diff --git a/apps-kustomized/cryptpad/deploy.yaml b/apps-kustomized/cryptpad/deploy.yaml
new file mode 100644
index 0000000..ab8cd9e
--- /dev/null
+++ b/apps-kustomized/cryptpad/deploy.yaml
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cryptpad
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: cryptpad
+    spec:
+      containers:
+      - image: cryptpad/cryptpad:version-5.5.0
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 5
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: http
+          timeoutSeconds: 10
+        name: cryptpad
+        ports:
+        - containerPort: 3000
+          name: http
+          protocol: TCP
+        - containerPort: 3001
+          name: http-safe
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 5
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: http
+          timeoutSeconds: 10
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /cryptpad/blob
+          name: blob
+        - mountPath: /cryptpad/block
+          name: block
+        - mountPath: /cryptpad/config
+          name: config
+        - mountPath: /cryptpad/customize
+          name: customize
+        - mountPath: /cryptpad/data
+          name: data
+        - mountPath: /cryptpad/datasource
+          name: datasource
+        - mountPath: /cryptpad/datastore
+          name: datastore
+      volumes:
+      - name: blob
+        persistentVolumeClaim:
+          claimName: cryptpad-blob
+      - name: block
+        persistentVolumeClaim:
+          claimName: cryptpad-block
+      - name: config
+        persistentVolumeClaim:
+          claimName: cryptpad-config
+      - name: customize
+        persistentVolumeClaim:
+          claimName: cryptpad-customize
+      - name: data
+        persistentVolumeClaim:
+          claimName: cryptpad-data
+      - name: datasource
+        persistentVolumeClaim:
+          claimName: cryptpad-datasource
+      - name: datastore
+        persistentVolumeClaim:
+          claimName: cryptpad-datastore
diff --git a/apps-kustomized/cryptpad/ingress.yaml b/apps-kustomized/cryptpad/ingress.yaml
new file mode 100644
index 0000000..a518c2c
--- /dev/null
+++ b/apps-kustomized/cryptpad/ingress.yaml
@@ -0,0 +1,63 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "cross-origin-resource-policy: cross-origin";
+      more_set_headers "cross-origin-embedder-policy: require-corp";
+    nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad
+spec:
+  rules:
+  - host: cryptpad.martyn.berlin
+    http:
+      paths:
+      - backend:
+          service:
+            name: cryptpad
+            port:
+              number: 3000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - cryptpad.martyn.berlin
+    secretName: cryptpad-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "cross-origin-resource-policy: cross-origin";
+      more_set_headers "cross-origin-embedder-policy: require-corp";
+    nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-0
+spec:
+  rules:
+  - host: cryptpad-safe.martyn.berlin
+    http:
+      paths:
+      - backend:
+          service:
+            name: cryptpad
+            port:
+              number: 3000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - cryptpad-safe.martyn.berlin
+    secretName: cryptpad-safe-tls
diff --git a/apps-kustomized/cryptpad/pvc.yaml b/apps-kustomized/cryptpad/pvc.yaml
new file mode 100644
index 0000000..8a8c4d3
--- /dev/null
+++ b/apps-kustomized/cryptpad/pvc.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-blob
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2500Mi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-block
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2500Mi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-config
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-customize
+  namespace: cryptpad
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-data
+  namespace: cryptpad
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2500Mi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-datasource
+  namespace: cryptpad
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-datastore
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
diff --git a/apps-kustomized/cryptpad/service.yaml b/apps-kustomized/cryptpad/service.yaml
new file mode 100644
index 0000000..1a017e8
--- /dev/null
+++ b/apps-kustomized/cryptpad/service.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad
+spec:
+  ports:
+  - name: http
+    port: 3000
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: cryptpad
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-safe
+spec:
+  ports:
+  - name: http-safe
+    port: 3001
+  selector:
+    app.kubernetes.io/name: cryptpad