diff --git a/basic/apps/do-test/vikunja-oauth-client.yaml b/basic/apps/do-test/vikunja-oauth-client.yaml
new file mode 100644
index 0000000..352214c
--- /dev/null
+++ b/basic/apps/do-test/vikunja-oauth-client.yaml
@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: vikunja-test-oauth-client
+ # Has to live in the same namespace as the stackspin-wordpress-oauth-variables secret
+ namespace: flux-system
+spec:
+ # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ - implicit
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles"
+ secretName: stackspin-vikunja-test-oauth-variables
+ redirectUris:
+ - https://do-test.${domain}/auth/openid/stackspin
+ tokenEndpointAuthMethod: client_secret_post
diff --git a/basic/apps/do-test/vikunja-postgres-pvc.yaml b/basic/apps/do-test/vikunja-postgres-pvc.yaml
new file mode 100644
index 0000000..2d4616b
--- /dev/null
+++ b/basic/apps/do-test/vikunja-postgres-pvc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vikunja-test-postgres
+ namespace: stackspout
+ labels:
+ stackspin.net/backupSet: "vikunja"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 2Gi
+ storageClassName: local-path
diff --git a/basic/apps/do-test/vikunja-release.yaml b/basic/apps/do-test/vikunja-release.yaml
new file mode 100644
index 0000000..684affb
--- /dev/null
+++ b/basic/apps/do-test/vikunja-release.yaml
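Review bot: In vikunja-oauth-client.yaml the client is granted `implicit` and `client_credentials` plus the `id_token` response type, and the TODO says the list was copied from the Wekan setup rather than chosen for Vikunja. The registered redirect URI and `tokenEndpointAuthMethod: client_secret_post` describe a confidential client using the authorization-code flow, so unless Vikunja is known to need the others I would reduce `grantTypes` to `authorization_code` and `refresh_token` and `responseTypes` to `code`. The implicit flow hands tokens back in the browser redirect and is discouraged by current OAuth security guidance, and `client_credentials` lets anyone holding the client secret obtain tokens without a user. The namespace comment also still names `stackspin-wordpress-oauth-variables`, while `secretName` is `stackspin-vikunja-test-oauth-variables`.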
@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: vikunja
+ namespace: stackspout
+spec:
+ releaseName: vikunja
+ chart:
+ spec:
+ chart: vikunja
+ version: 5.5.3
+ sourceRef:
+ kind: HelmRepository
+ name: k8s-at-home
+ namespace: flux-system
+ interval: 5m
+ valuesFrom:
+ - kind: ConfigMap
+ name: stackspin-vikunja-values
+ optional: false
+ # Allow overriding values by ConfigMap or Secret
+ - kind: ConfigMap
+ name: stackspin-vikunja-override
+ optional: true
+ - kind: Secret
+ name: stackspin-vikunja-override
+ optional: true
diff --git a/basic/apps/do-test/vikunja-values-configmap.yaml b/basic/apps/do-test/vikunja-values-configmap.yaml
new file mode 100644
index 0000000..5a554f0
--- /dev/null
+++ b/basic/apps/do-test/vikunja-values-configmap.yaml
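Review bot: In vikunja-release.yaml the release is named `vikunja` and reads `stackspin-vikunja-values` and `stackspin-vikunja-override`, but the ConfigMap added in this commit is `stackspin-vikunja-test-values` and its database host is `vikunja-test-postgresql`. With `optional: false` the release will either fail on a missing ConfigMap or, if a non-test Vikunja exists in `stackspout` (not visible here), take that instance's values and Secret override and collide with its release name. I would use `name: vikunja-test`, `releaseName: vikunja-test` and `name: stackspin-vikunja-test-values`, with the two override entries renamed to match.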
@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: stackspin-vikunja-test-values
+ namespace: stackspout
+data:
+ # Defaults: https://github.com/k8s-at-home/charts/blob/master/charts/stable/vikunja/values.yaml
+ # Inherits: https://github.com/k8s-at-home/library-charts/blob/main/charts/stable/common/values.yaml
+ values.yaml: |
+ additionalContainers:
+ api:
+ image: vikunja/api:unstable
+ imagePullPolicy: Always
+ frontend:
+ image: vikunja/frontend:unstable
+ imagePullPolicy: Always
+ vikunja:
+ config: |-
+ auth:
+ openid:
+ # https://vikunja.io/docs/config-options/#openid
+ # Example: https://github.com/go-vikunja/api/blob/main/config.yml.sample#L289-L312
+ enabled: true
+ redirecturl: "https://do-test.${domain}/auth/openid/"
+ providers:
+ - name: Stackspin
+ authurl: "https://sso.${domain}/"
+ clientid: "${client_id}"
+ clientsecret: "${client_secret}"
+ local:
+ enabled: false
+ service:
+ frontendurl: "https://do-test.${domain}"
+ motd: "Please allow public profile discovery in settings!"
+ timezone: "CET"
+ database:
+ type: postgres
+ host: vikunja-test-postgresql
+ password: "${postgresql_password}"
+ log:
+ path: "/app/vikunja"
+ http: file
+ database: stderr
+ databaselevel: debug
+ ingress:
+ main:
+ enabled: true
+ primary: false
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: "do-test.${domain}"
+ # TODO Helm template rather than repetition in every file? See https://github.com/k8s-at-home/library-charts/blob/4d09a8ddbdf11c278101b74b36720b5f7c17cd71/charts/stable/common/values.yaml#L342
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: vikunja-test-tls
+ hosts:
+ - "do-test.${domain}"
+ caddy:
+ # TODO is caddy needed at all?
+ noTls: true
+ postgresql:
+ enabled: true
+ postgresqlDatabase: vikunja
+ postgresqlUsername: vikunja
+ postgresqlPassword: "${postgresql_password}"
+ persistence:
+ enabled: true
+ existingClaim: vikunja-test-postgres
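Review bot: In vikunja-values-configmap.yaml `${client_secret}` and `${postgresql_password}` are substituted into a ConfigMap, so once the variables are filled in the OAuth client secret and the database password are stored in plain text in an object readable with ordinary ConfigMap permissions in `stackspout`. The HelmRelease in this commit already accepts a Secret in `valuesFrom`, so the `vikunja.config` block and `postgresqlPassword` could be supplied from a Secret-backed values file instead. Separately, `vikunja/api:unstable` and `vikunja/frontend:unstable` with `imagePullPolicy: Always` mean each pod restart may run different, unreviewed code; pinning a version tag or digest would make the deployment reproducible. `databaselevel: debug` deserves a comment such as `# temporary: remove once OIDC login is verified`, since database logging at that level may include user data.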
diff --git a/basic/infrastructure/kustomizations/vikunja-test-kustomization.yaml b/basic/infrastructure/kustomizations/vikunja-test-kustomization.yaml
new file mode 100644
index 0000000..925e8d8
--- /dev/null
+++ b/basic/infrastructure/kustomizations/vikunja-test-kustomization.yaml
@@ -0,0 +1,26 @@
+
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: vikunja-test
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m
+ wait: true
+ timeout: 3m
+ dependsOn:
+ - name: single-sign-on
+ sourceRef:
+ kind: GitRepository
+ name: stackspout
+ path: ./basic/apps/do-test
+ prune: true
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: stackspin-vikunja-variables
+ - kind: Secret
+ name: stackspin-vikunja-oauth-variables
+ - kind: Secret
+ name: stackspin-cluster-variables
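Review bot: In vikunja-test-kustomization.yaml `substituteFrom` reads `stackspin-vikunja-oauth-variables`, but the OAuth2Client added in this commit sets `secretName: stackspin-vikunja-test-oauth-variables`. As written, `${client_id}` and `${client_secret}` will either be unresolved (the entries are not marked `optional`, so reconciliation should fail) or come from another client's secret if one with that name exists, and that client's redirect URIs would not match this host. I would change the entry to `name: stackspin-vikunja-test-oauth-variables` and check whether `stackspin-vikunja-variables` is also meant to be a test-specific secret, so the test instance does not share a database password with another deployment.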