diff --git a/gitea/README.md b/gitea/README.md
index ed6ee88..dafd8cc 100644
--- a/gitea/README.md
+++ b/gitea/README.md
@@ -5,7 +5,7 @@ This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/a
 Should ArgoCD be down manifests here can be applied with:
 
 ```
-kubectl apply -n gitea -f application.yaml
+kustomize build . | kubectl apply -f -
 ```
 
 Gitea DOES NOT go through Traefik. It has its own IP because ssh :22 would conflict with kube worker ssh. On its own IP, at the moment it doesn't flirt with Traefik — also has its own certificate.
diff --git a/gitea/application.yaml b/gitea/application.yaml
index 9a80a1c..0ba752d 100644
--- a/gitea/application.yaml
+++ b/gitea/application.yaml
@@ -19,21 +19,15 @@ spec:
 apiVersion: codemowers.cloud/v1beta1
 kind: SecretClaim
 metadata:
-  name: gitea-security-secret-key
+  name: gitea-random
 spec:
   size: 32
   mapping:
-    - key: secret
+    - key: GITEA__SECURITY__SECRET_KEY
       value: "%(plaintext)s"
----
-apiVersion: codemowers.cloud/v1beta1
-kind: SecretClaim
-metadata:
-  name: gitea-security-internal-token
-spec:
-  size: 32
-  mapping:
-    - key: secret
+    - key: GITEA__SECURITY__INTERNAL_TOKEN
+      value: "%(plaintext)s"
+    - key: GITEA__OAUTH2__JWT_SECRET
       value: "%(plaintext)s"
 ---
 apiVersion: codemowers.cloud/v1beta1
@@ -214,23 +208,23 @@ spec:
             - name: GITEA__MAILER__PASSWD
               valueFrom:
                 secretKeyRef:
-                  name: gitea-secrets
+                  name: gitea-mail
                   key: GITEA__MAILER__PASSWD
             - name: GITEA__OAUTH2__JWT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: gitea-secrets
+                  name: gitea-random
                   key: GITEA__OAUTH2__JWT_SECRET
             - name: GITEA__SECURITY__INTERNAL_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: gitea-security-internal-token
-                  key: secret
+                  name: gitea-random
+                  key: GITEA__SECURITY__INTERNAL_TOKEN
             - name: GITEA__SECURITY__SECRET_KEY
               valueFrom:
                 secretKeyRef:
-                  name: gitea-security-secret-key
-                  key: secret
+                  name: gitea-random
+                  key: GITEA__SECURITY__SECRET_KEY
           ports:
             - containerPort: 8080
               name: http
diff --git a/gitea/kustomization.yaml b/gitea/kustomization.yaml
new file mode 100644
index 0000000..5161b49
--- /dev/null
+++ b/gitea/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: gitea
+
+resources:
+- ssh://git@git.k-space.ee/secretspace/kube/gitea
+- ./application.yaml
+- ./mariadb.yaml
diff --git a/gitea/mariadb.yml b/gitea/mariadb.yaml
similarity index 100%
rename from gitea/mariadb.yml
rename to gitea/mariadb.yaml