diff --git a/apps/design-kustomization.yaml b/apps/design-kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6b2ca020b39cdc49046d4a55a0a443569097c9b6
--- /dev/null
+++ b/apps/design-kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-design
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/design
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
diff --git a/apps/design/kustomization.yaml b/apps/design/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..60568458f0ab03227a1412e69a7432250cabf2b4
--- /dev/null
+++ b/apps/design/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - penpot-kustomization.yaml
+  - penpot-secrets-kustomization.yaml
diff --git a/apps/design/penpot-kustomization.yaml b/apps/design/penpot-kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..47db6283db478c3db10f809643bf26473d6c43a9
--- /dev/null
+++ b/apps/design/penpot-kustomization.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: penpot
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/design/penpot
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: penpot-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-penpot-kustomization-variables
+      - kind: Secret
+        name: stackspin-penpot-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-penpot-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables
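Review bot: The OAuth variables this Kustomization consumes are named just `client_id` and `client_secret` (from `stackspin-penpot-oauth-variables`), which is generic enough to collide with a same-named key in any other listed source, and as far as I recall Flux merges `substituteFrom` entries in list order with later ones overriding earlier ones, so a `client_id` in `stackspin-single-sign-on-kustomization-variables` (listed last) would silently replace penpot's. Either list the OAuth secret last or, better, give the fields penpot-specific names such as `penpot_oauth_client_secret` in the StringSecret and the values template. A comment above the `# OIDC` entry stating what each source is expected to provide would also make this reviewable, e.g. `# stackspin-penpot-oauth-variables: client_id/client_secret for the Hydra OAuth2Client; single-sign-on variables: presumably hydra_domain`.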
diff --git a/apps/design/penpot-secrets-kustomization.yaml b/apps/design/penpot-secrets-kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3e3495ca0571ec71a0e4e89cb083fa5cdd69f7f4
--- /dev/null
+++ b/apps/design/penpot-secrets-kustomization.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: penpot-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/design/penpot-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
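Review bot: `prune: true` on a Kustomization whose only payload is StringSecret generators means that dropping `apps/design` from Git deletes the StringSecret objects, and if the generated Secrets carry an owner reference to them (which is how the mittwald secret-generator behaves as far as I know) the OAuth client secret and the generated `password` are garbage-collected with them and cannot be regenerated to the same value, so any database or Hydra client already initialised with them breaks. If that is acceptable, say so explicitly; otherwise set `prune: false` here and add a comment such as `# prune disabled: generated secrets must survive removal of the app from Git`. Note also that this Kustomization has no `retryInterval`, unlike `penpot-kustomization.yaml`, so a transient failure waits the full `interval` before retrying.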
diff --git a/apps/design/penpot-secrets/penpot-kustomization-variables.yaml b/apps/design/penpot-secrets/penpot-kustomization-variables.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..294ee38500ea343c977a53dde7f43996432adca9
--- /dev/null
+++ b/apps/design/penpot-secrets/penpot-kustomization-variables.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-penpot-kustomization-variables
+  namespace: flux-system
+data:
+  penpot_domain: design.${domain}
diff --git a/apps/design/penpot-secrets/penpot-oauth-secret.yaml b/apps/design/penpot-secrets/penpot-oauth-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4fe94bfa46743a0a638e7e3ba992a59d3b0876ce
--- /dev/null
+++ b/apps/design/penpot-secrets/penpot-oauth-secret.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-penpot-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: penpot
+  fields:
+  - fieldName: client_secret
+    length: "32"
diff --git a/apps/design/penpot-secrets/penpot-variables.yaml b/apps/design/penpot-secrets/penpot-variables.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b89df98fabed95c695a61f5ba45f4883ac3bc314
--- /dev/null
+++ b/apps/design/penpot-secrets/penpot-variables.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-penpot-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldName: password
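Review bot: Nothing in this change consumes the generated `password`: the values ConfigMap references `${client_id}`, `${client_secret}`, `${penpot_domain}`, `${hydra_domain}` and the mail variables, but not `${password}`, so `stackspin-penpot-variables` is substituted into the penpot Kustomization with no visible effect. If it is meant for the chart's bundled database or another component, wire it into the values (preferably via the `stackspin-penpot-override` Secret the HelmRelease already accepts) and add a comment saying what it is for; otherwise drop the resource. The field also sets no `length`, so it relies on the generator's default; state it explicitly, e.g. `length: "32"`, to match `penpot-oauth-secret.yaml` and make the strength reviewable.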
diff --git a/apps/design/penpot/penpot-oauth-client.yaml b/apps/design/penpot/penpot-oauth-client.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d3312a7785a22f1c6cd0f8d002f5ebc1337a6838
--- /dev/null
+++ b/apps/design/penpot/penpot-oauth-client.yaml
@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: penpot-oauth-client
+  # Has to live in the same namespace as the stackspin-penpot-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-penpot-oauth-variables
+  #redirectUris:
+  #  - https://${penpot_domain}/oauth/openid/
+  #tokenEndpointAuthMethod: client_secret_post
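Review bot: The client is registered with the `implicit` and `client_credentials` grants and an `id_token` response type that a browser-based OIDC login like penpot's (the values file only configures `identity_providers.oidc`) does not need; the TODO above admits the list was copied from wekan's Keycloak example. The implicit flow returns tokens in the URL fragment and is deprecated by the OAuth 2.0 Security BCP, and `client_credentials` lets anyone holding `client_secret` mint tokens with no user involved, so both only widen the impact of a leaked secret. `redirectUris` is also commented out: Hydra only redirects to registered URIs, so the callback will be rejected until one is set, and the commented `/oauth/openid/` is wekan's path, not penpot's (penpot's OIDC callback is, as far as I recall, `/api/auth/oauth/oidc/callback`; verify against the penpot docs or chart). Whether `tokenEndpointAuthMethod: client_secret_post` is required depends on how penpot sends its credentials to the token endpoint, so confirm before enabling it. Restrict the client to the code flow and register the exact callback:
```yaml
spec:
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  # … unchanged: scope, secretName …
  redirectUris:
    - https://${penpot_domain}/api/auth/oauth/oidc/callback
```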
diff --git a/apps/design/penpot/penpot-pvc.yaml b/apps/design/penpot/penpot-pvc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..24c63e2bc9377f51d11074383fc334810430909c
--- /dev/null
+++ b/apps/design/penpot/penpot-pvc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: penpot-data
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "penpot"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path
diff --git a/apps/design/penpot/penpot-release.yaml b/apps/design/penpot/penpot-release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d5a81cdac6320edce53fe13eb32a82b96d89936f
--- /dev/null
+++ b/apps/design/penpot/penpot-release.yaml
@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: penpot
+  namespace: stackspout
+spec:
+  releaseName: penpot
+  chart:
+    spec:
+      chart: penpot
+      version: 4.0.12
+      sourceRef:
+        kind: HelmRepository
+        name: truecharts
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-penpot-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-penpot-override
+      optional: true
+    - kind: Secret
+      name: stackspin-penpot-override
+      optional: true
diff --git a/apps/design/penpot/penpot-values-configmap.yaml b/apps/design/penpot/penpot-values-configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a6eb3610c2750116341de3d85bba3dd0f23e70d1
--- /dev/null
+++ b/apps/design/penpot/penpot-values-configmap.yaml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-penpot-values
+  namespace: stackspout
+data:
+  values.yaml: |
+    # TODO verify structure matches chart
+    commonLabels:
+      stackspin.net/backupSet: "penpot"
+    podLabels:
+      stackspin.net/backupSet: "penpot"
+    # TODO Configure PVC for data & database including backup labels
+    podAnnotations:
+      backup.velero.io/backup-volumes: "data"
+    persistence:
+      enabled: true
+      existingClaim: "penpot-data"
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          kubernetes.io/tls-acme: "true"
+        hosts:
+          - host: "${penpot_domain}"
+            paths:
+               - path: /
+                 pathType: Prefix
+        tls:
+          - secretName: penpot-tls
+            hosts:
+              - "${penpot_domain}"
+        integrations:
+          certManager:
+            enabled: true
+    penpot:
+      public_uri: "https://${penpot_domain}"
+      #registration_domain_whitelist: []
+      #flags:
+      #  backend_api_doc: false
+      #  cors: false
+      #  demo_users: false
+      #  demo_warning: false
+      #  insecure_register: false
+      #  log_emails: false
+      #  log_invitation_token: false
+      #  login: true
+      #  mail_verification: true
+      #  registration: true
+      #  secure_session_cookies: true
+      #  user_feedback: false
+      identity_providers:
+        oidc:
+          enabled: true
+          client_id: "${client_id}"
+          client_secret: "${client_secret}"
+          base_uri: "https://${hydra_domain}"
+          #autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'
+      smtp:
+        enabled: "${outgoing_mail_enabled}"
+        host: "${outgoing_mail_smtp_host}"
+        port: "${outgoing_mail_smtp_port}"
+        username: "${outgoing_mail_smtp_user}"
+        pass: "${outgoing_mail_smtp_password}"
+        default_from: "${outgoing_mail_from_address}"
+        default_reply_to: "${outgoing_mail_from_address}"
+
+    persistence:
+      assets:
+        enabled: true
+        mountPath: /opt/data/assets
+        targetSelectAll: true
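Review bot: `identity_providers.oidc.client_secret` and `smtp.pass` are filled by Flux postBuild substitution from Secrets, but the rendered result lands in a plain ConfigMap (`stackspin-penpot-values` in `stackspout`), so the OAuth client secret and the SMTP password become readable by anyone with ConfigMap read access in that namespace; move those two keys into a Secret consumed via `valuesFrom` (the HelmRelease already accepts a `stackspin-penpot-override` Secret) and keep only non-sensitive values here. Separately, `persistence:` is defined twice in `values.yaml` (once with `enabled`/`existingClaim`, again at the end with `assets`); duplicate mapping keys are invalid YAML and most parsers silently keep the last occurrence, which would drop the `existingClaim: "penpot-data"` binding, so merge `enabled`, `existingClaim` and `assets` under a single `persistence:` key. The quoted `enabled: "${outgoing_mail_enabled}"` also yields a string rather than a boolean; whether the chart accepts that depends on its schema, which the `TODO verify structure matches chart` note already flags as unverified.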
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index 6f591fe5e5af67110280c9bdf07a61f37a0768bf..9d4d9f76699bb3b735d8910e96705a5041bb8ae1 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -8,6 +8,6 @@ resources:
   - flow-kustomization.yaml
   - meet-kustomization.yaml
   - status-kustomization.yaml
-  #- design-kustomization.yaml #to be configured
+  - design-kustomization.yaml
   #- sprint-kustomization.yaml #charts outdated
   #- video-kustomization.yaml #missing storage