diff --git a/basic/apps/stackspout/do/vikunja-oauth-client.yaml b/basic/apps/stackspout/do/vikunja-oauth-client.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..db05121c5c5e669edb801c852f9cf1048e99bab4
--- /dev/null
+++ b/basic/apps/stackspout/do/vikunja-oauth-client.yaml
@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: vikunja-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-vikunja-oauth-variables
+  redirectUris:
+    - https://do.${domain}/oauth/openid/
+  tokenEndpointAuthMethod: client_secret_post
diff --git a/basic/apps/stackspout/do/vikunja-release.yaml b/basic/apps/stackspout/do/vikunja-release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..98bc0a236b5e94da818f6e16ba90430e262b64fa
--- /dev/null
+++ b/basic/apps/stackspout/do/vikunja-release.yaml
@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vikunja
+  namespace: stackspout
+spec:
+  releaseName: vikunja
+  chart:
+    spec:
+      chart: vikunja
+      version: 5.5.3
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: stackspout
+  interval: 10m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-vikunja-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-vikunja-override
+      optional: true
+    - kind: Secret
+      name: stackspin-vikunja-override
+      optional: true
diff --git a/basic/apps/stackspout/do/vikunja-values-configmap.yaml b/basic/apps/stackspout/do/vikunja-values-configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cbc3f2204174c0121c3aa3676801c447671ca0ad
--- /dev/null
+++ b/basic/apps/stackspout/do/vikunja-values-configmap.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-vikunja-values
+  namespace: stackspout
+data:
+  # Defaults: https://github.com/k8s-at-home/charts/blob/master/charts/stable/vikunja/values.yaml
+  # Inherits: https://github.com/k8s-at-home/library-charts/blob/main/charts/stable/common/values.yaml
+  values.yaml: |
+    vikunja:
+      config: |-
+        auth:
+          openid:
+            # https://vikunja.io/docs/config-options/#openid
+            # Example: https://github.com/go-vikunja/api/blob/main/config.yml.sample#L289-L312
+            enabled: true
+            providers:
+              - name: Stackspin
+                authurl: "https://sso.${domain}"
+                clientid: vikunja
+                clientsecret: "${client_secret}"
+          local:
+            enabled: false
+    ingress:
+      main:
+        enabled: true
+        primary: false
+        hosts:
+          - host: "https://do.${domain}"
+            paths:
+               - path: /
+                 pathType: Prefix
+        tls:
+          - secretName: vikunja
+            hosts:
+              - "https://do.${domain}"
diff --git a/basic/apps/stackspout/vikunja-release.yaml b/basic/apps/stackspout/vikunja-release.yaml
deleted file mode 100644
index 8995cba3e191ea4cc13c5b35c00cd369dcaf445e..0000000000000000000000000000000000000000
--- a/basic/apps/stackspout/vikunja-release.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: vikunja
-  namespace: stackspout
-spec:
-  releaseName: vikunja
-  chart:
-    spec:
-      chart: vikunja
-      version: 5.5.3
-      sourceRef:
-        kind: HelmRepository
-        name: k8s-at-home
-        namespace: stackspout
-  interval: 10m
-  values:
-    # https://github.com/k8s-at-home/charts/blob/master/charts/stable/vikunja/values.yaml
-    vikunja:
-      # TODO https://vikunja.io/docs/config-options/#openid
-      config: |-
-        auth:
-          local:
-            enabled: true
-          openid:
-            enabled: true
-            providers:
-              - name: Stackspin
-                authurl: "https://sso.${domain}"
-                clientid: vikunja
-                clientsecret: "${client_secret}"
-    ingress:
-      main:
-        enabled: true
-        primary: false
-        hosts:
-          - host: do.ftt.gmbh
-            paths:
-               - path: /
-                 pathType: Prefix
-        tls:
-          - secretName: vikunja
-            hosts:
-              - do.ftt.gmbh
diff --git a/basic/install.sh b/basic/install.sh
index c2a73d00892fc367fc4fecaffd10fc5977980145..93a25ebd7063be2d56f8e501e306bd977628098b 100755
--- a/basic/install.sh
+++ b/basic/install.sh
@@ -16,3 +16,6 @@ flux create kustomization stackspout \
   --path="./basic/clusters/production/" \
   --prune=true \
   --interval=10m
+
+python ../../stackspin/install/generate_secrets.py vikunja
+python ../../stackspin/install/generate_secrets.py gitea