diff --git a/dch-webhooks/.gitignore b/dch-webhooks/.gitignore
new file mode 100644
index 0000000..4fdc34d
--- /dev/null
+++ b/dch-webhooks/.gitignore
@@ -0,0 +1,2 @@
+paperless.token
+firefly.token
diff --git a/dch-webhooks/dch-webhooks.yaml b/dch-webhooks/dch-webhooks.yaml
new file mode 100644
index 0000000..0041f29
--- /dev/null
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -0,0 +1,91 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/instance: dch-webhooks
+    app.kubernetes.io/part-of: dch-webhooks
+  name: dch-webhooks
+spec:
+  ports:
+  - name: http
+    port: 8000
+  selector:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/instance: dch-webhooks
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dch-webhooks
+  labels:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/instance: dch-webhooks
+    app.kubernetes.io/part-of: dch-webhooks
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dch-webhooks
+      app.kubernetes.io/component: dch-webhooks
+      app.kubernetes.io/instance: dch-webhooks
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: dch-webhooks
+        app.kubernetes.io/component: dch-webhooks
+        app.kubernetes.io/instance: dch-webhooks
+    spec:
+      containers:
+      - name: dch-webhooks
+        image: git.pyrocufflink.net/containerimages/dch-webhooks
+        env:
+        - name: FIREFLY_URL
+          value: http://firefly-iii.firefly-iii.svc.cluster.local:8080
+        - name: FIREFLY_AUTH_TOKEN
+          value: /run/secrets/du5t1n.me/firefly/firefly.token
+        - name: PAPERLESS_URL
+          value: http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
+        - name: PAPERLESS_AUTH_TOKEN
+          value: /run/secrets/du5t1n.me/paperless/paperless.token
+        - name: UVICORN_HOST
+          value: 0.0.0.0
+        - name: UVICORN_LOG_LEVEL
+          value: debug
+        ports:
+        - name: http
+          containerPort: 8000
+        startupProbe: &probe
+          httpGet:
+            path: /
+            port: 8000
+          periodSeconds: 1
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 10
+        readinessProbe:
+          <<: *probe
+          periodSeconds: 60
+          failureThreshold: 2
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/secrets/du5t1n.me/firefly
+          name: firefly-token
+        - mountPath: /run/secrets/du5t1n.me/paperless
+          name: paperless-token
+      securityContext:
+        runAsNonRoot: true
+      volumes:
+      - name: firefly-token
+        secret:
+          secretName: firefly-token
+          optional: true
+      - name: paperless-token
+        secret:
+          secretName: paperless-token
+          optional: true
diff --git a/dch-webhooks/kustomization.yaml b/dch-webhooks/kustomization.yaml
new file mode 100644
index 0000000..a6765ba
--- /dev/null
+++ b/dch-webhooks/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- dch-webhooks.yaml
+
+secretGenerator:
+- name: firefly-token
+  files:
+  - firefly.token
+
+- name: paperless-token
+  files:
+  - paperless.token