diff --git a/apps/forge-kustomization.yaml b/apps/forge-kustomization.yaml
new file mode 100644
index 0000000..5c2a63a
--- /dev/null
+++ b/apps/forge-kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: add-forge
+ namespace: flux-system
+spec:
+ interval: 10m
+ prune: true
+ path: ./apps/forge
+ sourceRef:
+ kind: GitRepository
+ name: stackspout
diff --git a/apps/forge/forgejo-kustomization.yaml b/apps/forge/forgejo-kustomization.yaml
index f77286c..9b56c69 100644
--- a/apps/forge/forgejo-kustomization.yaml
+++ b/apps/forge/forgejo-kustomization.yaml
@@ -4,22 +4,33 @@ metadata:
 name: forgejo
 namespace: flux-system
 spec:
- interval: 10m
+ interval: 5m
 retryInterval: 2m
+ timeout: 10m
 wait: true
- timeout: 3m
- dependsOn:
- - name: single-sign-on
+ prune: true
+ path: ./apps/forge/forgejo
 sourceRef:
 kind: GitRepository
 name: stackspout
- path: ./apps/forge
- prune: true
+ dependsOn:
+ - name: flux
+ - name: local-path-provisioner
+ - name: forgejo-secrets
+ - name: nginx
+ - name: single-sign-on
 postBuild:
 substituteFrom:
- #- kind: Secret
- # name: stackspin-forgejo-variables
- - kind: Secret
- name: stackspin-forgejo-oauth-variables
 - kind: Secret
 name: stackspin-cluster-variables
+ - kind: ConfigMap
+ name: stackspin-forgejo-kustomization-variables
+ - kind: Secret
+ name: stackspin-forgejo-variables
+ # OIDC
+ - kind: Secret
+ name: stackspin-forgejo-oauth-variables
+ - kind: ConfigMap
+ name: stackspin-single-sign-on-kustomization-variables
+ - kind: ConfigMap
+ name: stackspin-dashboard-kustomization-variables
diff --git a/apps/forge/forgejo-secrets-kustomization.yaml b/apps/forge/forgejo-secrets-kustomization.yaml
new file mode 100644
index 0000000..2c0e363
--- /dev/null
+++ b/apps/forge/forgejo-secrets-kustomization.yaml
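Review bot: The new `substituteFrom` list in `apps/forge/forgejo-kustomization.yaml` does not say which variables each source is expected to supply, and every key of each listed Secret and ConfigMap becomes a substitution variable for the Forgejo manifests. If two sources ever share a key name, the collision is presumably resolved silently by list order, so one of the later ConfigMaps could shadow a value from `stackspin-cluster-variables` without any error. I would extend the `# OIDC` comment into one comment per entry, for example `# provides client_id, client_secret` above the oauth Secret and `# provides hydra_domain` above the single-sign-on ConfigMap (the second name is inferred from the values file changed in this commit and should be confirmed). The `spec` mapping starts above the hunk.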
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: forgejo-secrets
+ namespace: flux-system
+spec:
+ interval: 5m
+ timeout: 4m
+ wait: true
+ prune: true
+ path: ./apps/forge/forgejo-secrets
+ sourceRef:
+ kind: GitRepository
+ name: stackspout
+ dependsOn:
+ - name: flux
+ - name: secrets-controller
diff --git a/apps/forge/forgejo-secrets/forgejo-kustomization-variables.yaml b/apps/forge/forgejo-secrets/forgejo-kustomization-variables.yaml
new file mode 100644
index 0000000..7373e01
--- /dev/null
+++ b/apps/forge/forgejo-secrets/forgejo-kustomization-variables.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: stackspin-forgejo-kustomization-variables
+ namespace: flux-system
+data:
+ forgejo_domain: forge.${domain}
diff --git a/apps/forge/forgejo-secrets/forgejo-oauth-secret.yaml b/apps/forge/forgejo-secrets/forgejo-oauth-secret.yaml
new file mode 100644
index 0000000..90b124e
--- /dev/null
+++ b/apps/forge/forgejo-secrets/forgejo-oauth-secret.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+ name: stackspin-forgejo-oauth-variables
+ namespace: flux-system
+spec:
+ data:
+ client_id: forgejo
+ fields:
+ - fieldName: client_secret
+ length: "32"
diff --git a/apps/forge/forgejo-secrets/forgejo-variables.yaml b/apps/forge/forgejo-secrets/forgejo-variables.yaml
new file mode 100644
index 0000000..21c3311
--- /dev/null
+++ b/apps/forge/forgejo-secrets/forgejo-variables.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+ name: stackspin-forgejo-variables
+ namespace: flux-system
+spec:
+ fields:
+ - fieldName: postgresql_password
diff --git a/apps/forge/forgejo/forgejo-values-configmap.yaml b/apps/forge/forgejo/forgejo-values-configmap.yaml
index 94f31f6..436d33b 100644
--- a/apps/forge/forgejo/forgejo-values-configmap.yaml
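Review bot: The `forgejo-secrets` Kustomization in `apps/forge/forgejo-secrets-kustomization.yaml` declares no `postBuild.substituteFrom`, yet the directory it applies contains `forgejo_domain: forge.${domain}` in `forgejo-kustomization-variables.yaml`. Without substitution at this level the ConfigMap is presumably stored with the literal text `${domain}`, and the `forgejo` Kustomization that later reads `forgejo_domain` would pass that literal on rather than the real hostname, since substitution does not appear to be applied recursively. Adding the cluster variables as a substitution source here, as sketched below, would resolve it; this is worth confirming against how the other Stackspin `*-secrets` Kustomizations are declared.

```yaml
  dependsOn:
    # … unchanged: flux, secrets-controller …
  postBuild:
    substituteFrom:
      - kind: Secret
        name: stackspin-cluster-variables
```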
+++ b/apps/forge/forgejo/forgejo-values-configmap.yaml
@@ -30,8 +30,8 @@ data:
 provider: "openidConnect"
 key: "${client_id}"
 secret: "${client_secret}"
- autoDiscoverUrl: "https://sso.${domain}/.well-known/openid-configuration"
- iconUrl: "https://dashboard.${domain}/favicon-32x32.png"
+ autoDiscoverUrl: "https://${hydra_domain}/.well-known/openid-configuration"
+ iconUrl: "https://${dashboard_domain}/favicon-32x32.png"
 # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
 config:
 APP_NAME: "Forge for ${company_name}"
@@ -51,13 +51,31 @@ data:
 ALLOW_ONLY_EXTERNAL_REGISTRATION: true
 log:
 LEVEL: "Debug"
+ podAnnotations:
+ backup.velero.io/backup-volumes: "data"
 persistence:
- enabled: true
 existingClaim: forgejo-data
+ labels:
+ stackspin.net/backupSet: "forgejo"
+ deployment:
+ labels:
+ stackspin.net/backupSet: "forgejo"
+ podLabels:
+ stackspin.net/backupSet: "forgejo"
 postgresql:
- persistence:
- enabled: true
- existingClaim: forgejo-postgres
+ enabled: true
+ global:
+ commonLabels:
+ stackspin.net/backupSet: "forgejo"
+ postgresql:
+ database: gitea
+ username: gitea
+ password: gitea # "${postgresql_password}"
+ persistence:
+ existingClaim: forgejo-postgres
+ primary:
+ podAnnotations:
+ backup.velero.io/backup-volumes: "data"
 service:
 ssh:
 type: LoadBalancer
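Review bot: The PostgreSQL password in the second hunk is the fixed, guessable value `gitea`, committed to the repository, with the generated one left in a trailing comment: `password: gitea # "${postgresql_password}"`. This same commit creates `postgresql_password` in the `stackspin-forgejo-variables` StringSecret and adds that Secret to `substituteFrom`, so the generated value is produced but never used; the line should read `password: "${postgresql_password}"`. If the database volume was already initialised with the old password, the role's password has to be changed inside PostgreSQL as well, otherwise Forgejo will fail to authenticate. Judging by its name this values file is a ConfigMap, so the substituted password, like the existing `${client_secret}`, would be readable by anyone allowed to read ConfigMaps; a Secret-backed values source would be the safer home for both. The `data` mapping begins above the hunk.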