diff --git a/.gitignore b/.gitignore
index d1cdd50..1802146 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 secrets.yaml
+!apps/template/secrets.yaml
 infra/*/tailscale.patch.yaml
 .DS_Store
diff --git a/apps/template/configmap.yaml b/apps/template/configmap.yaml
new file mode 100644
index 0000000..e8d6f08
--- /dev/null
+++ b/apps/template/configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: app-configmap
+data:
+
\ No newline at end of file
diff --git a/apps/template/deployment.yaml b/apps/template/deployment.yaml
new file mode 100644
index 0000000..4ee8222
--- /dev/null
+++ b/apps/template/deployment.yaml
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+ labels:
+ app.kubernetes.io/name: app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: app
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: app
+ spec:
+ volumes:
+ - name: mountName
+ persistentVolumeClaim:
+ claimName: app-pvc
+ containers:
+ - name: containerName
+ image: image
+ envFrom:
+ - configMapRef:
+ name: configMap
+ - secretRef:
+ name: secrets
+ ports:
+ - containerPort: 1234
+ name: http
+ volumeMounts:
+ - name: mountName
+ mountPath: "/"
+ livenessProbe:
+ exec:
+ command:
+ - /app/pocket-id
+ - healthcheck
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 10
+ failureThreshold: 3
+ periodSeconds: 90
+ startupProbe:
+ exec:
+ command:
+ - /app/pocket-id
+ - healthcheck
+ httpGet:
+ path: /healthz
+ port: 8080
+ failureThreshold: 30
+ periodSeconds: 10
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ dnsPolicy: "ClusterFirst"
+ dnsConfig:
+ nameservers:
+ - 100.96.226.96
diff --git a/apps/template/pvc.yaml b/apps/template/pvc.yaml
new file mode 100644
index 0000000..762239a
--- /dev/null
+++ b/apps/template/pvc.yaml
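Review bot: The new `!apps/template/secrets.yaml` exception takes one file named `secrets.yaml` out of the blanket ignore, so anything a user types into the template in place will be staged like any other tracked file. The committed template has an empty `stringData:` today, but nothing keeps it that way. Naming the skeleton differently, e.g. `apps/template/secrets.example.yaml`, would let the `secrets.yaml` rule stay unconditional and make the exception unnecessary; failing that, a comment above the line such as `# template only, never put real values here` would state the intent.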
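Review bot: Both `livenessProbe` and `startupProbe` in `apps/template/deployment.yaml` carry an `exec` and an `httpGet` handler, and Kubernetes accepts only one handler per probe, so the manifest should be rejected at apply time (indentation is lost in this view, so I am assuming the two are siblings). The `exec` command `/app/pocket-id healthcheck` and `port: 8080` look copied from another app while the container exposes 1234 as `http`; I would drop the `exec` blocks and use `port: http`. `envFrom` points at `configMap` and `secrets`, but the template's own objects are named `app-configmap` and `app-secrets`, so a straight copy fails to start the container until the references are renamed. `mountPath: "/"` would put the claim over the container's root filesystem; a placeholder such as `/data` is a safer default, and `readOnlyRootFilesystem: true` would fit the rest of the `securityContext`.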
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: app-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: nfs-csi|hcloud-volumes
\ No newline at end of file
diff --git a/apps/template/secrets.yaml b/apps/template/secrets.yaml
new file mode 100644
index 0000000..ade18c8
--- /dev/null
+++ b/apps/template/secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: app-secrets
+type: Opaque
+stringData:
+
\ No newline at end of file
diff --git a/apps/template/svc.yaml b/apps/template/svc.yaml
new file mode 100644
index 0000000..9fce686
--- /dev/null
+++ b/apps/template/svc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: app
+spec:
+ type: NodePort
+ selector:
+ app.kubernetes.io/name: app
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 1234
+ name: http
\ No newline at end of file
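Review bot: `storageClassName: nfs-csi|hcloud-volumes` in `apps/template/pvc.yaml` reads as a choice between two classes, but applied as written it is a single class name that presumably does not exist, and the claim would stay Pending. I would pick one value and move the alternative into a comment, `storageClassName: nfs-csi  # or hcloud-volumes`. If `hcloud-volumes` is a single-node block class, `ReadWriteOnce` together with the Deployment's default rolling update can stall while the old pod still holds the volume, which is worth a comment in the template as well.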
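Review bot: `type: NodePort` as the default in `apps/template/svc.yaml` opens a port on every node for each app copied from the template, whether or not that app is meant to be reached from outside the cluster. Whether the nodes are reachable from untrusted networks is not visible here, so I would default to `type: ClusterIP` and let the apps that need node-level exposure opt in. `targetPort: 1234` could also be `targetPort: http`, so the Service follows the named container port instead of repeating the number.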