diff --git a/cluster/apps/home/emqx/helm-release.yaml b/cluster/apps/home/emqx/helm-release.yaml
new file mode 100644
index 000000000..702e0df0c
--- /dev/null
+++ b/cluster/apps/home/emqx/helm-release.yaml
@@ -0,0 +1,97 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: emqx
+ namespace: home
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://repos.emqx.io/charts
+ chart: emqx
+ version: 4.3.5
+ sourceRef:
+ kind: HelmRepository
+ name: emqx-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ replicaCount: 3
+ recreatePods: true
+ service:
+ annotations:
+ prometheus.io/probe: "true"
+ prometheus.io/protocol: tcp
+ type: LoadBalancer
+ loadBalancerIP: ${CLUSTER_LB_EMQX}
+ externalTrafficPolicy: Local
+ ingress:
+ dashboard:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ path: /
+ hosts:
+ - emqx.${SECRET_CLUSTER_DOMAIN}
+ tls:
+ - hosts:
+ - emqx.${SECRET_CLUSTER_DOMAIN}
+ emqxConfig:
+ EMQX_ALLOW_ANONYMOUS: "false"
+ EMQX_ADMIN_PASSWORD: "${SECRET_EMQX_ADMIN_PASSWORD}"
+ EMQX_AUTH__MNESIA__PASSWORD_HASH: plain
+ EMQX_AUTH__USER__1__USERNAME: "${SECRET_MQTT_USERNAME}"
+ EMQX_AUTH__USER__1__PASSWORD: "${SECRET_MQTT_PASSWORD}"
+ emqxAclConfig: >
+ {allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.
+ {allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.
+ {allow, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+ {allow, all}.
+ emqxLoadedPlugins: >
+ {emqx_management, true}.
+ {emqx_recon, true}.
+ {emqx_retainer, true}.
+ {emqx_dashboard, true}.
+ {emqx_telemetry, false}.
+ {emqx_rule_engine, true}.
+ {emqx_bridge_mqtt, false}.
+ {emqx_auth_mnesia, true}.
+ {emqx_prometheus, true}.
+ emqxLoadedModules: >
+ {emqx_mod_presence, true}.
+ {emqx_mod_delayed, false}.
+ {emqx_mod_rewrite, false}.
+ {emqx_mod_subscription, false}.
+ {emqx_mod_topic_metrics, true}.
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - emqx
+ topologyKey: kubernetes.io/hostname
+ resources:
+ requests:
+ cpu: 100m
+ memory: 150Mi
+ limits:
+ memory: 512Mi
+ postRenderers:
+ - kustomize:
+ patchesJson6902:
+ - target:
+ kind: Service
+ name: emqx
+ patch:
+ - op: remove
+ path: /spec/loadBalancerIP
+ - op: add
+ path: /spec/externalIPs
+ value:
+ - "${CLUSTER_LB_EMQX}"
diff --git a/cluster/apps/home/emqx/kustomization.yaml b/cluster/apps/home/emqx/kustomization.yaml
new file mode 100644
index 000000000..34a8531ce
--- /dev/null
+++ b/cluster/apps/home/emqx/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-release.yaml
diff --git a/cluster/apps/home/kustomization.yaml b/cluster/apps/home/kustomization.yaml
index 915585525..ba12f4fb0 100644
--- a/cluster/apps/home/kustomization.yaml
+++ b/cluster/apps/home/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - emqx
 - esphome
 - frigate
 - home-assistant
diff --git a/cluster/base-custom/charts/emxq-charts.yaml b/cluster/base-custom/charts/emxq-charts.yaml
new file mode 100644
index 000000000..74feb1df2
--- /dev/null
+++ b/cluster/base-custom/charts/emxq-charts.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: emqx-charts
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: https://repos.emqx.io/charts
+ timeout: 3m
diff --git a/cluster/base-custom/charts/kustomization.yaml b/cluster/base-custom/charts/kustomization.yaml
index 05a6fdb8e..829b8b5d8 100644
--- a/cluster/base-custom/charts/kustomization.yaml
+++ b/cluster/base-custom/charts/kustomization.yaml
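Review bot: The `emqxAclConfig` block lets every client subscribe to `$SYS/#` and to the bare `#` wildcard and then falls through to `{allow, all}.`, so the ACL restricts nothing for an authenticated client; the third rule should read `{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.`, with any per-user topic rules placed before the final allow. `EMQX_AUTH__MNESIA__PASSWORD_HASH: plain` keeps the MQTT credentials unhashed in the broker's database, and `EMQX_AUTH__MNESIA__PASSWORD_HASH: sha256` avoids that. The three `${SECRET_…}` values are substituted straight into `spec.values`, so they end up readable in the HelmRelease object itself and, depending on how the chart renders `emqxConfig`, possibly in a ConfigMap; supplying them through `spec.valuesFrom` with a Secret would keep them out of the object. Because the Service is `type: LoadBalancer`, it is also worth checking which listener ports the chart publishes on `${CLUSTER_LB_EMQX}` and, after the first deploy, that the dashboard no longer accepts its default admin password.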
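Review bot: The new file is named `emxq-charts.yaml`, while the HelmRepository inside it (`name: emqx-charts`) and every other reference in the commit spell the name `emqx`. The entry added to `cluster/base-custom/charts/kustomization.yaml` repeats the misspelt file name, so the build resolves, but a later search for `emqx` will miss this file. Renaming it to `emqx-charts.yaml` and changing the `resources` entry to `- emqx-charts.yaml` fixes both places.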
@@ -6,6 +6,7 @@ resources:
 - cert-manager-webhook-ovh.yaml
 - coredns-charts.yaml
 - drone-charts.yaml
+ - emxq-charts.yaml
 - gitea-charts.yaml
 - grafana-loki-charts.yaml
 - influxdata-charts.yaml
diff --git a/cluster/base-custom/secrets/cluster-secrets.yaml b/cluster/base-custom/secrets/cluster-secrets.yaml
index 7e2042822..753cdf339 100644
--- a/cluster/base-custom/secrets/cluster-secrets.yaml
+++ b/cluster/base-custom/secrets/cluster-secrets.yaml
@@ -36,6 +36,7 @@ stringData:
 SECRET_DRONE_PLUGIN_TOKEN: ENC[AES256_GCM,data:5zirGXl7kqJeaqnK9GcWysmvasRmZYaXJSNeQA==,iv:m6jYVsLePa3tqTz1HgPQ3JbzoNiByxWSUnJLyeg6c0s=,tag:mwzpMtUcpFXn8OB1k3z8Kg==,type:str]
 SECRET_DRONE_RPC_SECRET: ENC[AES256_GCM,data:H0kp40OESjjO4rCns9OGnduNDwdfYFsFzZPMyFvhD0I=,iv:5wCmFMhmvXSa7x4B3M4ZbRFfTLpHOCmIgQnLMnUv7fA=,tag:R6ZvlSQWSbqu2/fIzNK+Xg==,type:str]
 SECRET_DOCKER_REGISTRY_HTPASSWD: ENC[AES256_GCM,data:2MyR0U0yFEkKDpcZMyqHPACP0eS7GlahQdvnRgHqYegVA8+ig6MZmDkNOGzOsrBNZAXdMr3q7UaAS9Cd/ycrpVLRHS8=,iv:9jakifhzX3YFKpISzRgL92lPPqSlfBcaibelHhds2L8=,tag:8m2j1qX94B1QnOaCyvbEIA==,type:str]
+ SECRET_EMQX_ADMIN_PASSWORD: ENC[AES256_GCM,data:i8G1/VWwAn7Tlr7Od5+XWshZtqOUM+wS,iv:WJjRXhxhTWB1g6eQHwo5uwz6ZTC/ARWWL5BAaceZow4=,tag:0wSUDjVgvhmkfV/AH2kdmQ==,type:str]
 SECRET_GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:KBAcyGqLv2E+gxQXouY28KIW8zFM,iv:MWNo0rbnNlJIbzFwzb7ErnLy1SmXvXcdRTVHykNfvtM=,tag:Sy4KRJhKnbXiKlbPuWm2VA==,type:str]
 SECRET_GITEA_ADMIN_PASSWORD: ENC[AES256_GCM,data:rfFObpWDIcJ4ljgqdMU=,iv:v+AZElA3alqCt1nAbRvyYnHWNL5ifo/kMa0n27kfpNM=,tag:cZOWMNAE+Z6fQm+LZWSKdw==,type:str]
 SECRET_GITEA_DB_PASSWORD: ENC[AES256_GCM,data:4/nWusn3aDGe+crwvXI=,iv:a2562BD27lO3RhMHMGRACg8zZFnLHBWt1SoUQkOUGbw=,tag:hUhwuPWlyMzKQfQqfaO82Q==,type:str]
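Review bot: Only `SECRET_EMQX_ADMIN_PASSWORD` is added to `stringData` here, while the new HelmRelease also substitutes `${SECRET_MQTT_USERNAME}` and `${SECRET_MQTT_PASSWORD}`. The hunk shows only a few lines of the secret, so both may already be defined elsewhere in the file, but that is worth confirming before merge. If either is missing, Flux's post-build substitution would, as far as I know, render it as an empty string by default rather than fail, which would leave the broker's first user with an empty name or password.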
@@ -86,8 +87,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-05-18T15:10:47Z"
- mac: ENC[AES256_GCM,data:tgpaewqm1V57anSffLFXcSxSpijea+sUxXMnEI/hGo9wGUvEl7oun6UwCjRXXThW/HeNt09a5QQQcz39FEPc0eqb8LtPscBE7c00zg+sdBXpA1SnLz6vA9DQRkw5CtjuryoeB7VwdvhRaVI4lRZtsEEO6tb5czaRfDLt6U6Uxy8=,iv:KXnz9aLx2FiyGVF79OEYoSRJdVi7Xhk0haUzgkKZs3I=,tag:L4Z5CMm+IsK3bp5pbNVdFw==,type:str]
+ lastmodified: "2021-07-15T21:50:02Z"
+ mac: ENC[AES256_GCM,data:Hs5KbzdHYJcGlXbJqJ2XPfXMv+8Mi7VwlAlz49v265iedygywehp+6SEV0W2ZcD3ShjQjw0Ibp3YvJXx8uzSopedjzramfIBfqRw0fogjVy4mUBOqa6qUd8WWSjPOUZS1nTcOQ/swEBt28a7h1JK6A+f2Om3ZlKRKg7msli2Afk=,iv:Wn68zrKFcOpYwUUuDPrHnNSTaib/wPsiK7Xxn0XiISs=,tag:7MmQa9RQcnSmfX/UHJppZQ==,type:str]
 pgp:
 - created_at: "2021-04-19T23:03:06Z"
 enc: |
diff --git a/cluster/base-custom/settings/cluster-settings.yaml b/cluster/base-custom/settings/cluster-settings.yaml
index fdcf52fd7..71368da78 100644
--- a/cluster/base-custom/settings/cluster-settings.yaml
+++ b/cluster/base-custom/settings/cluster-settings.yaml
@@ -14,5 +14,6 @@ data:
 CLUSTER_LB_RESILIOSYNC: 192.168.169.106
 CLUSTER_LB_VERNEMQ: 192.168.169.107
 CLUSTER_LB_LOKI_SYSLOG: 192.168.169.108
+ CLUSTER_LB_EMQX: 192.168.169.109
 CLUSTER_LB_TDARR: 192.168.169.110
 LOCAL_LAN: 192.168.8.0/22