diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml
index 06215b6..a2ad357 100644
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -14,16 +14,16 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.8.3
+    version: 0.8.4
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.119.0
+    newTag: v1.119.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.119.0
+    newTag: v1.119.1
 
 
 patches:
diff --git a/infrastructure/argocd/argocd-cmd-params.configmap.yaml b/infrastructure/argocd/argocd-cmd-params.configmap.yaml
new file mode 100644
index 0000000..c0d45be
--- /dev/null
+++ b/infrastructure/argocd/argocd-cmd-params.configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+data:
+  server.insecure: "true"
\ No newline at end of file
diff --git a/infrastructure/argocd/argocd.configmap.yaml b/infrastructure/argocd/argocd.configmap.yaml
index 3b3466c..5b2345f 100644
--- a/infrastructure/argocd/argocd.configmap.yaml
+++ b/infrastructure/argocd/argocd.configmap.yaml
@@ -3,4 +3,7 @@ kind: ConfigMap
 metadata:
   name: argocd-cm
 data:
-  kustomize.buildOptions: --enable-helm
\ No newline at end of file
+  kustomize.buildOptions: --enable-helm
+  # switch to annotation based resource tracking as per
+  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
+  application.resourceTrackingMethod: annotation+label
diff --git a/infrastructure/argocd/ingress.yaml b/infrastructure/argocd/ingress.yaml
index 4a8fe01..c3e1b55 100644
--- a/infrastructure/argocd/ingress.yaml
+++ b/infrastructure/argocd/ingress.yaml
@@ -9,18 +9,9 @@ spec:
   routes:
     - kind: Rule
       match: Host(`argocd.kluster.moll.re`)
-      priority: 10
-      services:
-      - name: argocd-server
-        port: 443
-        scheme: https
-    - kind: Rule
-      match: Host(`argocd.kluster.moll.re`) && Header(`Content-Type`, `application/grpc`)
-      priority: 11
       services:
       - name: argocd-server
         port: 80
-        scheme: h2c
 
   tls:
     certResolver: default-tls
diff --git a/infrastructure/argocd/kustomization.yaml b/infrastructure/argocd/kustomization.yaml
index e312475..6ba5b76 100644
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -3,16 +3,19 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
   - namespace.yaml
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.12.6/manifests/install.yaml
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml
   - argocd-oauth.sealedsecret.yaml
 
+components:
+  - https://github.com/argoproj-labs/argocd-extensions/manifests
 
 patches:
-  - path: known-hosts.configmap.yaml
   - path: argocd.configmap.yaml
+  - path: known-hosts.configmap.yaml
   - path: argocd-oauth.configmap.yaml
   - path: argocd-rbac.configmap.yaml
+  - path: argocd-cmd-params.configmap.yaml
diff --git a/infrastructure/argocd/namespace.yaml b/infrastructure/argocd/namespace.yaml
index a040f2b..54a3717 100644
--- a/infrastructure/argocd/namespace.yaml
+++ b/infrastructure/argocd/namespace.yaml
@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: argocd
+  labels:
+    pod-security.kubernetes.io/enforce: privileged