg-operator policies.
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-kube-api-gitea-db
+ namespace: databases
+spec:
+ podSelector:
+ matchLabels:
+ cnpg.io/cluster: gitea-db
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-from-cnpg-operator-gitea-db
+ namespace: databases
+spec:
+ podSelector:
+ matchLabels:
+ cnpg.io/cluster: gitea-db
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: cnpg-system
+ ports:
+ - port: 5432
+ protocol: TCP
+ - port: 8000
+ protocol: TCP
+ - port: 9187
+ protocol: TCP
diff --git a/helm/valkey-values.sops.yaml.template b/helm/valkey-values.sops.yaml.template
new file mode 100644
index 0000000..7a7eee2
--- /dev/null
+++ b/helm/valkey-values.sops.yaml.template
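Review bot: The egress rule in `allow-egress-kube-api-gitea-db` carries only `ports:` and no `to:` block, so under the namespace's default-deny it admits TCP/6443 to any destination rather than only the API server. Narrow it with a destination, e.g. `to:` / `- ipBlock:` / `cidr: <API_SERVER_ENDPOINT_IP>/32` (placeholder for the address listed on the `kubernetes` Endpoints object in `default`). If `gitea-db` is ever scaled beyond one instance, replicas talk to the primary on 5432 and 8000, and the ingress `from:` here (cnpg-system namespace only) would block that peer traffic; adding a `podSelector` for `cnpg.io/cluster: gitea-db` to the rule, with a matching egress rule, covers it. Nothing in this file admits the gitea application itself on 5432, so that presumably comes from a policy outside this diff — confirm it exists.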
@@ -0,0 +1,21 @@
+# Valkey standalone Helm values — S3 Platform Services
+# Encrypt before committing: sops -e -i helm/valkey-values.sops.yaml
+# Deploy: make valkey-deploy
+#
+# Gitea connection strings (update gitea-values.sops.yaml after deployment):
+# cache: redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/0
+# session: redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/1
+# queue: redis://:PASSWORD@valkey-master.platform.svc.cluster.local:6379/2
+auth:
+ enabled: true
+ password: REPLACE_WITH_PASSWORD # encrypt with SOPS
+
+architecture: standalone # single node; upgrade to replication when RAM allows
+
+master:
+ persistence:
+ enabled: true
+ size: 2Gi
+
+replica:
+ replicaCount: 0 # standalone mode — no replicas
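Review bot: `auth.password: REPLACE_WITH_PASSWORD` makes the Valkey credential part of the values file, so the header's `sops -e -i` step is the only thing keeping this password out of plain-text git history; if this is the Bitnami valkey chart (the `architecture`/`master`/`replica` layout suggests it), `auth.existingSecret` with `auth.existingSecretPasswordKey` references a Kubernetes Secret instead and keeps the credential out of the values file altogether. Either approach works, but the header should say which is intended and that the encrypted copy, not this template, is the deploy input. `replica.replicaCount: 0` is a no-op while `architecture: standalone`, since that chart ignores the `replica` section in standalone mode; keep it only if the trailing comment is meant as documentation. The connection-string comments hardcode `valkey-master.platform.svc.cluster.local`, a name derived from the Helm release name and namespace, so state that assumption, e.g. `# assumes release "valkey" in namespace "platform"`.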