diff --git a/helmfile.d/pocket-id.yaml.gotmpl b/helmfile.d/dex.yaml.gotmpl similarity index 52% rename from helmfile.d/pocket-id.yaml.gotmpl rename to helmfile.d/dex.yaml.gotmpl index abada7f3..cd9559d4 100644 --- a/helmfile.d/pocket-id.yaml.gotmpl +++ b/helmfile.d/dex.yaml.gotmpl @@ -1,38 +1,37 @@ # yaml-language-server: $schema=https://www.schemastore.org/helmfile.json bases: - - ../envs/environments.yaml.gotmpl +- ../envs/environments.yaml.gotmpl repositories: -- name: anza-labs - url: https://anza-labs.github.io/charts +- name: dex + url: https://charts.dexidp.io commonLabels: tier: system releases: -- name: pocket-id - namespace: pocket-id - chart: anza-labs/pocket-id - version: 1.7.6 - condition: pocket_id.enabled +- name: dex + namespace: dex + chart: dex/dex + version: 0.19.0 + condition: dex.enabled values: - - ../values/pocket-id/values/values.yaml - - ../values/pocket-id/values/values-{{ .Environment.Name }}.yaml + - ../values/dex/values/values.yaml postRenderer: ../bin/kustomizer postRendererArgs: - - ../values/pocket-id/kustomize/{{ .Environment.Name }} + - ../values/dex/kustomize/{{ .Environment.Name }} missingFileHandler: Info - name: manifests - namespace: pocket-id + namespace: dex chart: manifests - condition: pocket_id.enabled + condition: dex.enabled missingFileHandler: Info values: - ../values/env.yaml - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml - - ../values/pocket-id/env.yaml.gotmpl - - ../values/pocket-id/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl + - ../values/dex/env.yaml.gotmpl + - ../values/dex/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl hooks: - events: [ prepare, cleanup ] showlogs: true @@ -41,5 +40,5 @@ releases: - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' - '{{`{{ .Release.Chart }}`}}' - '{{`{{ .Environment.Name }}`}}' - - ../values/pocket-id/manifests + - ../values/dex/manifests - manifests 
diff --git a/values/pocket-id/env-hel1.yaml.gotmpl b/values/dex/env-hel1.yaml.gotmpl
similarity index 59%
rename from values/pocket-id/env-hel1.yaml.gotmpl
rename to values/dex/env-hel1.yaml.gotmpl
index 69b00a01..822821bb 100644
--- a/values/pocket-id/env-hel1.yaml.gotmpl
+++ b/values/dex/env-hel1.yaml.gotmpl
@@ -1,2 +1,2 @@
-pocket_id:
+dex:
 enabled: true
diff --git a/values/pocket-id/env.yaml.gotmpl b/values/dex/env.yaml.gotmpl
similarity index 76%
rename from values/pocket-id/env.yaml.gotmpl
rename to values/dex/env.yaml.gotmpl
index f7e3cb8e..3ffe792d 100644
--- a/values/pocket-id/env.yaml.gotmpl
+++ b/values/dex/env.yaml.gotmpl
@@ -1,3 +1,3 @@
-pocket_id:
+dex:
 enabled: false
 autosync: false
diff --git a/values/dex/manifests/db.yaml b/values/dex/manifests/db.yaml
new file mode 100644
index 00000000..b21a8f78
--- /dev/null
+++ b/values/dex/manifests/db.yaml
@@ -0,0 +1,57 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: dex-db
+ namespace: dex
+spec:
+ # TODO: scale to 2 instances for HA
+ instances: 1
+ imageName: ghcr.io/cloudnative-pg/postgresql:17
+ storage:
+ resizeInUseVolumes: true
+ size: 10Gi
+---
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+ name: tos-store
+ namespace: dex
+spec:
+ retentionPolicy: "7d"
+ configuration:
+ destinationPath: s3://cnpg/dex-db
+ endpointURL: http://10.255.241.30:30080
+ s3Credentials:
+ accessKeyId:
+ name: cnpg-s3
+ key: access_key
+ secretAccessKey:
+ name: cnpg-s3
+ key: access_secret
+ wal:
+ compression: snappy
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: dex-db
+ namespace: dex
+spec:
+ schedule: "0 0 1 * * *"
+ backupOwnerReference: self
+ cluster:
+ name: dex-db
+ method: plugin
+ pluginConfiguration:
+ name: barman-cloud.cloudnative-pg.io
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: dex-db-monitor
+spec:
+ selector:
+ matchLabels:
+ cnpg.io/cluster: dex-db
+ podMetricsEndpoints:
+ - port: metrics
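Review bot: The ObjectStore's `endpointURL: http://10.255.241.30:30080` ships the Dex database's base backups and WAL to the object store in cleartext, and nothing under `configuration` enables encryption at rest; Dex keeps refresh tokens, offline sessions and its token-signing keys in that database, so the backups are as sensitive as the live cluster. If the store can serve TLS, switch the endpoint to `https://` (with `endpointCA` pointing at the store's CA secret, assuming the plugin exposes that field like the in-tree barmanObjectStore does) and consider `encryption: AES256` under `wal` and a matching `data` section if the store supports server-side encryption. The PodMonitor at the end of the hunk is also the only document without `namespace: dex` in its metadata; adding it keeps the four objects consistent regardless of how the kustomize post-renderer applies them.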
diff --git a/values/pocket-id/manifests/pocket-id.yaml b/values/dex/manifests/dex.yaml similarity index 83% rename from values/pocket-id/manifests/pocket-id.yaml rename to values/dex/manifests/dex.yaml index 2bc9eaab..e5491560 100644 --- a/values/pocket-id/manifests/pocket-id.yaml +++ b/values/dex/manifests/dex.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: pocket-id + name: dex namespace: argocd annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -10,7 +10,7 @@ metadata: - resources-finalizer.argocd.argoproj.io spec: destination: - namespace: pocket-id + namespace: dex server: https://kubernetes.default.svc project: sys sources: @@ -25,7 +25,7 @@ spec: - name: HELMFILE_ENVIRONMENT value: default - name: HELMFILE_FILE_PATH - value: pocket-id.yaml.gotmpl + value: dex.yaml.gotmpl syncPolicy: managedNamespaceMetadata: labels: @@ -33,10 +33,8 @@ spec: syncOptions: - CreateNamespace=true - ApplyOutOfSyncOnly=true - # - ServerSideApply=true - {{- if .Values.pocket_id.autosync }} + {{- if .Values.dex.autosync }} automated: prune: true - # selfHeal: false {{- end }} {{- end }} diff --git a/values/dex/values/values.yaml b/values/dex/values/values.yaml new file mode 100644 index 00000000..2d290809 --- /dev/null +++ b/values/dex/values/values.yaml 
@@ -0,0 +1,166 @@
+replicaCount: 2
+
+config:
+ issuer: https://auth.adm.hel1.obx
+ storage:
+ type: postgres
+ config:
+ host: dex-db-rw
+ port: 5432
+ database: app
+ user: $DEX_DB_USER
+ password: $DEX_DB_PASSWORD
+ ssl:
+ mode: disable
+ web:
+ http: 0.0.0.0:5556
+ oauth2:
+ skipApprovalScreen: true
+ expiry:
+ idTokens: "12h"
+ authRequests: "30m"
+ refreshTokens:
+ validIfNotUsedFor: "168h"
+ absoluteLifetime: "720h"
+
+ connectors:
+ - type: microsoft
+ id: microsoft
+ name: Microsoft
+ config:
+ clientID: "43667ac0-37e1-422f-99fc-50a699bb255c"
+ clientSecret: $MICROSOFT_CLIENT_SECRET
+ redirectURI: https://auth.adm.hel1.obx/callback
+
+ staticClients:
+ - id: dex
+ name: Dex
+ secret: $CLIENT_SECRET_DEX
+ redirectURIs:
+ - https://idp.beta.oceanbox.io/dex/callback
+ - https://idp.dev.oceanbox.io/dex/callback
+ - https://idp.oceanbox.io/dex/callback
+ - https://idp.srv.oceanbox.io/dex/callback
+
+ - id: atlantis
+ name: Atlantis
+ secret: $CLIENT_SECRET_ATLANTIS
+ redirectURIs:
+ - https://maps.beta.oceanbox.io/signin-oidc
+ - https://codex.adm.oceanbox.io/signin-oidc
+ - https://maps.oceanbox.io/signin-oidc
+ - https://oceanbox.app/signin-oidc
+ - https://atlantis.srv.oceanbox.io/signin-oidc
+
+ - id: atlantis_dev
+ name: Atlantis (dev)
+ secret: $CLIENT_SECRET_ATLANTIS_DEV
+ redirectURIs:
+ - https://maps.dev.oceanbox.io/signin-oidc
+ - https://atlantis.local.oceanbox.io:8080/signin-oidc
+ - https://codex.local.oceanbox.io:8080/signin-oidc
+ - https://simkir-maps.dev.oceanbox.io/signin-oidc
+ - https://jonas-atlantis.dev.oceanbox.io/signin-oidc
+ - https://atlantis.beta.oceanbox.io/signin-oidc
+ - https://stig-atlantis.dev.oceanbox.io/signin-oidc
+ - https://codex.local.oceanbox.io:10380/signin-oidc
+ - https://ole-atlantis.dev.oceanbox.io/signin-oidc
+ - https://bast-atlantis.dev.oceanbox.io/signin-oidc
+ - https://mrtz-atlantis.dev.oceanbox.io/signin-oidc
+ - https://codex.dev.tos.obx/signin-oidc
+ - https://simkir-codex.dev.oceanbox.io/signin-oidc
+ - https://simkir-atlantis.dev.oceanbox.io/signin-oidc
+ - https://codex.dev.oceanbox.io/signin-oidc
+
+ - id: sorcerer
+ name: Sorcerer
+ secret: $CLIENT_SECRET_SORCERER
+ redirectURIs:
+ - https://sorcerer.vtn.oceanbox.io/signin-oidc
+ - https://sorcerer.beta.ekman.oceanbox.io/signin-oidc
+ - https://sorcerer.ekman.oceanbox.io/signin-oidc
+ - https://sorcerer.data.oceanbox.io/signin-oidc
+
+ - id: sorcerer_dev
+ name: Sorcerer (dev)
+ secret: $CLIENT_SECRET_SORCERER_DEV
+ redirectURIs:
+ - https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc
+ - https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc
+ - https://stig-sorcerer.dev.vtn.obx/signin-oidc
+ - https://simkir-sorcerer.dev.vtn.obx/signin-oidc
+ - https://ole-sorcerer.ekman.oceanbox.io/signin-oidc
+ - https://sorcerer.vtn.oceanbox.io/signin-oidc
+ - https://mrtz-sorcerer.dev.vtn.obx/signin-oidc
+ - https://sorcerer.ekman.oceanbox.io/signin-oidc
+ - https://bast-sorcerer.ekman.oceanbox.io/signin-oidc
+ - https://sorcerer.data.oceanbox.io/signin-oidc
+ - https://ole-sorcerer.dev.vtn.obx/signin-oidc
+ - https://stig-sorcerer.ekman.oceanbox.io/signin-oidc
+
+envVars:
+- name: DEX_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: dex-db-app
+ key: username
+- name: DEX_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: dex-db-app
+ key: password
+- name: MICROSOFT_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-microsoft
+ key: clientSecret
+- name: CLIENT_SECRET_DEX
+ valueFrom:
+ secretKeyRef:
+ name: dex-clients
+ key: dex
+- name: CLIENT_SECRET_ATLANTIS
+ valueFrom:
+ secretKeyRef:
+ name: dex-clients
+ key: atlantis
+- name: CLIENT_SECRET_ATLANTIS_DEV
+ valueFrom:
+ secretKeyRef:
+ name: dex-clients
+ key: atlantis_dev
+- name: CLIENT_SECRET_SORCERER
+ valueFrom:
+ secretKeyRef:
+ name: dex-clients
+ key: sorcerer
+- name: CLIENT_SECRET_SORCERER_DEV
+ valueFrom:
+ secretKeyRef:
+ name: dex-clients
+ key: sorcerer_dev
+
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ hosts:
+ - host: auth.adm.hel1.obx
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: auth.adm.hel1.obx-tls
+ hosts:
+ - auth.adm.hel1.obx
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
diff --git a/values/pocket-id/values/values.yaml b/values/pocket-id/values/values.yaml
deleted file mode 100644
index 5e4f376d..00000000
--- a/values/pocket-id/values/values.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-ingress:
- enabled: true
- className: nginx
- annotations:
- cert-manager.io/cluster-issuer: ca-issuer
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/backend-protocol: HTTP
- host: auth.adm.hel1.obx
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls:
- - secretName: auth.adm.hel1.obx-tls
- hosts:
- - auth.adm.hel1.obx
-
-persistence:
- data:
- enabled: true
- accessMode: ReadWriteOnce
- size: 5Gi
-
-resources:
- limits:
- cpu: 500m
- memory: 512Mi
- requests:
- cpu: 100m
- memory: 128Mi
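Review bot: `ssl: mode: disable` under `config.storage.config` makes Dex connect to `dex-db-rw` in cleartext, so the database password from `dex-db-app` and every token and signing-key row cross the pod network unencrypted, even though CNPG serves TLS on that service and publishes its CA in the `dex-db-ca` secret it creates for the cluster. Set `mode: verify-ca` (or `verify-full`) with `caFile` pointing at a mounted `ca.crt`, mounting that secret through the chart's `volumes`/`volumeMounts` values if the 0.19.0 chart exposes them. The dev clients also re-list production callbacks — `atlantis_dev` carries `https://atlantis.beta.oceanbox.io/signin-oidc`, and `sorcerer_dev` repeats the `sorcerer.vtn`, `sorcerer.ekman` and `sorcerer.data` entries of the `sorcerer` client — which blurs the boundary between the two trust levels; each client should list only the callbacks it owns. Finally, `issuer`, the Microsoft `redirectURI` and the ingress host are all pinned to `auth.adm.hel1.obx` in this shared values file now that the helmfile no longer lists a per-environment values file, which is fine if hel1 is the only environment that enables `dex` but deserves a comment saying so.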