diff --git a/README.md b/README.md
index c0d66aa..6109ca8 100644
--- a/README.md
+++ b/README.md
@@ -8,16 +8,15 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+4SlRIV9wOKYZbBrPuW18K6GGjnDEviCYQvGQuKOm0
 ```
 
 ### Initial setup
-On a running (but otherwise bare) k3s instance run:
+On a running (and sealed-secrets installed) k3s instance run:
 ```
 kubectl apply -k infrastructure/argocd
 ```
 This will install argocd and CRDs in a dedicated namespace along with the app-of-apps configured under `kluster-deployments/`.
 
 The app-of-apps will bootstrap a fully featured cluster with the following components
-- postgres instance
+- postgres instance with backups
 - backup of all nfs PVCs using restic
-- traefik along with metallb as a publicly accessible reverse proxy
+- traefik (along with metallb as a publicly accessible reverse proxy)
 - an nfs-provisioner creating PVCs on-demand
-- the bitnami sealedsecrets-operator
-- a range of selfhosted apps
\ No newline at end of file
+- a range of selfhosted apps
diff --git a/infrastructure/renovate/cronjob.yaml b/infrastructure/renovate/cronjob.yaml
new file mode 100644
index 0000000..413622f
--- /dev/null
+++ b/infrastructure/renovate/cronjob.yaml
@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: renovate
+              # Update this to the latest available and then enable Renovate on
+              # the manifest
+              image: renovate/renovate:35
+              args:
+                - user/repo
+              # Environment Variables
+              env:
+                - name: LOG_LEVEL
+                  value: debug
+              envFrom:
+                - secretRef:
+                    name: renovate-env
+          restartPolicy: Never
diff --git a/infrastructure/renovate/env.sealedsecret.yaml b/infrastructure/renovate/env.sealedsecret.yaml
new file mode 100644
index 0000000..9391cb8
--- /dev/null
+++ b/infrastructure/renovate/env.sealedsecret.yaml
@@ -0,0 +1,28 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "renovate-env",
+    "namespace": "default",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "renovate-env",
+        "namespace": "default",
+        "creationTimestamp": null
+      },
+      "type": "Opaque"
+    },
+    "encryptedData": {
+      "RENOVATE_AUTODISCOVER": "AgBV0yZYR5uoD1u+QBLtg6uMj8SJtWNEnLPQpqa/yDjrcV6nUKjn4gb1CdMDUoUQ1kMytPmNgIGZSxTTUkvKS2+knFGTEBJBXTlh4a1Q8dqmXMLOtN4kSC45vz967a7eN8T8Ra3tTkNyDcTRcY/yuRpQXM8BhgLCkfUPC1eX34YcrEXgElP440ubyWo7/4FFJgLxWpnCrZrghsxL6ThQHzNpfYo/qbMzjD4vW0hlxq2dolHSwVC50GKQhgU9/1NaG9x46QybdcQDWIr1aQfUz28kU0Bmm3GOSoGHHURbZx9FYwwb8zWjrmwWBe0qw5NT/jrbsL81LU/NUgGNDyGTvsOERweI80LSKWrXDNEfGYqDRHbE2sD2XmWCmk9vWNpaICvqXOkrnLx3P61FL1xzNwLc/UZNcjPaCpQhNndCbMRs19pX6CMDkHe/9fAXhhOz28EFWjK1AG9K2xIpfpkKnfJO3lA84T/nWNBXMGnDn8Nb55i4ZaUMDCRy7VjfeRlkeJtLDMdvSaCkswa8fzEHWEVjyNXrMxD3XVTT1pQ9owyaZ2cYd4M0YlOG3D908Wni2SJnBqqu4dQx34Dhixub0qtEaiCqd8xIGjS7yTsvz3woQbPlz1kDq1o5nqUVy6fb3sZYZTdlF9KRN35PD8WCaxkjpPP+Zlq8egNxZsUvZQw50RHO0N/UElGD1E9RZHMg/ICB0w8b",
+      "RENOVATE_ENDPOINT": "AgBTArSvij1PQ6NliQ9RlVmuOs6IV6wt5xbNP/4ZK5Rs+jdBN5iYvBHq9elKtYsYNRJ9hv5FW6dVb721/wyf1hcP2Oi00hX3OQpBGKnZ2nKFIbFO5Tp3FZgCUF5O5AtkNPwx1AkhLNtxkf1ipEHOJ58HpIiIjjXGHVWs+gm/NSes/WsN7aYrUWuPHXSiXRQlTo51Lw8fTwekUXHTBZM2B80tt3UOvCvvJy2uRGxRHOQRMHb+VLA4FrI5NTT8d2oC11AB6KLpKkjAQRV9u3Ie3uuDxYFsBffWyG0+sbi7TdjXqbBosnR2C5syMu2bEbK3L/J3dxz5katdHyH0HWRmFf8RMrwRJlYedUJv/XUgb+0NFgdGy0utQwKVNfQDzRuha6GOA8aQBSNAEQ16vp/zylpTcporxH8/xAov0dY5tYST8F5bXoXJAoGhDKwulMDTq8EYC49w/QM4EtzWD/uZeMuh3SxFBse1ihqfET9QWNWU6qlzitEl0S0rQHlYcCpoFLo8wrgE7fqqP+1eAobBkZcOvgf87L4qqdlnJ6LNDz8IZc2Tiah/LU66qTYmJ8uTesaRjvULCs0taCF++1tdBqdlQV9xC6YRHitvL9ZYmlSR1MsSFjsBUebJ0+B1KojH/aEmQ+pN+WOWH8eEl8WDCLkWkLoQMWQHx6oPahSnCOYLhrmE6wP32f+wrvUY89DK9RZ04lB4Uw0jXFkXzp5gG9V1yBGITzRxlsBuvkE3k7F3SLYY",
+      "RENOVATE_GIT_AUTHOR": "AgBzxbOX4MftIgMpfvge6hYP4jkmUJdjd4bUmeHUQ4+dP2t3Iy7Vulx++/n0K+/bP7Lytu24UAWc7tlWwCWzQ/oU/gCnXjOPP2EbHsjgkTwh/LAWWoakJj4rsOh5efHmoJeGxQqJTM554wEQsrVdtxjdBpy/yhAojDli8X2ZkDwu6FqtJ0RDmkAiq1R/k9afQqvfFzIH/uPR86KFLRjoziOJid2pZchVNBJ88kdjXPeRd4ryx7HyGnU2ONtjeuc7nkF81pH2NEGocZPUz9j2/hiezhVXE0zvBOysp205Xhhjo4I4bjU7WoAzURjDVlV9Z2wuZkMhuD9NOuyOdBnfQXId7b2yGSLcJgR1BlqsreoQMmpTUs3XJvOUU9Ujd0OQz047yKPoC+fqxYUtxrv0u7UV9jWFQoXYI2sRPCr9yb0NI+0gom0uIaO8mq/Nu0lsE3SN2m2XOb/Cct0dC5XJpNM8o/o6EyP9Xkbkf1yNLrCKJxkAPwvegBgx9VXOF1y9cpl8o/BRUEBt1NI+PrXwcFxaFbHFvst0d1efwmUP5JTfleJg1t8HRYGQanEos42ptpOIVMmafh4KTN1m38f3qoEjnLO2ejqSU+QsK6O3sn/QNKSO0DCgp25dELAWKVCqkOMgHYk1tlxFDHzwGTGJSihmus2a3rErvMeo8PlL6nppXukzW07t3J1sUaXOorBQlehF8NDmG73ZdBd5lYB/jO2yAIV87fbQizx97dWS7nqpu5iq",
+      "RENOVATE_GIT_URL": "AgCnTQ8HIFoy5cTJ0/t7hMo5CW7vpzh1JWXEdr/EiQ8qkfopLg168v0MrjHlmXjSnKBu5JzWzBzLRzH0NkVp+4+ThK3o1wE0PG+GL9GKy1/pige3TrZnj8SYYV9Aznn4zQRWgj6dG2NSHaOshIfxTeOGpFXIk95kh2xowm52F4MMp8AxXmBxVnJI2Q8akphv66KtY8TUGq1iMP+obaEKeRQcHdwfDfDoOvA6KQSKC7vGlkqc653iWra9R7qBxeg0uasF7KoiOuf9rrDwE7apVviGzjBLZiFW3fKnrSqO1Jf6rC5W3fz7aGN1PecBzHv8/79JJ6B4J+OY1pEybGohwvZWYJIz2+pONB0j4ZrFhIZxj6Hau5+hmsJCd/87q5pMTUpA4e5BjcjWAAW4LR/RW1UsGaiArLUMJNxlUG0Uy0V+sAxXicgHCgSivp5WP/vJ9IoHWnHaKpHc038FJNLEXQ/jQ4DvF8b217l8yeu9mnjMCY8oCK8bqhHIPg8x1kg8DcxQDzegOl9kDE5OMHAaFxMHWwvNIv8QsiQP9irhckxzdw0wn177YJJHbhek7+7luaq3kfZRqmoS+GGZUkEoyAbPz8U8fIBODkvz9/+gg9eqn2DbIv9k5jysUv87eKOw7O4Sqyvdfvp5E8pF6WmFCBLvS4pmJOHW7tAhDrO2RrgXvQnzhkPdN2P+ZSGaz5GT2UaBg8OJvd2o+A==",
+      "RENOVATE_GIT_USERNAME": "AgBp+zgbf2Dwd40acaPGtf4zvJ2pMi/Fjj1O3pH9Ffc6EolikIAuxCy0Yls7a547sqYW2rmMDNvS9XOUL/GuaTGBXF8X5seCQiydnTbwowj0EifuL7HM5DsBvy5KQTTbCfjEW7xl5kcOf8utW+26TestS21SJdPOEBf9q6Qn0/gUBmbWKDPoX05tzzoOPJX1Y9zEU350b8mxiiVmTCtDU3oveGqLy+cwX1lnP/Bt56gInn1WtpqxxOVy2S73o2/yjuJ6VyWdYXKT/omoAOIcFtd/7r+86QSHYti5xkU8jM7r8oYbRuN3+mh34Wnx9XeCf9kFMBIJ6XVCZMZIddqDpzd8CnnNSw+iElJ2cYaSEpgYzRxQZiirVw3iOgzDkKlT0lquvSKmQZP/B2fjxR5SBKUtAj3SPpniVyglTzTZBTAwH05b4p5taQYAcy8lVBcxW+PMpgskkt8wXI/2u39AFFeFUGq+2MLVYxfOcFIUUIk5BtOXZBKrJTABJjEI8TVDjJqxcabZYNG1158hQD7tx6lhchwuh7/RveLaWNN+RzH/epsQw2gxqnTAMwdmLkqyQ6eugON2l1Pj73GTD/1zV9oSKWSCJW84rA0OayjImJa64c+0aD1D5pu9zGP46+XidIl81XVM/J7ngvBA8NYmOpKRI/peTQ5xOYQpZxi2UVY6ZrXqlMeFiAdczhSzCbOI99oCBAFJGyX72g==",
+      "RENOVATE_PLATFORM": "AgANRjXksDrKrXnoxqzAsozjkLNG+FaFfTgGYYLI1j1ZkhZbN7w02Z97+SIjOz/cYvKqRscWzPECjEeGvBF87Et33XfI+HXT0BzKo+1sPZffx8wq/S6Xj+224X91hDdZbLVFDntgJ+ibVQ9or7MWUXP2Pr/x+U3Yy6Hgg3v1/EhDRjlqI8YDSmxWKzoVz3nP7kAQMFADamuR4DBPQlpInwfkp5IfeWZVE2g/I+i5PgpieyOZDCKzSY5fDXyc27tgSHXfVJICgcO9STfMRUEMAyK1FG9X98eVpU6C9QRYLk6oo6Za+UMT5yljeuuIAZuRqhF7SGNeKnVKDGKz2hNkaRMNJsIyQAZkEpu0SDTu+PggFGe1BPYsPgbvWU2SbE+VYzNavA9Xbb+vpbgSfJS1wQXtfQojLF2pyYUl4+ddu89+kCoSComygSSFgundIF2XbbeMxje0hMCI87sHyWgJVtjEIE6OdR+Vn8WaMpIJjgsQErENqRU6FMQm5R3x3yzM5iytbU7Jvsg/ndZmBU1/kZaI51OkylPQ0rsdJm2Re6daU9LggDtQzTTEgysRVMm1iAknH7vJqXX8qv21RvcbqAKyjBKdwMQC803u+mYb4Usvgdaih3of4iRDkZYzPY1XiXKSU8LBNmB1H5NGWPWkATGw0C8NaurLVAZxBNNZeQCbyksEKOGuC1dDsx88BNHHZCh6sk493Q==",
+      "RENOVATE_TOKEN": "AgAl8Jk90zIEfukSXDpkx4ekaf63er/MwsAxU0EP0/Z8nbFAvZIuuXs3P8X4kdMwn76mmeLkb9G47D8wuGRS71qNNkU8qZi24CX+LBnWzedZV2mwklfyS9rzFiv2F6Fo0ZlfEM9tgzoEYEysVxmZ2qWYaplXU6/pGoOqTdPA2feZc47D5rvpLBYfv+asLQprXQUYGceBWWA5QmQm5rexAkoceRe+lAypBo4wMXQ0wFnF2FeBaYjxvNshKIY79tAb7p5XgkRXgKFKv4pP9iKUf+mb+1c/6B49u6ogkcxyElnv1TzLPER35lYammvQpQxlGhs7aQDK/UXkEmB3glxrzaH6u4v5u0nvnBtBKdTKFE1o0ocy70vcMjjM2tjX8zqRl5JTsTxA7KWTJ4rsUn+LaEUykafDSppV1tyhh5Q2w+6akhgaYAYtkgenj24j4zEFIZQZ8ylNucgFf4AAEM7IiMMIqFPYEsOSqeIWG4xXXRB/xkG81vJfhNHc8OUaB0+OC0yilGS7CBmBqMeoHDBTYvkEhxqQfFpgrKlicUD+tMrNNoe7dVNVw17RgMbNYHosMvYIhNYoaYTqgekyXJxWwKiiCdHGRQnEPgoNfHi164syN05FgA/VLAbttcero4HzJRShxZjiXo0WQrKy9+tOFqYmbArySp+IxjAo0ywYRky5UFRTn2tlRGq+f9tFS6iftM1UlbitN6xQHxk1ct+KQM2JySa4h6ATxLtZ32ROWg6qfe+mFGTFCf4N"
+    }
+  }
+}
diff --git a/infrastructure/renovate/kustomization.yaml b/infrastructure/renovate/kustomization.yaml
new file mode 100644
index 0000000..5db485e
--- /dev/null
+++ b/infrastructure/renovate/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+- namespace.yaml
+- env.sealedsecret.yaml
+- cronjob.yaml
+
+namespace: renovate
diff --git a/infrastructure/renovate/namespace.yaml b/infrastructure/renovate/namespace.yaml
new file mode 100644
index 0000000..1b07d0d
--- /dev/null
+++ b/infrastructure/renovate/namespace.yaml
@@ -0,0 +1,5 @@
+# namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
diff --git a/kluster-deployments/kustomization.yaml b/kluster-deployments/kustomization.yaml
index d6f2d4c..23a2abe 100644
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -9,7 +9,8 @@ resources:
   - projects.yaml
   - nfs/
   - backup/
-  - argocd-imageupdate/
+  # - argocd-imageupdate/
+  - renovate/
   - traefik/
 
   # simple apps
diff --git a/kluster-deployments/renovate/application.yaml b/kluster-deployments/renovate/application.yaml
new file mode 100644
index 0000000..8a27abe
--- /dev/null
+++ b/kluster-deployments/renovate/application.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate-application
+  namespace: argocd
+
+spec:
+  project: infrastructure
+  source:
+    repoURL: https://github.com/moll-re/k3s-infra.git
+    targetRevision: main
+    path: infrastructure/renovate
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
diff --git a/kluster-deployments/renovate/kustomization.yaml b/kluster-deployments/renovate/kustomization.yaml
new file mode 100644
index 0000000..0b082ba
--- /dev/null
+++ b/kluster-deployments/renovate/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- application.yaml
\ No newline at end of file