diff --git a/argocd/manager-app.yaml b/argocd/manager-app.yaml
new file mode 100644
index 0000000..1197c62
--- /dev/null
+++ b/argocd/manager-app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: manager
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
+ targetRevision: main
+ path: manager
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/manager/deployment.yaml b/manager/deployment.yaml
new file mode 100644
index 0000000..cf2aca4
--- /dev/null
+++ b/manager/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: manager
+ namespace: manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: manager
+ template:
+ metadata:
+ labels:
+ app: manager
+ spec:
+ serviceAccountName: manager
+ containers:
+ - name: manager
+ image: git.lunarfront.tech/ryan/lunarfront-manager:latest
+ ports:
+ - containerPort: 3000
+ env:
+ - name: PORT
+ value: "3000"
+ - name: DO_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: manager-secrets
+ key: do-api-token
+ - name: DO_DB_CLUSTER_ID
+ valueFrom:
+ secretKeyRef:
+ name: manager-secrets
+ key: do-db-cluster-id
+ - name: GIT_SSH_KEY
+ valueFrom:
+ secretKeyRef:
+ name: manager-secrets
+ key: git-ssh-key
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: manager-secrets
+ key: database-url
+ - name: DOADMIN_DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: manager-secrets
+ key: doadmin-database-url
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 3000
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 3000
+ initialDelaySeconds: 5
+ periodSeconds: 10
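Review bot: `project: default` in argocd/manager-app.yaml puts this Application in Argo CD's built-in project, which, unless it has been tightened in this cluster, places no limit on source repositories, destination namespaces or cluster-scoped resource kinds. The chart at `path: manager` already writes outside the `manager` destination namespace (rbac.yaml in this commit creates Roles in `pgbouncer` and `argocd`), and with `automated` sync plus `prune`/`selfHeal` every push to `main` is applied without a further gate. I would create a dedicated AppProject whose `sourceRepos` lists only this chart repository and whose `destinations` lists just `manager`, `pgbouncer` and `argocd`, and reference it here, e.g. `project: manager` (the project name is a suggestion).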
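Review bot: The `manager` container in manager/deployment.yaml receives five values from `manager-secrets` (DigitalOcean API token, Git SSH key, two database URLs, cluster id) but is started from the mutable `:latest` tag and has no `securityContext`. Whatever is pushed to that tag next runs with those secrets and the `manager` service account after the following pod restart, and nothing in the pod spec constrains root, privilege escalation or capabilities. I would pin the image to a digest or an immutable release tag and add a restrictive container `securityContext` as below. `runAsNonRoot` assumes the image declares a non-root user, and `readOnlyRootFilesystem` may need an `emptyDir` mount if the process writes the SSH key to disk; neither is visible in this diff.

```yaml
      containers:
        - name: manager
          # pin to an immutable reference; <digest> is a placeholder
          image: git.lunarfront.tech/ryan/lunarfront-manager@sha256:<digest>
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, env, resources, probes …
```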
diff --git a/manager/ingress.yaml b/manager/ingress.yaml
new file mode 100644
index 0000000..333fdf4
--- /dev/null
+++ b/manager/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: manager
+ namespace: manager
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: "173.174.129.105/32"
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: manager.lunarfront.tech
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: manager
+ port:
+ number: 3000
+ tls:
+ - secretName: manager-lunarfront-tech-tls
+ hosts:
+ - manager.lunarfront.tech
diff --git a/manager/rbac.yaml b/manager/rbac.yaml
new file mode 100644
index 0000000..50246dc
--- /dev/null
+++ b/manager/rbac.yaml
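Review bot: The `whitelist-source-range` annotation in manager/ingress.yaml is the only access control visible for this host, and it is only effective if ingress-nginx sees the real client address. If the controller sits behind a load balancer that rewrites the source IP, the `173.174.129.105/32` match is evaluated against the balancer's address instead; that setup (proxy protocol, or `externalTrafficPolicy: Local` on the controller Service) is outside this diff and worth confirming. The file also has no comment saying whose address this is or who updates it when it changes; I would add one above the annotation, e.g. `# allowlist: single operator egress IP; the app must still authenticate requests`.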
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: manager
+ namespace: manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-pgbouncer
+ namespace: pgbouncer
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["pgbouncer-config"]
+ verbs: ["get", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["pgbouncer-userlist"]
+ verbs: ["get", "patch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: ["pgbouncer"]
+ verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: manager-pgbouncer
+ namespace: pgbouncer
+subjects:
+ - kind: ServiceAccount
+ name: manager
+ namespace: manager
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: manager-pgbouncer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-argocd
+ namespace: argocd
+rules:
+ - apiGroups: ["argoproj.io"]
+ resources: ["applications"]
+ verbs: ["get", "create", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: manager-argocd
+ namespace: argocd
+subjects:
+ - kind: ServiceAccount
+ name: manager
+ namespace: manager
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: manager-argocd
diff --git a/manager/service.yaml b/manager/service.yaml
new file mode 100644
index 0000000..8e83b60
--- /dev/null
+++ b/manager/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: manager
+ namespace: manager
+spec:
+ selector:
+ app: manager
+ ports:
+ - port: 3000
+ targetPort: 3000
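Review bot: The `manager-argocd` Role in manager/rbac.yaml grants `create` and `delete` on every `applications` object in the `argocd` namespace, which is far broader than the name-scoped `manager-pgbouncer` Role above it. Kubernetes RBAC cannot restrict `create` by `resourceNames`, and an Application created in Argo CD's own namespace may reference any AppProject, so the `manager` service account effectively inherits whatever the least restricted project permits. `delete` likewise covers Applications this service did not create, including its own `manager` Application. I would move the Applications this service manages into a dedicated namespace tied to a restricted AppProject through `sourceNamespaces` (this needs Argo CD's applications-in-any-namespace feature enabled), or at minimum lock down the `default` project and add a comment on the rule stating which Applications the service is expected to create and remove.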
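Review bot: The ClusterIP Service in manager/service.yaml makes port 3000 reachable from every pod in the cluster, so the source-IP allowlist on the Ingress does not apply to in-cluster callers. No NetworkPolicy for the `manager` namespace is part of this commit. I would add one that admits traffic to `app: manager` only from the ingress controller's namespace, as sketched below. The namespace value is a placeholder because the controller's namespace is not shown here, and the policy only takes effect if the cluster's CNI enforces NetworkPolicy.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: manager-ingress-only
  namespace: manager
spec:
  podSelector:
    matchLabels:
      app: manager
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # placeholder: namespace where ingress-nginx runs
              kubernetes.io/metadata.name: "<ingress-controller-namespace>"
      ports:
        - protocol: TCP
          port: 3000
```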