diff --git a/app-files/apps.yaml b/app-files/apps.yaml
index 722a8aa..22d1836 100644
--- a/app-files/apps.yaml
+++ b/app-files/apps.yaml
@@ -16,7 +16,6 @@ spec:
syncPolicy:
automated:
prune: false
- selfHeal: true
---
#apiVersion: argoproj.io/v1alpha1
#kind: Application
@@ -51,6 +50,41 @@ spec:
---
apiVersion: argoproj.io/v1alpha1
kind: Application
+metadata:
+ name: aaron-drone-runner
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - chart: drone-runner-kube
+ repoURL: https://charts.drone.io
+ targetRevision: 0.1.10
+ helm:
+ releaseName: drone-runner
+ values: |
+ extraSecretNamesForEnvFrom:
+ - drone-secrets
+ rbac:
+ buildNamespaces:
+ - aaron-drone
+ env:
+ DRONE_RPC_HOST: drone.ar21.de
+ DRONE_RPC_PROTO: https
+ DRONE_NAMESPACE_DEFAULT: drone
+ - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+ targetRevision: HEAD
+ path: drone
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: aaron-drone
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
metadata:
name: aaron-hoylogo
namespace: argocd
@@ -68,7 +102,6 @@ spec:
- CreateNamespace=true
automated:
prune: true
- selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@@ -89,7 +122,6 @@ spec:
- CreateNamespace=true
automated:
prune: true
- selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@@ -110,7 +142,6 @@ spec:
- CreateNamespace=true
automated:
prune: true
- selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@@ -122,7 +153,7 @@ spec:
sources:
- chart: cloudnative-pg
repoURL: https://cloudnative-pg.io/charts
- targetRevision: 0.24.0
+ targetRevision: 0.23.0
helm:
releaseName: cloudnative-pg
destination:
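Review bot: Dropping `selfHeal: true` in the hunk at -16 (and likewise at -68, -89, -110 and -131) means Argo CD no longer reverts out-of-band edits to the live resources, so a manually changed Deployment, RoleBinding or Secret in these namespaces now persists until the next commit touches the Application. If the intent is to stop a sync loop on one particular resource, `ignoreDifferences` on that resource keeps drift correction for everything else. Either way, a short comment on the `automated:` stanza such as `# selfHeal disabled: <reason>` would stop the next reader from simply re-enabling it.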
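Review bot: In the new aaron-drone-runner values, `DRONE_NAMESPACE_DEFAULT: drone` does not match `rbac.buildNamespaces: [aaron-drone]` or the Application's destination namespace `aaron-drone`; if the chart's `buildNamespaces` scopes the runner's Role to those namespaces, as its name suggests, pipeline pods will default to a namespace the runner has no RBAC for. `DRONE_NAMESPACE_DEFAULT: aaron-drone` keeps build pods inside the one namespace the Role covers and the secret generator populates. The git source's `targetRevision: HEAD` also means the `drone/` kustomization follows whatever is on the default branch; naming the branch explicitly makes the deployed revision reviewable.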
@@ -131,7 +162,36 @@ spec:
syncPolicy:
syncOptions:
- CreateNamespace=true
- - ServerSideApply=true
automated:
- prune: true
- selfHeal: true
+ prune: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: aaron-openproject
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - repoURL: https://charts.openproject.org
+ chart: openproject
+ targetRevision: 9.6.0
+ helm:
+ releaseName: openproject
+ valueFiles:
+ - $values/openproject/values.yaml
+ - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+ targetRevision: HEAD
+ ref: values
+ - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+ targetRevision: HEAD
+ path: openproject
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: aaron-openproject
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ selfHeal: false
+ prune: false
diff --git a/drone/kustomization.yaml b/drone/kustomization.yaml
new file mode 100644
index 0000000..d840c3c
--- /dev/null
+++ b/drone/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+ - ./secret-generator.yaml
diff --git a/drone/secret-generator.yaml b/drone/secret-generator.yaml
new file mode 100644
index 0000000..7f9b73e
--- /dev/null
+++ b/drone/secret-generator.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./secret.yaml
diff --git a/drone/secret.yaml b/drone/secret.yaml
new file mode 100644
index 0000000..5aa2a4c
--- /dev/null
+++ b/drone/secret.yaml
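Review bot: Removing `ServerSideApply=true` from the cloudnative-pg Application, together with the chart downgrade to 0.23.0 in the hunk at -122, is not explained anywhere in the diff; the operator's CRDs are large enough that client-side apply can fail on the `kubectl.kubernetes.io/last-applied-configuration` annotation size limit, which is the usual reason that option is set, so this may reintroduce a sync error. If the downgrade is a rollback of a broken upgrade, a comment such as `# pinned to 0.23.0: <reason>; re-enable ServerSideApply when bumping` records it where Renovate will next touch the line. In the new aaron-openproject Application both git sources use `targetRevision: HEAD`; pinning a branch keeps the `$values` file and the kustomize path at the same reviewed revision.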
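Review bot: The ksops generator in `drone/secret-generator.yaml` relies on the `config.kubernetes.io/function` exec annotation, which only works when the Argo CD repo-server runs kustomize with `--enable-alpha-plugins --enable-exec` and has the `ksops` binary plus an age private key for one of the listed recipients; nothing in this diff provisions that, so a sync failure here would be a repo-server configuration issue rather than a manifest one. The same file is duplicated verbatim as `openproject/secret-generator.yaml`. A one-line comment in each, `# requires ksops + age key on the argocd repo-server (kustomize --enable-alpha-plugins --enable-exec)`, documents the dependency where it will be hit.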
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Secret +metadata: + name: drone-secrets +type: Opaque +data: + DRONE_RPC_SECRET: ENC[AES256_GCM,data:jrF3Y4c6HVYse2h8MhzPMTfLhD2VLmAGyr4yxjf0gFspTAVLcYwNtoJbjnI=,iv:7xGbWm5exOTDYJc3Uwj++9HWheyJI+F0SypeAmK7HcI=,tag:ksWv+zzc8fH9a193cNwYXA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cWRBQzFHTzR0WUNhc0Rl + dWlaTE9BTUFBb250c1ZaVjRrVUY3MjBXcDNjCmgwMjRzcFlmc3NhRUhkdHJHa3BV + bis5VWNCY1JFZ0ZpcjhJUWcxZXluZ0kKLS0tIFk1NnhSMWxvZ0JuSTFTV1lwY1Na + UW1YSVplRWNZc0o2UjNDUG5CUncvbk0KR/UDgABlTT4wA7CcE31LkPOMk7sXM6jr + rccWRqlgEyvD3AgRPQNUEZ/3nJbORhFLDt8jxsT4POFsDtZvxH1f2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYkljMUlGZmtnNTU4dnR2 + dXFyMkNUeFVHMENZa3d0a3MxNGpyYlhSS0VBClVXaXBVTU9GWkNjWk9OakNxakJK + a29VNzZ1UGFqNFhWclRONUw5dFo0WVUKLS0tIEQzS2ZxeldzZFY0cWlvRzIvVkl1 + MGJpczFOcThtTlVrSUROMytRNVVkc0kK0iO5dHZA/PhRGczCqFa1frXGMfJE30Cq + ZVfX5HcndP/87F5dv8FO2A9EJz4riz/TjuOpxIUhinDul7JI0T4KQw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUXREYjJEUmVwZ1ZTTmZh + cnp4K3dYdmczQ3o5RWFzMlF3NTRrOHFaSzA4CnBFbXk2MXVpVUxudXBMRWJwQ0JW + S2M3UEp1Qys3L0J1KzNsV1R3d05zamcKLS0tIDhMaDFmeG1vZWkzWDBKWGVoNWJS + REFDWXpDUkVkSnkzSmNiMzd6a2ZsbUEKFoDTBpjI/VCPCeqE+hVNk0zswNEWbnNw + TTwVfQ1xOXD5FeH8B+9zHo14UTi/Cp9T4OIcYNduKar7K0rQLlgz6A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-13T20:19:15Z" + mac: 
ENC[AES256_GCM,data:kCdPeuBOut4sXFYcp5uStaERQL8steUy1MZ51hWlP7sDfHpoKIV2oEEbRDlVy/2+no58WfH161J8gy5dw+B+ambwkcBShUA3D8yR8akX3ZlCSPR+Xp/KsUrtM5CtBmWpCiaI+0RZUnEXcRRWYPzHA4g2Hmrlg5mMmcD63zmV100=,iv:nXWlCN+DNLovf26fyCMDc0GmVtCaKB18pZUVpbqfjzw=,tag:QNT0A0SN8Vt992WAukNpmA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/openproject/db.yaml b/openproject/db.yaml
new file mode 100644
index 0000000..d0b33da
--- /dev/null
+++ b/openproject/db.yaml
@@ -0,0 +1,44 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: openproject
+spec:
+ instances: 3
+ storage:
+ size: 1Gi
+# bootstrap:
+# recovery:
+# source: clusterBackup
+# recoveryTarget:
+# targetTime: "2025-02-12 21:00:00.00000+00"
+ backup:
+ barmanObjectStore:
+ destinationPath: "s3://openproject/backups"
+ endpointURL: "https://fsn1.your-objectstorage.com"
+ serverName: "new-openproject"
+ s3Credentials:
+ accessKeyId:
+ name: openproject-secret
+ key: OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID
+ secretAccessKey:
+ name: openproject-secret
+ key: OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY
+ wal:
+ compression: gzip
+ retentionPolicy: "30d"
+# externalClusters:
+# - name: clusterBackup
+# barmanObjectStore:
+# destinationPath: "s3://openproject/backups"
+# endpointURL: "https://fsn1.your-objectstorage.com"
+# serverName: openproject
+# s3Credentials:
+# accessKeyId:
+# name: openproject-secret
+# key: OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID
+# secretAccessKey:
+# name: openproject-secret
+# key: OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY
+# wal:
+# maxParallel: 8
+# compression: gzip
diff --git a/openproject/kustomization.yaml b/openproject/kustomization.yaml
new file mode 100644
index 0000000..d507cbe
--- /dev/null
+++ b/openproject/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+ - ./secret-generator.yaml
+resources:
+ - ./db.yaml
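Review bot: In `drone/secret.yaml` (the hunk begins on the previous line) `DRONE_RPC_SECRET` sits under `data:` whereas `openproject/secret.yaml` in this same diff uses `stringData:`; with `data:` the decrypted value must already be base64-encoded or the API server rejects the Secret on apply, which is easy to get wrong when the value is edited through sops. Using `stringData:` in both files removes the double-encoding step, and `encrypted_regex: ^(data|stringData)$` already covers it. The file also omits the leading `---` that `drone/kustomization.yaml` and `drone/secret-generator.yaml` start with.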
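Review bot: The `barmanObjectStore` stanza in `openproject/db.yaml` ships base backups and WAL to `s3://openproject/backups` with no `encryption` set under `wal` or `data`, so the object store holds the database contents in the clear unless the bucket enforces it; cloudnative-pg accepts `encryption: AES256` in both places when the endpoint supports server-side encryption, which is worth checking for this provider. `serverName: "new-openproject"` differs from the commented-out `serverName: openproject`, and the commented `bootstrap`/`externalClusters` blocks read as a one-off recovery that has already run, so either delete them or add `# serverName changed after the <date> recovery: <reason>` so the rename is not undone later. `storage.size: 1Gi` for a three-instance cluster is also small enough that a note on the intended growth path would help the next operator.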
diff --git a/openproject/secret-generator.yaml b/openproject/secret-generator.yaml
new file mode 100644
index 0000000..7f9b73e
--- /dev/null
+++ b/openproject/secret-generator.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./secret.yaml
diff --git a/openproject/secret.yaml b/openproject/secret.yaml
new file mode 100644
index 0000000..4c3356d
--- /dev/null
+++ b/openproject/secret.yaml
@@ -0,0 +1,51 @@ +apiVersion: v1 +kind: Secret +metadata: + name: openproject-secret + labels: + app.kubernetes.io/name: openproject-secret + app.kubernetes.io/part-of: openproject +stringData: + OPENPROJECT_OPENID__CONNECT_AUTHENTIK_IDENTIFIER: ENC[AES256_GCM,data:u0EqZSaIBVEavmNVevNcO1ZtlMHZfdXDi4s0Rfjo9NyeIIsN3rHWuQ==,iv:mvhGi5w/kCOQGcTaQz8FOeGBvaP0NSH4DRzFhA5IwQg=,tag:P9CYCymCpWPZ0+0Ujc0rrQ==,type:str] + OPENPROJECT_OPENID__CONNECT_AUTHENTIK_SECRET: ENC[AES256_GCM,data:z17lplltjJd+LnmceX9Hdak6BHVaZ1nSHWt4FMiSbCtl02igdA5i3jozUyagwy4y+B5TMrla+BmK5KMFoZsalpThJZjWFcOZyo8BtQOeAEODXnwNg6Sznmhvya4BTEzdzkqbeOIYp/38rkcSUeTDPwo1ca+M9tb2udfvTmIg6FA=,iv:XEOCc5uUu4s5DQTnClCv1W89x4T+TS4zQS/G6V9UedI=,tag:GjY97MANIMAKEOgelbeprQ==,type:str] + OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: ENC[AES256_GCM,data:0vVJDBN9yl+K+LAAfvtMMQPX2YM=,iv:7PXtPZsYlOffhJMu4l6MRgBKkC8sI4R+6DFWIGK3rJ8=,tag:4XEdO10j8VXMCDst86KYFw==,type:str] + OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: ENC[AES256_GCM,data:OAZ1embfVUQBorMd69mBaGy0fAI4TEjuwDzCyriWQwtlSr/xsi1ypQ==,iv:eOu/LwYxsoCKbx61gmioLm8Zn1rfIVd2Qsil03r6Kro=,tag:/hRprgV+c9Qpwsbpkdj1xg==,type:str] +type: Opaque +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U3ZOaHd3Q21ZbVZudjZp + Y1BKMUdhU2ZQU1M2ZVlpNnVLMlRhNnZyTlJvCnI2TWZGR04yTWhUTllwUDI4aVlF + d24veFJwSmV0Y2NjL3l5ZW44a0F0d2cKLS0tIDdTMndsTk53Y3Q5WEpiQUFCRHZt + QXY5NTYyNldCSnFaQmE1QklTUURETDQKNlWFVA6qHmKDazv48PVygwV4/4cgBtKK + IYPcP2N0/T0rDw2ngw4lNdHJ90doTTmlUjiPYDmmfopGOi1XpoG2dQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbDlvVldrL2lCMzhsMjg4 + aHo5aExVWVBDTGl0RGtqUEZQS1JyWGRvZFFnCkNyMzc2WS9aS1doa1Y2R09JM0NJ + 
eWZRbEtNdTN1YWE4N3hqVDRRekZ0cDQKLS0tIE5oT1FCQlY2TDRlM3JSM2p4ckM4 + bHBpKzUvVi9YbHNNcjZEanVOeXB4SDQKFAV1upJgJzRlXzEB9FEW2sSeebC8dGt8 + xdfRIMKXn1pnf64N69ZnJ+hbcDvuMPnoSBsZ7W95nF0lItYfDIyHFw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdDEyanpERGpaMFV2cE5n + dmg3QjYzNkk3R2c0Yk1OTHlpRlZLRkYrNXlBCjJYdWRNeVVCR1FEVXBoZlJwU0Fn + aDFpbG1nbXRUOHBZcG9jMGZqeFM1OUkKLS0tIHZkYkQ0dlN1UDBZajRhVWZXUHVR + ci9LK2JjSlVvaDR2UFpwWGZmMDhQbDgKxcvqSMhGzpxoP2OSdjs2KsA9cd36j+xO + JYBFmTQnb4oTTzMQZxMAowaiqDt4fLsD6fXcwBnclq2SwAGsOlzvJw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-13T20:19:15Z" + mac: ENC[AES256_GCM,data:qloZYbT1ht2wTzTVD5O57C/VVHy80yT0bIpB+mSjF9yvvDF38rpUS3FuZFoXoDeyaniCml3IUV3Bww/lHXoHI/nPr70Vsl+Q2n9FdUnD1JKfI/kLqvk+XM5HB8qqY4XFXhjwZOGrbN3v5Stgi+CWb2s8518g8OCSdR8pyaWDSqc=,iv:4v77gZzMfjMYyF4K4BOBCdYbxk0wa3zrruy7VD7Tux0=,tag:50/uxJDqgvaEItqMepWwoA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/openproject/values.yaml b/openproject/values.yaml new file mode 100644 index 0000000..7537799 --- /dev/null +++ b/openproject/values.yaml 
@@ -0,0 +1,62 @@
+image:
+ registry: git.ar21.de
+ repository: aaron/openproject
+ tag: '30'
+appInit:
+ resources:
+ limits:
+ memory: 4Gi
+ requests:
+ memory: 4Gi
+clusterDomain: project.aaronriedel.de
+ingress:
+ annotations:
+ kubernetes.io/tls-acme: 'true'
+ host: project.aaronriedel.de
+ tls:
+ secretName: openproject-tls
+workers:
+ default:
+ replicas: 2
+environment:
+ OPENPROJECT_DISABLE__PASSWORD__LOGIN: true
+openproject:
+ admin_user:
+ password_reset: 'true'
+ name: Aaron Riedel
+ mail: aaron@ar21.de
+ extraEnvVarsSecret: openproject-secret
+ oidc:
+ enabled: true
+ provider: authentik
+ displayName: aaronID
+ host: auth.ar21.de
+ identifier: null
+ secret: null
+ userinfoEndpoint: /application/o/userinfo/
+ tokenEndpoint: /application/o/token/
+ authorizationEndpoint: /application/o/authorize/
+ endSessionEndpoint: /application/o/openproject/end-session/
+ scope: '[openid email profile]'
+persistence:
+ enabled: false
+s3:
+ enabled: true
+ region: fsn1
+ bucketName: openproject
+ endpoint: https://fsn1.your-objectstorage.com
+ pathStyle: true
+ enableSignatureV4Streaming: false
+ directUploads: false
+postgresql:
+ bundled: false
+ connection:
+ host: openproject-rw.openproject.svc.cluster.local
+ port: 5432
+ auth:
+ existingSecret: openproject-app
+ secretKeys:
+ adminPasswordKey: password
+ userPasswordKey: password
+ username: app
+ database: app
diff --git a/renovate.json b/renovate.json
index b09d564..6eb5df5 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,13 +1,10 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"dependencyDashboard": true,
- "enabledManagers": [
- "argocd"
- ],
+ "enabledManagers": ["argocd"],
"argocd": {
- "managerFilePatterns": [
- "/^app-files/apps\\.yaml$/"
- ]
+ "fileMatch": ["^app-files/apps\\.yaml$"]
},
- "packageRules": []
+ "packageRules": [
+ ]
}
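Review bot: `OPENPROJECT_DISABLE__PASSWORD__LOGIN: true` under `environment:` is a YAML boolean while every other flag-like value in `openproject/values.yaml` (`tag: '30'`, `tls-acme: 'true'`, `password_reset: 'true'`) is quoted; if the chart renders `environment` into container `env` entries without quoting, a boolean `value` is rejected by the API server, so `OPENPROJECT_DISABLE__PASSWORD__LOGIN: 'true'` is both the safer and the consistent form. `oidc.identifier: null` and `oidc.secret: null` only work because `extraEnvVarsSecret: openproject-secret` supplies `OPENPROJECT_OPENID__CONNECT_AUTHENTIK_IDENTIFIER` and `OPENPROJECT_OPENID__CONNECT_AUTHENTIK_SECRET`; a comment on those two keys naming that secret documents the coupling. With password login disabled, admin access depends entirely on `auth.ar21.de` being reachable, so it is worth confirming a break-glass path exists before this goes live.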
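Review bot: In `renovate.json` the change from `managerFilePatterns` to `fileMatch` runs opposite to Renovate's own config migration, which replaced `fileMatch` with `managerFilePatterns` (regexes written with surrounding slashes); if the Renovate version running here is new enough to have produced the original, this hunk reverts a migration it will redo on its next run. The empty `packageRules` array is also split over two lines while `enabledManagers` is collapsed onto one; `"packageRules": []` matches the rest of the hunk.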