diff --git a/hackerspace/README.md b/hackerspace/README.md
index 9fd07b1..4a2f9fb 100644
--- a/hackerspace/README.md
+++ b/hackerspace/README.md
@@ -1,8 +1,20 @@
-## inventory.k-space.ee
-Reads-writes to mongo.
-
+## hackerspace / inventory
-A component of inventory is 'doorboy' (https://wiki.k-space.ee/en/hosting/doors)
-## k6.ee
+## [doorboy-proxy](https://github.com/k-space/doorboy-proxy)
+- Dispatches open events (from mongodb) to door controllers.
+- Handles Slack open events (to mongodb).
+- Forwards logs from door controllers to mongodb.
+- Broadcasts mongodb logs to Slack.
+
+See also:
+- inventory-app door components
+- https://wiki.k-space.ee/en/hosting/doors
+
+## [inventory-app](https://github.com/k-space/inventory-app) (inventory.k-space.ee)
+- Inventory
+- Manages door keycards.
+- Forwards door opens from website to mongodb (what are picked up by doorboy-proxy).
+
+## [goredirect](https://github.com/k-space/goredirect) (k6.ee)
 Reads from mongo, HTTP redirect to //inventory.k-space.ee/m/inventory/{uuid}/view
diff --git a/hackerspace/doorboy.yml b/hackerspace/doorboy.yaml
similarity index 80%
rename from hackerspace/doorboy.yml
rename to hackerspace/doorboy.yaml
index 927b777..1ce921c 100644
--- a/hackerspace/doorboy.yml
+++ b/hackerspace/doorboy.yaml
@@ -26,6 +26,7 @@ spec: - doorboy-proxy topologyKey: topology.kubernetes.io/zone weight: 100 + serviceAccountName: inventory-svcacc containers: - name: doorboy-proxy image: harbor.k-space.ee/k-space/doorboy-proxy:latest
@@ -33,21 +34,14 @@ spec: - secretRef: name: inventory-mongodb - secretRef: - name: doorboy-api + name: doorboy-godoor + - secretRef: + name: doorboy-slack env: - - name: FLOOR_ACCESS_GROUP - value: 'k-space:floor' - - name: WORKSHOP_ACCESS_GROUP - value: 'k-space:workshop' - - name: CARD_URI - value: 'https://inventory.k-space.ee/cards' - - name: SWIPE_URI - value: 'https://inventory.k-space.ee/m/doorboy/swipe' - - name: INVENTORY_API_KEY - valueFrom: - secretKeyRef: - name: inventory-api-key - key: INVENTORY_API_KEY + - name: OIDC_USERS_NAMESPACE + value: passmower + - name: SLACK_CHANNEL_ID + value: CDL9H8Q9W securityContext: readOnlyRootFilesystem: true runAsNonRoot: true
diff --git a/hackerspace/inventory-extras.yaml b/hackerspace/inventory-extras.yaml
index 348aab1..9b35e68 100644
--- a/hackerspace/inventory-extras.yaml
+++ b/hackerspace/inventory-extras.yaml
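Review bot: After the `doorboy-api` secretRef is replaced by `doorboy-godoor` and `doorboy-slack` and the explicit `env:` entries are deleted, nothing in doorboy.yaml states which variables doorboy-proxy expects to receive from those two secrets, and the secrets themselves live in the external secretspace repository named in kustomization.yaml. A comment on each secretRef naming the consumed keys, e.g. `# provides: <variable names doorboy-proxy reads, per its settings>` as a placeholder to fill in, would let a reviewer check the secret contents against the app without reading its source. `SLACK_CHANNEL_ID` is a channel identifier rather than a credential, so keeping it as a plain env value is reasonable; quoting it (`value: "CDL9H8Q9W"`) guards against a future all-digit value being read as a number. The container entry continues outside the hunk.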
@@ -1,37 +1,24 @@ -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: members-inventory-redirect -spec: - redirectRegex: - regex: ^https://members.k-space.ee/(.*) - replacement: https://inventory.k-space.ee/${1} - permanent: false --- -# Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed). apiVersion: codemowers.cloud/v1beta1 -kind: OIDCMiddlewareClient +kind: OIDCClient metadata: - name: doorboy + name: inventory-app spec: - displayName: Doorboy - uri: 'https://inventory.k-space.ee/m/doorboy' ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: members-inventory -spec: - entryPoints: - - websecure - routes: - - match: Host(`members.k-space.ee`) - kind: Rule - middlewares: - - name: members-inventory-redirect - services: - - kind: TraefikService - name: api@internal + uri: 'https://inventory.k-space.ee' + redirectUris: + - 'https://inventory.k-space.ee/login-callback' + grantTypes: + - 'authorization_code' + - 'refresh_token' + responseTypes: + - 'code' + availableScopes: + - 'openid' + - 'profile' + - 'groups' + - 'offline_access' + tokenEndpointAuthMethod: 'client_secret_basic' + pkce: false --- apiVersion: codemowers.cloud/v1beta1 kind: MinioBucketClaim
diff --git a/hackerspace/inventory-redirects.yaml b/hackerspace/inventory-redirects.yaml
new file mode 100644
index 0000000..299b00f
--- /dev/null
+++ b/hackerspace/inventory-redirects.yaml
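Review bot: The OIDCClient on the new side keeps `pkce: false`; the client authenticates with `client_secret_basic`, so PKCE is not needed for the token exchange itself, but it is the standard defence against an authorization code that leaks from the `login-callback` redirect being exchanged by someone else. If inventory-app's OIDC library sends a code_verifier the change is the one line `pkce: true`; if it does not, a comment recording why it is off (`# pkce off: client library does not send code_verifier`) would stop the next reviewer from re-raising it. The block is moved here from inventory.yaml unchanged, so this is pre-existing rather than introduced by the commit.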
@@ -0,0 +1,35 @@
+---
+# Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCMiddlewareClient
+metadata:
+ name: doorboy
+spec:
+ displayName: Doorboy
+ uri: 'https://inventory.k-space.ee/m/doorboy'
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: members-inventory-redirect
+spec:
+ redirectRegex:
+ regex: ^https://members.k-space.ee/(.*)
+ replacement: https://inventory.k-space.ee/${1}
+ permanent: false
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: members-inventory
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`members.k-space.ee`)
+ kind: Rule
+ middlewares:
+ - name: members-inventory-redirect
+ services:
+ - kind: TraefikService
+ name: api@internal
diff --git a/hackerspace/inventory.yaml b/hackerspace/inventory.yaml
index a9825e5..3762e44 100644
--- a/hackerspace/inventory.yaml
+++ b/hackerspace/inventory.yaml
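Review bot: The `members-inventory` IngressRoute sends matched requests to `api@internal` and relies on the `members-inventory-redirect` middleware answering first, so the Traefik API becomes the fall-through target for `members.k-space.ee` if that middleware is ever detached or fails to load. Traefik provides `noop@internal` for redirect-only routers; pointing the route there (`name: noop@internal`) keeps a misconfiguration from exposing the API. `permanent: false` issues a temporary redirect; if the members hostname is retired for good, `permanent: true` lets clients and caches stop returning to it. All three objects are moved here from inventory-extras.yaml unchanged, so this is pre-existing rather than introduced by the commit.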
@@ -20,36 +20,12 @@ spec: - image: harbor.k-space.ee/k-space/inventory-app:latest imagePullPolicy: Always env: - - name: ENVIRONMENT_TYPE - value: PROD - - name: PYTHONUNBUFFERED - value: "1" - name: INVENTORY_ASSETS_BASE_URL value: https://external.minio-clusters.k-space.ee/hackerspace-701d9303-0f27-4829-a2be-b1084021ad91/ - name: MACADDRESS_OUTLINK_BASEURL value: https://grafana.k-space.ee/d/ddwyidbtbc16oa/ip-usage?orgId=1&from=now-2y&to=now&timezone=browser&var-Filters=mac%7C%3D%7C - name: OIDC_USERS_NAMESPACE value: passmower - - name: SECRET_KEY - valueFrom: - secretKeyRef: - key: SECRET_KEY - name: inventory-secrets - - name: INVENTORY_API_KEY - valueFrom: - secretKeyRef: - key: INVENTORY_API_KEY - name: inventory-api-key - - name: SLACK_DOORLOG_CALLBACK - valueFrom: - secretKeyRef: - key: SLACK_DOORLOG_CALLBACK - name: slack-secrets - - name: SLACK_VERIFICATION_TOKEN - valueFrom: - secretKeyRef: - key: SLACK_VERIFICATION_TOKEN - name: slack-secrets envFrom: - secretRef: name: miniobucket-inventory-external-owner-secrets 
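Review bot: The hunk removes `SECRET_KEY`, `INVENTORY_API_KEY` and the two `SLACK_*` secretKeyRefs from `env:` with no replacement visible; if inventory-app still reads SECRET_KEY for session signing it must now arrive through one of the `envFrom` secretRefs, and that list continues outside the hunk, so confirm a secret there carries it. Dropping `PYTHONUNBUFFERED` also changes log delivery: unless the image sets it, Python block-buffers stdout and door/access log lines reach the collector late or are lost on a crash, in which case restoring `- name: PYTHONUNBUFFERED` / `value: "1"` is the fix. The removal of `ENVIRONMENT_TYPE` is presumably deliberate alongside the app change, but the commit does not say so; a one-line note in the description would settle it.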
@@ -122,59 +98,3 @@ spec: tls: - hosts: - "*.k-space.ee" ---- -apiVersion: codemowers.cloud/v1beta1 -kind: OIDCClient -metadata: - name: inventory-app -spec: - uri: 'https://inventory.k-space.ee' - redirectUris: - - 'https://inventory.k-space.ee/login-callback' - grantTypes: - - 'authorization_code' - - 'refresh_token' - responseTypes: - - 'code' - availableScopes: - - 'openid' - - 'profile' - - 'groups' - - 'offline_access' - tokenEndpointAuthMethod: 'client_secret_basic' - pkce: false ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: inventory-role - namespace: hackerspace -rules: - - verbs: - - get - - list - - watch - apiGroups: - - codemowers.cloud - resources: - - oidcusers - - oidcusers/status ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: inventory-roles - namespace: hackerspace -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: inventory-role -subjects: - - kind: ServiceAccount - name: inventory-svcacc - namespace: hackerspace ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: inventory-svcacc
diff --git a/hackerspace/kustomization.yaml b/hackerspace/kustomization.yaml
new file mode 100644
index 0000000..28c206b
--- /dev/null
+++ b/hackerspace/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: hackerspace
+
+resources:
+- ssh://git@git.k-space.ee/secretspace/kube/hackerspace # secrets: inventory-mongodb, inventory-s3, doorboy-godoor, doorboy-slack
+- ./doorboy.yaml
+- ./svcacc.yaml
+- ./inventory.yaml
+- ./inventory-extras.yaml
+- ./inventory-redirects.yaml
+- ./goredirect.yaml
diff --git a/hackerspace/svcacc.yaml b/hackerspace/svcacc.yaml
new file mode 100644
index 0000000..fe29fd9
--- /dev/null
+++ b/hackerspace/svcacc.yaml
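Review bot: The remote resource `ssh://git@git.k-space.ee/secretspace/kube/hackerspace` in kustomization.yaml has no `?ref=`, so every build fetches whatever the default branch of the secrets repository holds at that moment, and a change there alters this deployment with no commit here to review. Pinning it (`?ref=<tag-or-commit>`) makes the build reproducible and turns secret-repository changes into explicit bumps on this side. The `resources:` sequence is flush with its key while the other files in this commit indent sequences under their keys; either is valid, but the directory should settle on one style. The inline `# secrets: ...` comment naming the expected Secret objects is useful and worth keeping.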
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: inventory-role
+ namespace: hackerspace
+rules:
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - codemowers.cloud
+ resources:
+ - oidcusers
+ - oidcusers/status
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: inventory-roles
+ namespace: hackerspace
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: inventory-role
+subjects:
+ - kind: ServiceAccount
+ name: inventory-svcacc
+ namespace: hackerspace
+---
+# used by inventory and doorboy
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: inventory-svcacc
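Review bot: ClusterRole and ClusterRoleBinding are cluster-scoped, so the `namespace: hackerspace` under both `inventory-role` and `inventory-roles` has no effect and is dropped on apply; removing those two lines avoids implying the grant is confined to the namespace. The read on `oidcusers` is cluster-wide, while both inventory.yaml and doorboy.yaml set `OIDC_USERS_NAMESPACE: passmower`; if oidcusers is a namespaced resource, a Role plus RoleBinding in the `passmower` namespace (subject still `inventory-svcacc` in `hackerspace`) gives the same read with least privilege, though the kustomization's `namespace: hackerspace` transformer would rewrite such a Role's namespace, so it would have to live outside this kustomization. Now that doorboy.yaml also selects this service account, the comment `# used by inventory and doorboy` could say what the grant is for, e.g. `# read access to oidcusers (OIDC_USERS_NAMESPACE) for inventory-app and doorboy-proxy`.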