diff --git a/argocd/README.md b/argocd/README.md
new file mode 100644
index 0000000..fd94ca6
--- /dev/null
+++ b/argocd/README.md
@@ -0,0 +1,46 @@
+# Argo CD
+
+> [Argo CD] is a declarative GitOps continuous delivery tool, which allows
+> developers to define and control deployment of Kubernetes application
+> resources from within their existing Git workflow.
+
+```sh
+kubectl apply -k argocd
+kubectl apply -f argocd/applications
+```
+
+## Components
+
+Argo CD consists of several components, some of which are not used:
+
+- [x] Application Controller
+- [x] Repository Service
+- [x] Web Server
+- [x] Notification Controller
+- [ ] ApplicationSet Controller[^1]
+- [ ] Dex Server[^2]
+
+[^1]: ApplicationSets are "generators" that can be used to apply applications
+ to multiple clusters. As we only have a single cluster, it is not useful.
+[^2]: Argo CD includes Dex to handle authentication and authorization, but we
+ are using Authelia instead.
+
+
+## Applications
+
+*Applications* are the core resource in Argo CD. They form a collection of
+resources associated with a particular application deployment. They are
+themselves defined as Kubernetes resources (see [applications]).
+
+
+## Git Webhook
+
+*Argo CD* will automatically refresh the desired state of applications whenever
+a changeset is pushed to the Git repository where manifests are stored. The
+[infra/kubernetes] repository has a Webhook configured in Gitea that notifies
+the Argo CD server on Git push events.
+
+
+[Argo CD]: https://argo-cd.readthedocs.io/
+[applications]: ./applications/
+[infra/kubernetes]: https://git.pyrocufflink.blue/infra/kubernetes
diff --git a/argocd/applications/dynk8s-provisioner.yaml b/argocd/applications/dynk8s-provisioner.yaml
new file mode 100644
index 0000000..1c648a7
--- /dev/null
+++ b/argocd/applications/dynk8s-provisioner.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dynk8s-provisioner
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: dynk8s-provisioner
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/applications/firefly-iii.yaml b/argocd/applications/firefly-iii.yaml
new file mode 100644
index 0000000..2610ce4
--- /dev/null
+++ b/argocd/applications/firefly-iii.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: firefly-iii
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: firefly-iii
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/applications/home-assistant.yaml b/argocd/applications/home-assistant.yaml
new file mode 100644
index 0000000..54f650f
--- /dev/null
+++ b/argocd/applications/home-assistant.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: home-assistant
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: home-assistant
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/applications/jenkins.yaml b/argocd/applications/jenkins.yaml
new file mode 100644
index 0000000..a048689
--- /dev/null
+++ b/argocd/applications/jenkins.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: jenkins
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: jenkins
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/applications/ntfy.yaml b/argocd/applications/ntfy.yaml
new file mode 100644
index 0000000..58695be
--- /dev/null
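Review bot: Every Application in this commit (dynk8s-provisioner here, and firefly-iii, home-assistant, jenkins, ntfy, paperless-ngx and phpipam alike) is placed in `project: default`, which permits any source repository, any destination namespace and any cluster-scoped resource kind. Since all of them deploy from the single infra/kubernetes repository into the in-cluster server, a dedicated AppProject with `sourceRepos` and `destinations` restricted to that repository and the namespaces these apps need would bound what a mistaken or malicious change to one Application manifest can do. None of the manifests set `spec.syncPolicy`, so every sync is manual; if that is intended, a short comment saying so would help, because the README's "automatically refresh" wording only covers desired-state refresh, not sync.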
+++ b/argocd/applications/ntfy.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ntfy
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: ntfy
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/applications/paperless-ngx.yaml b/argocd/applications/paperless-ngx.yaml
new file mode 100644
index 0000000..bbb4f57
--- /dev/null
+++ b/argocd/applications/paperless-ngx.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: paperless-ngx
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: paperless-ngx
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/applications/phpipam.yaml b/argocd/applications/phpipam.yaml
new file mode 100644
index 0000000..99d8709
--- /dev/null
+++ b/argocd/applications/phpipam.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: phpipam
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: phpipam
+ repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+ targetRevision: master
diff --git a/argocd/argocd-cm.yml b/argocd/argocd-cm.yml
new file mode 100644
index 0000000..77505aa
--- /dev/null
+++ b/argocd/argocd-cm.yml
@@ -0,0 +1,7 @@
+url: https://argocd.pyrocufflink.blue
+
+oidc.config: |
+ name: Authelia
+ issuer: https://auth.pyrocufflink.blue
+ clientID: argocd
+ clientSecret: $oidc.authelia.clientSecret
diff --git a/argocd/hooks.yaml b/argocd/hooks.yaml
new file mode 100644
index 0000000..22de969
--- /dev/null
+++ b/argocd/hooks.yaml
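Review bot: `argocd/argocd-cm.yml` is referenced nowhere in the new argocd/kustomization.yaml, which builds the argocd-cm ConfigMap from the `url` literal and the separate `oidc.config` file instead, so this file is an unreferenced second copy of the same settings and the two will drift. It is also not a Kubernetes manifest (no apiVersion/kind/metadata), so it cannot be listed under `resources` as-is. Either delete it, or make it the single source of the generator's data and drop the literal/file pair.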
@@ -0,0 +1,20 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ generateName: jenkins-snapshot-
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+spec:
+ template:
+ spec:
+ containers:
+ - name: jenkins-snapshot
+ image: docker.io/curlimages/curl
+ command:
+ - curl
+ - http://longhorn-frontend.longhorn-system/v1/volumes/pvc-4d42f4d3-2f9d-4edd-b82c-b51a385a3276?action=snapshotCreate
+ - -H
+ - Content-Type application/json
+ - -d
+ - '{}'
+ restartPolicy: Never
diff --git a/argocd/ingress.yaml b/argocd/ingress.yaml
new file mode 100644
index 0000000..08838c6
--- /dev/null
+++ b/argocd/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-ingress
+ namespace: argocd
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+ rules:
+ - host: argocd.pyrocufflink.blue
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ name: https
+ tls:
+ - hosts:
+ - argocd.example.com
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
new file mode 100644
index 0000000..5e80df5
--- /dev/null
+++ b/argocd/kustomization.yaml
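Review bot: The header argument `Content-Type application/json` in the hook's curl command is missing the colon, so curl does not send a well-formed Content-Type header with the POST; it should read `- 'Content-Type: application/json'`. The image `docker.io/curlimages/curl` has neither a tag nor a digest, so a Job that runs on every sync pulls whatever `latest` currently resolves to; pin it. The call goes over plain HTTP to the Longhorn frontend with a hard-coded volume ID (pvc-4d42f4d3-…) and no credentials, and Longhorn's API does not authenticate callers on its own, so any pod able to reach that Service can trigger the same action — a NetworkPolicy on longhorn-system is the usual control, and the volume ID should be documented as the Jenkins PVC so the next maintainer knows what it snapshots. hooks.yaml is also not listed under `resources` in argocd/kustomization.yaml, so as committed it is never applied by `kubectl apply -k argocd`; presumably it belongs in the jenkins application directory instead.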
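Review bot: The `tls.hosts` entry is `argocd.example.com`, a leftover from the upstream example, while the rule host is `argocd.pyrocufflink.blue`; change it to `- argocd.pyrocufflink.blue`. With `ssl-passthrough` enabled the ingress controller does not terminate TLS, so this `tls` block is not what presents the certificate to clients — argocd-server's own certificate is; confirm argocd-server has been issued a certificate for this hostname rather than its self-signed default, otherwise browsers and the Gitea webhook delivery will see an untrusted certificate. `kubernetes.io/ingress.class` is the deprecated annotation form; `spec.ingressClassName: nginx` is the supported field.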
@@ -0,0 +1,116 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: argocd
+
+resources:
+- namespace.yaml
+- https://raw.githubusercontent.com/argoproj/argo-cd/v2.8.4/manifests/install.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: argocd-cm
+ behavior: merge
+ literals:
+ - url=https://argocd.pyrocufflink.blue
+ files:
+ - oidc.config
+
+- name: argocd-rbac-cm
+ behavior: merge
+ literals:
+ - policy.default=role:readonly
+ files:
+ - policy.csv
+
+patches:
+- patch: |-
+ $patch: delete
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+ name: applicationsets.argoproj.io
+
+- patch: |-
+ $patch: delete
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: argocd-applicationset-controller
+
+- patch: |-
+ $patch: delete
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: argocd-dex-server
+
+- patch: |-
+ $patch: delete
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: argocd-applicationset-controller
+
+- patch: |-
+ $patch: delete
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: argocd-dex-server
+
+- patch: |-
+ $patch: delete
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: argocd-applicationset-controller
+
+- patch: |-
+ $patch: delete
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: argocd-dex-server
+
+- patch: |-
+ $patch: delete
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: argocd-applicationset-controller
+
+- patch: |-
+ $patch: delete
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: argocd-dex-server
+
+- patch: |-
+ $patch: delete
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: argocd-applicationset-controller
+
+- patch: |-
+ $patch: delete
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: argocd-dex-server
+
+- patch: |-
+ $patch: delete
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: argocd-applicationset-controller-network-policy
+
+- patch: |-
+ $patch: delete
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: argocd-dex-server-network-policy
diff --git a/argocd/namespace.yaml b/argocd/namespace.yaml
new file mode 100644
index 0000000..a040f2b
--- /dev/null
+++ b/argocd/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd
diff --git a/argocd/oidc.config b/argocd/oidc.config
new file mode 100644
index 0000000..8244638
--- /dev/null
+++ b/argocd/oidc.config
@@ -0,0 +1,4 @@
+name: Authelia
+issuer: https://auth.pyrocufflink.blue
+clientID: argocd
+clientSecret: $oidc.authelia.clientSecret
diff --git a/argocd/policy.csv b/argocd/policy.csv
new file mode 100644
index 0000000..98ab51e
--- /dev/null
+++ b/argocd/policy.csv
@@ -0,0 +1 @@
+g, Argo CD Admins, role:admin
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index d9293dd..dac48b9 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -65,6 +65,12 @@ identity_providers:
 redirect_uris:
 - http://127.0.0.1
 pre_configured_consent_duration: 7d
+ - id: argocd
+ description: Argo CD
+ redirect_uris:
+ - https://argocd.pyrocufflink.blue/auth/callback
+ secret: >-
+ $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
 log:
 level: trace
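Review bot: `policy.default=role:readonly` in the argocd-rbac-cm generator gives every identity Authelia lets through to this client read access to all applications, repositories and clusters, while policy.csv only elevates the `Argo CD Admins` group. Unless Authelia already restricts the argocd client to specific groups, an empty default policy with readonly granted explicitly in policy.csv keeps an ordinary SSO login from seeing the whole deployment inventory. The remote `install.yaml` is pinned to the `v2.8.4` tag, which is good, but a git tag is mutable and a raw.githubusercontent.com fetch is unverified; vendoring the manifest, or checking its hash in CI, would make `kubectl apply -k argocd` reproducible.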
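Review bot: `clientSecret: $oidc.authelia.clientSecret` makes Argo CD look up the key `oidc.authelia.clientSecret` in the argocd-secret Secret, and nothing in this commit creates that key, so OIDC login will fail on a fresh install until it is provisioned out of band. Documenting that prerequisite in the README next to the apply commands, naming the Secret and key, would save the next person a confusing login failure.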
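Review bot: The new `argocd` client declares only `id`, `description`, `redirect_uris` and a hashed `secret`; no `scopes` or `authorization_policy` appear in the hunk, so the client inherits Authelia's defaults for both. The Argo CD mapping `g, Argo CD Admins, role:admin` in policy.csv only takes effect if the ID token carries a groups claim, which requires the `groups` scope to be permitted for this client — confirm the default scope set includes it, or list the scopes explicitly. Storing the client secret as a pbkdf2 hash rather than plaintext is the right choice here. The `identity_providers` block this client belongs to starts before the hunk.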