diff --git a/clusters/cl01tl/services/talos/Chart.yaml b/clusters/cl01tl/services/talos/Chart.yaml
index a9cae1b14..7ab846343 100644
--- a/clusters/cl01tl/services/talos/Chart.yaml
+++ b/clusters/cl01tl/services/talos/Chart.yaml
@@ -18,5 +18,9 @@ dependencies:
 alias: etcd-backup
 repository: https://bjw-s-labs.github.io/helm-charts/
 version: 4.2.0
+ - name: app-template
+ alias: etcd-defrag
+ repository: https://bjw-s-labs.github.io/helm-charts/
+ version: 4.2.0
 icon: https://avatars.githubusercontent.com/u/13804887?s=200&v=4
 appVersion: v0.1.0-beta.3
diff --git a/clusters/cl01tl/services/talos/templates/external-secret.yaml b/clusters/cl01tl/services/talos/templates/external-secret.yaml
index 7d725d1c6..15d7c19f5 100644
--- a/clusters/cl01tl/services/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/external-secret.yaml
@@ -49,3 +49,28 @@ spec:
 key: /cl01tl/talos/etcd-backup
 metadataPolicy: None
 property: AGE_X25519_PUBLIC_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: talos-etcd-defrag-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: talos-etcd-defrag-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ annotations:
+ kubernetes.io/service-account.name: talos-defrag-secrets
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: config
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/talos/etcd-defrag
+ metadataPolicy: None
+ property: config
diff --git a/clusters/cl01tl/services/talos/values.yaml b/clusters/cl01tl/services/talos/values.yaml
index f5c956384..de293c2d3 100644
--- a/clusters/cl01tl/services/talos/values.yaml
+++ b/clusters/cl01tl/services/talos/values.yaml
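Review bot: The `kubernetes.io/service-account.name: talos-defrag-secrets` annotation on the new ExternalSecret in templates/external-secret.yaml looks like a leftover. Kubernetes acts on that annotation only for Secrets of type `kubernetes.io/service-account-token`, and nothing visible in this diff defines a service account of that name, so either drop it or add a comment naming what consumes it. Judging by where values.yaml mounts it, the `config` property read from `/cl01tl/talos/etcd-defrag` is a talosconfig, i.e. a client credential for the Talos API. A comment above `data:` such as `# talosconfig issued for the defrag job only: restricted role, own expiry, not a copy of the admin config` would record the intended scope, which the manifest itself cannot show.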
@@ -142,3 +142,63 @@ etcd-backup:
 readOnly: true
 mountPropagation: None
 subPath: .s3cfg
+etcd-defrag:
+ controllers:
+ main:
+ type: cronjob
+ pod:
+ nodeSelector:
+ node-role.kubernetes.io/control-plane: ""
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ cronjob:
+ suspend: false
+ concurrencyPolicy: Forbid
+ timeZone: US/Central
+ schedule: "0 0 * * 0"
+ startingDeadlineSeconds: 90
+ successfulJobsHistory: 3
+ failedJobsHistory: 3
+ backoffLimit: 3
+ parallelism: 1
+ containers:
+ main:
+ image:
+ repository: ghcr.io/siderolabs/talosctl
+ tag: v1.10.4
+ pullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -ec
+ - |
+ talosctl -n 10.232.1.11 etcd defrag;
+ talosctl -n 10.232.1.12 etcd defrag;
+ talosctl -n 10.232.1.13 etcd defrag;
+ workingDir: /tmp
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ persistence:
+ tmp:
+ type: emptyDir
+ medium: Memory
+ advancedMounts:
+ main:
+ main:
+ - path: /tmp
+ readOnly: false
+ secret:
+ enabled: true
+ type: secret
+ name: talos-etcd-defrag-secret
+ advancedMounts:
+ main:
+ main:
+ - path: ~/.talos/config
+ readOnly: true
+ mountPropagation: None
+ subPath: config
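Review bot: The secret mount `path: ~/.talos/config` under `persistence.secret.advancedMounts` will not end up in the container user's home, because Kubernetes takes a mount path literally and never expands `~`, so talosctl is unlikely to find its credentials there. Mount the file at an absolute path and point the client at it explicitly, for example `path: /talos/config` (constructed example path) together with an `env:` entry `TALOSCONFIG: /talos/config` on the `main` container. Separately, this pod carries a Talos API credential onto control-plane nodes, yet the container sets no `securityContext` (non-root user, read-only root filesystem, dropped capabilities). The image is also referenced by tag only (`tag: v1.10.4`); pinning it by digest would keep a re-pushed tag from receiving the mounted credential.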