diff --git a/helmfile.d/pocket-id.yaml.gotmpl b/helmfile.d/pocket-id.yaml.gotmpl new file mode 100644 index 00000000..abada7f3 --- /dev/null +++ b/helmfile.d/pocket-id.yaml.gotmpl @@ -0,0 +1,45 @@ +# yaml-language-server: $schema=https://www.schemastore.org/helmfile.json + +bases: + - ../envs/environments.yaml.gotmpl + +repositories: +- name: anza-labs + url: https://anza-labs.github.io/charts + +commonLabels: + tier: system + +releases: +- name: pocket-id + namespace: pocket-id + chart: anza-labs/pocket-id + version: 1.7.6 + condition: pocket_id.enabled + values: + - ../values/pocket-id/values/values.yaml + - ../values/pocket-id/values/values-{{ .Environment.Name }}.yaml + postRenderer: ../bin/kustomizer + postRendererArgs: + - ../values/pocket-id/kustomize/{{ .Environment.Name }} + missingFileHandler: Info +- name: manifests + namespace: pocket-id + chart: manifests + condition: pocket_id.enabled + missingFileHandler: Info + values: + - ../values/env.yaml + - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml + - ../values/pocket-id/env.yaml.gotmpl + - ../values/pocket-id/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl + hooks: + - events: [ prepare, cleanup ] + showlogs: true + command: ../bin/helmify + args: + - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' + - '{{`{{ .Release.Chart }}`}}' + - '{{`{{ .Environment.Name }}`}}' + - ../values/pocket-id/manifests + - manifests diff --git a/npins/default.nix b/npins/default.nix index 884fc8cc..64a22799 100644 --- a/npins/default.nix +++ b/npins/default.nix @@ -1,3 +1,4 @@ +_: /* This file is provided under the MIT licence: diff --git a/shell.nix b/shell.nix index 575f88e7..934ec381 100644 --- a/shell.nix +++ b/shell.nix 
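Review bot: The `pocket-id` release in helmfile.d/pocket-id.yaml.gotmpl pulls the identity provider's chart from a third-party repository and pins it only by the version string `version: 1.7.6`, so nothing checks that the archive served for that version is the one that was reviewed. If the publisher signs its charts, adding `verify: true` to the release makes Helm check provenance before install. Otherwise, mirroring the chart into a registry the team controls and referencing it by digest gives the same assurance. Whether anza-labs publishes provenance files is not visible in this diff, so confirm that before enabling verification.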
@@ -35,12 +35,15 @@ pkgs.mkShellNoCC { # pkgs.renovate # pkgs.graphviz # pkgs.hubble - # pkgs.dapr-cli + pkgs.cilium-cli + pkgs.dapr-cli ]; # Environment variables - ARGOCD_ENV_CLUSTER_NAME = "ekman"; + ARGOCD_ENV_CLUSTER_NAME = "hel1"; HELM_GIT_ACCESS_TOKEN = "glpat-xxx"; + API_SERVER_IP = "localhost"; + API_SERVER_PORT = "7445"; # Alternative shells passthru = pkgs.lib.mapAttrs (name: value: pkgs.mkShellNoCC (value // { inherit name; })) { diff --git a/values/pocket-id/env-hel1.yaml.gotmpl b/values/pocket-id/env-hel1.yaml.gotmpl new file mode 100644 index 00000000..69b00a01 --- /dev/null +++ b/values/pocket-id/env-hel1.yaml.gotmpl @@ -0,0 +1,2 @@ +pocket_id: + enabled: true diff --git a/values/pocket-id/env.yaml.gotmpl b/values/pocket-id/env.yaml.gotmpl new file mode 100644 index 00000000..8217e93f --- /dev/null +++ b/values/pocket-id/env.yaml.gotmpl @@ -0,0 +1,4 @@ +pocket_id: + enabled: false + autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }} + env: {{ .Environment.Name }} diff --git a/values/pocket-id/manifests/pocket-id.yaml b/values/pocket-id/manifests/pocket-id.yaml new file mode 100644 index 00000000..d389a6d6 --- /dev/null +++ b/values/pocket-id/manifests/pocket-id.yaml 
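Review bot: In shell.nix, the attribute set this hunk extends already holds `HELM_GIT_ACCESS_TOKEN = "glpat-xxx";`, and mkShell attributes are written to the world-readable Nix store as well as to git, so that placeholder must never be replaced with a real token in this file. A comment above it such as `# placeholder only: export the real token in your own shell, never commit it here` would make that explicit now that more environment variables sit beside it. The new `ARGOCD_ENV_CLUSTER_NAME = "hel1";` also changes which cluster's value files every local render selects by default, which deserves a one-line comment. The mkShellNoCC call starts and ends outside the hunk.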
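Review bot: `env: {{ .Environment.Name }}` in values/pocket-id/env.yaml.gotmpl renders the environment name as a bare scalar, so a name that YAML reads as a boolean, number or null would change type before it reaches the chart; `env: {{ .Environment.Name | quote }}` avoids that. The same pattern appears in values/pocket-id/manifests/pocket-id.yaml at `name: {{ .Values.pocket_id.env }}-pocket-id`, `repoURL: {{ .Values.clusterConfig.manifests }}` and the two templated plugin `value:` lines. The plugin env values presumably have to be strings, so `| quote` fits there too, with the whole value quoted on the `name:` line.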
@@ -0,0 +1,42 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: {{ .Values.pocket_id.env }}-pocket-id
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: pocket-id
+ server: https://kubernetes.default.svc
+ project: aux
+ sources:
+ - repoURL: {{ .Values.clusterConfig.manifests }}
+ targetRevision: HEAD
+ path: helmfile.d
+ plugin:
+ name: helmfile-cmp
+ env:
+ - name: CLUSTER_NAME
+ value: {{ .Values.clusterConfig.cluster }}
+ - name: HELMFILE_ENVIRONMENT
+ value: {{ .Values.pocket_id.env }}
+ - name: HELMFILE_FILE_PATH
+ value: pocket-id.yaml.gotmpl
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ # - ServerSideApply=true
+ {{- if .Values.pocket_id.autosync }}
+ automated:
+ prune: true
+ # selfHeal: false
+ {{- end }}
+{{- end }}
diff --git a/values/pocket-id/values/values-prod.yaml b/values/pocket-id/values/values-prod.yaml
new file mode 100644
index 00000000..5e4f376d
--- /dev/null
+++ b/values/pocket-id/values/values-prod.yaml
@@ -0,0 +1,29 @@
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ host: auth.adm.hel1.obx
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: auth.adm.hel1.obx-tls
+ hosts:
+ - auth.adm.hel1.obx
+
+persistence:
+ data:
+ enabled: true
+ accessMode: ReadWriteOnce
+ size: 5Gi
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
diff --git a/values/pocket-id/values/values.yaml b/values/pocket-id/values/values.yaml
new file mode 100644
index 00000000..9c60e566
--- /dev/null
+++ b/values/pocket-id/values/values.yaml
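Review bot: The Application in values/pocket-id/manifests/pocket-id.yaml carries `resources-finalizer.argocd.argoproj.io`, so deleting it cascades to every resource it manages, and values-prod.yaml in this same commit puts the identity provider's data on a PVC. Outside prod the `automated:` block adds `prune: true` on top of that. If the stored identity data must survive an accidental disable or removal, annotate the PVC with `argocd.argoproj.io/sync-options: Delete=false,Prune=false` through the kustomize overlay the release already runs, and record the intent in a comment next to the finalizer. Whether the chart or the storage class already retains the volume is not visible here.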
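Review bot: `nginx.ingress.kubernetes.io/backend-protocol: HTTP` in values/pocket-id/values/values-prod.yaml means TLS ends at the ingress controller and the identity provider pod accepts plain HTTP, so any workload that can reach the pod directly skips the TLS redirect and can supply its own forwarded headers. Nothing in this commit restricts traffic into the `pocket-id` namespace. A NetworkPolicy that admits only the ingress controller, shipped through the `manifests` release or the kustomize overlay, would close that path. Whether a cluster-wide default-deny policy already covers it is not visible from this diff. Separately, `pathType: ImplementationSpecific` could be `pathType: Prefix` so that path matching does not depend on the controller.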
@@ -0,0 +1,2 @@
+ingress:
+ enabled: false