diff --git a/argocd/.gitignore b/argocd/.gitignore
deleted file mode 100644
index 06916db..0000000
--- a/argocd/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-argocd.yml
-repo-credentials.yml
-id_*
-ssh_known_hosts
diff --git a/argocd/README.md b/argocd/README.md
index ce2bedf..4b7663e 100644
--- a/argocd/README.md
+++ b/argocd/README.md
@@ -36,23 +36,17 @@ done
 find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
 ```
-### Repository secrets
-1. Generate keys locally with `ssh-keygen -f argo`
-2. Add `argo.pub` in `git.k-space.ee//` → Settings → Deploy keys
-3. Add `argo` (private key) at https://argocd.k-space.ee/settings/repos along with referenced repo.
-## Argo Deployment
-To deploy ArgoCD itself:
+## Cold start
+Normally ArgoCD deploys itself. Deploy ArgoCD out-of-bounds:
 ```bash
-helm repo add argo-cd https://argoproj.github.io/argo-helm
-kubectl create secret -n argocd generic argocd-secret # Empty secret for sessions
-kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
-
-helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
-kubectl apply -f argocd.yml -f application-extras.yml -f redis.yaml -f monitoring.yml -n argocd
-
-kubectl -n argocd rollout restart deployment/k6-argocd-redis deployment/k6-argocd-repo-server deployment/k6-argocd-server deployment/k6-argocd-notifications-controller statefulset/k6-argocd-application-controller
+kustomize build . --enable-helm | kubectl apply -f -
 ```
-WARN: ArgoCD doesn't host its own redis, Dragonfly must be able to independently cold-start.
+ArgoCD dependencies:
+- dragonfly (database)
+- passmower (auth)
+- traefik
+- #TODO: network...
+- gitea
diff --git a/argocd/applications/argocd-applications.yaml b/argocd/applications/argocd-applications.yaml
index f93c1ea..5096795 100644
--- a/argocd/applications/argocd-applications.yaml
+++ b/argocd/applications/argocd-applications.yaml
@@ -1,5 +1,20 @@
 ---
 apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ namespace: argocd
+ name: k-space.ee
+spec:
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
+ destinations:
+ - namespace: '*'
+ server: '*'
+ sourceRepos:
+ - '*'
+---
+apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
 name: argocd-applications
diff --git a/argocd/applications/argocd.yaml b/argocd/applications/argocd.yaml
new file mode 100644
index 0000000..21429da
--- /dev/null
+++ b/argocd/applications/argocd.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+ namespace: argocd
+spec:
+ project: k-space.ee
+ source:
+ repoURL: 'git@git.k-space.ee:k-space/kube.git'
+ path: argocd
+ targetRevision: HEAD
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/argocd/deploy_key.pub b/argocd/deploy_key.pub
deleted file mode 100644
index af58ad4..0000000
--- a/argocd/deploy_key.pub
+++ /dev/null
@@ -1,2 +0,0 @@
-# used for git.k-space: k-space/kube, secretspace/kube, secretspace/members
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
new file mode 100644
index 0000000..f34d61c
--- /dev/null
+++ b/argocd/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: argocd
+
+helmCharts:
+- includeCRDs: true
+ name: &name argo-cd
+ releaseName: *name
+ repo: https://argoproj.github.io/argo-helm/
+ valuesFile: values.yaml
+ version: 9.2.4
+
+resources:
+ - ./redis.yaml
+ - ./oidc-auth.yaml
+ - ./monitoring.yaml
+ - ./applications/argocd-applications.yaml
+ - ssh://git@git.k-space.ee/secretspace/kube/argocd # deploy key, used at k-space/kube, secretspace/kube, secretspace/members
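Review bot: The `k-space.ee` AppProject constrains nothing: `sourceRepos: ['*']`, `destinations` with `server: '*'` / `namespace: '*'`, and a `clusterResourceWhitelist` of `'*'`/`'*'` let any Application in the project deploy cluster-scoped resources from any repository to any cluster. The definition is moved here from `application-extras.yml` rather than newly written, but this commit also places the self-managing `argocd` Application under the same project, so the wildcard scope now covers ArgoCD's own deployment. Consider narrowing `sourceRepos` to the Git host actually in use, e.g. `- 'git@git.k-space.ee:k-space/*'` plus whichever other repositories Applications reference, and `destinations` to `server: 'https://kubernetes.default.svc'`. If the wildcards are intentional, a comment above `spec:` such as `# Intentionally unrestricted: single-tenant cluster, all Applications are operator-owned` would record that.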
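Review bot: `targetRevision: HEAD` combined with `automated` sync and `prune: true` means every push to the default branch of `k-space/kube` is applied to ArgoCD itself, deletions included, with no manual gate. That makes write access to that branch equivalent to control of the deployment controller, so the dependence on branch protection deserves a comment above `targetRevision`, e.g. `# Self-managed: default-branch pushes are auto-applied to ArgoCD; relies on branch protection in k-space/kube`. Separately, the `argocd` path is a kustomization using `helmCharts`, which kustomize only renders with `--enable-helm`. This Application sets no kustomize options, so unless `values.yaml` (only partly visible in this diff) sets `kustomize.buildOptions: --enable-helm` under `configs.cm`, the first automated sync will presumably fail even though the documented cold-start command works.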
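Review bot: The remote resource `ssh://git@git.k-space.ee/secretspace/kube/argocd` carries no `?ref=`, so each build pulls whatever the default branch of that repository holds at the time, while the Helm chart beside it is pinned to `9.2.4`. A change in the secrets repository therefore alters what lands in the `argocd` namespace without any commit in this one, and a cold start is not reproducible. Appending a ref, e.g. `ssh://git@git.k-space.ee/secretspace/kube/argocd?ref=<tag-or-commit>`, and bumping it deliberately would close that gap. The trailing comment also reads as if the URL itself were the deploy key. If the remote base is what supplies the key (not visible here), `# provides the deploy key used for k-space/kube, secretspace/kube, secretspace/members` would be clearer.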
diff --git a/argocd/monitoring.yml b/argocd/monitoring.yaml
similarity index 100%
rename from argocd/monitoring.yml
rename to argocd/monitoring.yaml
diff --git a/argocd/application-extras.yml b/argocd/oidc-auth.yaml
similarity index 65%
rename from argocd/application-extras.yml
rename to argocd/oidc-auth.yaml
index 843b184..5f634db 100644
--- a/argocd/application-extras.yml
+++ b/argocd/oidc-auth.yaml
@@ -21,18 +21,7 @@ spec:
 - openid
 - profile
 pkce: false
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
- namespace: argocd
- name: k-space.ee
-spec:
- clusterResourceWhitelist:
- - group: '*'
- kind: '*'
- destinations:
- - namespace: '*'
- server: '*'
- sourceRepos:
- - '*'
+ secretMetadata:
+ labels:
+ # Required, else ArgoCD will "Config referenced but key does not exist in secret"
+ app.kubernetes.io/part-of: argocd
diff --git a/argocd/values.yaml b/argocd/values.yaml
index d1072bf..c94e269 100644
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -99,8 +99,6 @@ configs:
 - profile
 - email
 - groups
- secret:
- createSecret: false
 ssh:
 knownHosts: |
 # Copy-pasted from `ssh-keyscan git.k-space.ee`