diff --git a/apps/linkwarden.yaml b/apps/karakeep.yaml
similarity index 84%
rename from apps/linkwarden.yaml
rename to apps/karakeep.yaml
index c54c44e..ac2af9b 100644
--- a/apps/linkwarden.yaml
+++ b/apps/karakeep.yaml
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: linkwarden
+  name: karakeep
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://github.com/gwg313/homelab-gitops
     targetRevision: main
-    path: linkwarden
+    path: karakeep
   destination:
     server: https://kubernetes.default.svc
-    namespace: linkwarden
+    namespace: karakeep
   syncPolicy:
     automated:
       selfHeal: true
diff --git a/karakeep/certificate.yaml b/karakeep/certificate.yaml
new file mode 100644
index 0000000..74019c7
--- /dev/null
+++ b/karakeep/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: karakeep-cert
+  namespace: istio-system
+spec:
+  secretName: karakeep-cert
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  dnsNames:
+    - bookmarks.gwg313.xyz
diff --git a/karakeep/chrome-deployment.yaml b/karakeep/chrome-deployment.yaml
new file mode 100644
index 0000000..69115cd
--- /dev/null
+++ b/karakeep/chrome-deployment.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: chrome
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: chrome
+  template:
+    metadata:
+      labels:
+        app: chrome
+    spec:
+      containers:
+        - name: chrome
+          image: gcr.io/zenika-hub/alpine-chrome:124
+          command:
+            - chromium-browser
+            - --headless
+            - --no-sandbox
+            - --disable-gpu
+            - --disable-dev-shm-usage
+            - --remote-debugging-address=0.0.0.0
+            - --remote-debugging-port=9222
+            - --hide-scrollbars
diff --git a/karakeep/chrome-service.yaml b/karakeep/chrome-service.yaml
new file mode 100644
index 0000000..e08355a
--- /dev/null
+++ b/karakeep/chrome-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: chrome
+spec:
+  selector:
+    app: chrome
+  ports:
+    - protocol: TCP
+      port: 9222
+      targetPort: 9222
+  type: ClusterIP
diff --git a/karakeep/data-pv.yaml b/karakeep/data-pv.yaml
new file mode 100644
index 0000000..7503bad
--- /dev/null
+++ b/karakeep/data-pv.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: karakeep-data-pv
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz:3260
+    iqn: iqn.2005-10.org.freenas.ctl:karakeep-data
+    lun: 0
+    fsType: ext4
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: karakeep-iscsi-auth
+  claimRef:
+    namespace: karakeep
+    name: karakeep-data-pvc
diff --git a/karakeep/data-pvc.yaml b/karakeep/data-pvc.yaml
new file mode 100644
index 0000000..1009bc8
--- /dev/null
+++ b/karakeep/data-pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: karakeep-data-pvc
+  namespace: karakeep
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: manual
+  volumeName: karakeep-data-pv
diff --git a/karakeep/gateway.yaml b/karakeep/gateway.yaml
new file mode 100644
index 0000000..2f2ae76
--- /dev/null
+++ b/karakeep/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: karakeep-gateway
+  namespace: karakeep
+spec:
+  selector:
+    istio: gateway
+  servers:
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      tls:
+        mode: SIMPLE
+        credentialName: karakeep-cert
+      hosts:
+        - bookmarks.gwg313.xyz
diff --git a/karakeep/iscsi-sealed.yaml b/karakeep/iscsi-sealed.yaml
new file mode 100644
index 0000000..f699aa6
--- /dev/null
+++ b/karakeep/iscsi-sealed.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: karakeep-iscsi-auth
+  namespace: karakeep
+spec:
+  encryptedData:
+    discovery.sendtargets.auth.password: AgAEYlFdPOc6eKV422ZizbztUST+9lrOvdwFMfQdaSFEtZwjI2ZKa48vNbJo+GRsMySXKBkeyCXcSlmjjpKzJhuurDfKrYRfiu3h/zZr90qCRSZVOPe+56WAvoJyyIoUdapnc8ivpTKujgVYatqnGupiysK0zfVKVlT+ZQfhFfGjc9Srxy/mwLWCanvJrPa6SNftOQnyI2We5eMisSeIStGuIxSeTTL9nPIFe5UKVQsKoJgWJw1S6CwFxzrCUlzAZ7wUsnAcSi3FuE+irIjsu4wPIlkIqPLi0Km9RHGUw6zwcHVzDNhUNul6A/nHFZ09gexuUHlF8P5jC4oOjc7RvzxOdhOljZ1+S+HIzgawI6jERuogzVT2wTmpHVUs+tXQKpYYJMIn4N2QpFcEyhQ+uP1rXx2aSnPDxjSkrkTdq8K71qJA/po668em0j9Sz8Z1F9UyS46FjVPun4Wfa1vBgO+iwV4k1nKiyldXZaheWNbjpzJrwM9cmMqFvj2vynlWvTFd7HeZ9pSV3OkbMcSBb5J5c+LXxrfCQrlY7/epjU/5dLRQaI/9kaFxb9g7vVM8zqPuFXw4xTy0dLc2eta0wktQB3/5w3q2p8YK05kic+euHU54IkwfZIlhEVyJAvefQ7B5B41OhMlFDNzioU6Q/5FxIeAM7Xz6WrZARsW60aidDZD/VFGIx4yMIfVGqu1a7AOEAIeRksHFzhYxAXOo2eJz
+    discovery.sendtargets.auth.username: AgB8E0aaZud27PYxMUS6XOqqoOJIXyOByrDOIJJvDMfTz1oW7zT19QM0GsUYV5rgyyvXnocuA86dGhg7DsqO5pXIlnuc7DU16nI3H/6j2J82EzcO72tXj5+G+3V0sha3XEn/r1jHw73mtv0ZNVKpeH+TVBE1sl+rsjOYQ1fo2K5NntmmAkpHeBUydbHEUp9rIV3GlKiS1n+xmKDm6lHAsZh3ajFvJL0dqhuaCMxJSwgLuVjD7gMUIIvKpA0wgVXTLhIYWkPUPazyHZvTiN2IjlxmaD5+U7eN+Mj9//Mw6jIpytEpEtByfSjDOKzm+T6suFXPaswMF6qlUjvOTJfK4i+OD9RcARFUrOdcG1IUQAu8UZExAGcs8ElLV0JGm8vm03tDmcY8URp57mjEi4AxQSfFtTPkI02CUvIQ4+WC+gZdHW4pbKzQ7hbpIKvt4lDZdw71AIdp1M8n1sUM729qWWmDQPkIiu+FfeyNccL582NiMrQFTm+5VyGQMISywbw7XqcbJKeh6gBN7U4weuJfIwoZBr4KNI5bpGtMBE1AdmIJgdLu7KNMLZjtSlr+vX5l4KK9R6gKIZh/nXUJJ8QCQwrahlh1RqkaUfPQ7kFwtU6JkrcouMGnKJH6frJUKehUaqSf439q+d00gdmhf/xywhOSoPVvVqKrpZKQLe60MsvREdUAM5H7+qtjaV3y312LxxWh7ZhOu6d0ew==
+    node.session.auth.password: AgAbhRWTHh9yLdRp8wHoqSst3CqVTQeI0T3f4jzKkTwEy6uLXE8/YDu3wl0T9fonUG+snZ2yRRmr2KkyouyQf89l974SqQGjxLDf/kDubTtlFuvsA5mqSVNUAysyDk38yFf4pFGjOjOJM6xh3IyJAmWsTb9awkLuQVOcWHHJMUajsHLTj1z734GusymDFNOPN5GPxYZmEG6UH4TJQ/gD6o21yzTcl5lWAzCilkXa2OQDndpjVhkToHGi1UBb7i4AgPIN1/twX+oRiEqCQ27ygsTGX3BCqjXQMP5H2l0ELRpE4KUG9N+y2v/vJMMXTznisiK55ShprjGAel5z1TSFYC/GfO40zno+GCA0qcj/JodQAQ0Ievzag/6EqGOb3Oh4/f0u2MATT8zbrrvaiSe1szO394UOiJ3CBdqMIWHD4HR4hcvWMyYIWSf2E1BpzygdHqP8okUiUavxXGyo1wcGoDgsQ27kJV64yyg3QLWG1+5xEKwQ61n9Doc0L3u0iSjj6nSrNAF8WishE2K7sFE2DN9rNqiKYswU4N78dhKV7F/CQK535PTYdUoky46uUuX7HpHmJ1X6C7d+m4o5vktt3OkbQvpSRgo9EFlSJUcCpOkplnKh5xkZLbXkbRXkY8RCymv6VzrWmf5+uPRD+n9aTlZJUmfdFM3OHNkgpQFdVwcrM5vZ9c1+SJ3GWVatGmRPoeoFh2WIBp7tn0nLkc1EAV3O
+    node.session.auth.username: AgCocUUTWHquwanS8XFfzhy1NIwnWDp67TJm8lA1Hzk2qbari4DXpZo9eypwOuqzUE8Y0g5s+Odwg8NrTxCRsipBqi2OHSukKOxtKfJpUvJ9Ad76vkMAq5wrHWMWfslw5kMFJDZ/ZBTvJxbzBMP0+v9r5mLx3kOoPKhoPXLMKuQX4l0ezapoSfrtz/hhKS5NkgWezx6O1WYUQbwqIUkErA4aquNbte14+OuwtOZKLIhoWZItg6tOALRgBArvVOP4hwP/127+ZRmC5xno4qFF/ReU07pc1zK4cFOkjikP3d32ZIr38MYDefC6AdVx17ClO7RPuWhf318XyvwoJ/IaPiR1vrPMiwDHuBSoXRzagVcMq2qm0hXwimQ94fpA5htIP07fdRmP8VeaPwq34cu/YjzbY+3iyy2DqghHI6AQ1qg7Pw8BpGY0948ozLa9tG9fG0vQuF2b+rkewZAPCa+HWcSZdZxtfrgwRfrrNRL+UHhuJiLR6FeH0qRVFCyMPSuymLpypkngQR1m9ujRL2Iy6au8SecpICo68+vVKyyruj3zifX5QVSh/MAOkT/3dTsKM+15GlvUNoWqC+YoifXQPT/XDO4htEEQb8kF3OArfBIrZuv01Z9i71cxEp5+Dsg9r6nQJZNjRGbgkbXMGTsfUI0hNCeMkpiUO+8OYz8jDjufRCLGooNiQtvgq/Tzb1iBVRH4wijMXgoZUw==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: karakeep-iscsi-auth
+      namespace: karakeep
+    type: kubernetes.io/iscsi-chap
diff --git a/karakeep/karakeep-configmap.yaml b/karakeep/karakeep-configmap.yaml
new file mode 100644
index 0000000..28411ec
--- /dev/null
+++ b/karakeep/karakeep-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: karakeep-configuration
+  namespace: karakeep
+data:
+  NEXTAUTH_URL: "https://bookmarks.gwg313.xyz"
+  KARAKEEP_VERSION: "release"
diff --git a/karakeep/karakeep-secrets-sealed.yaml b/karakeep/karakeep-secrets-sealed.yaml
new file mode 100644
index 0000000..78135d3
--- /dev/null
+++ b/karakeep/karakeep-secrets-sealed.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: karakeep-secrets
+  namespace: karakeep
+spec:
+  encryptedData:
+    MEILI_MASTER_KEY: AgAzZ+PeOkjVx8AWy66cv47//45eV6LTW0BxiNZxKKgOVsAt43Qu0KHHgxPD4bqNzzawibYEdIc7lC+uh7ymXImErFjBeeyow2ACBQEhim7L/+7+Ho9WPWIT1oX03PkFtLVOx9fqJkOPx9MDh7md7RwGG7fWPZeQF8ITwzMiFUy45roHTCwW12v1vYk/I7liE8p1v66GeLFEYBlkuI9/pYGjlxKh+onKzLvZegAkz9qQ1iFG5Fjg8WuCVrK7MWSB55hBSnX6C8ZU7Vnibp4gOSmxcBPv/ByGvUmI2bR4b1NN0zYfoUI2O2q91sxbzxfvphksFdBSeDh7Nsd6AUHmviiywmJVFmEBhDv7yOoCz/y8VuxneA8TglSlaCEEZV2e3vWjgpAFQerHjSbvg9WZ4Ju+162mM/YqIqZ0cn0wVf1WdjUBqcKAYHvCPIdkxLVcRBRSiVFT6VSLycls1aIN5nUmmgWntseVRiadxqnq0mDxjMVRlDj8u+d7qAdHQdXBDvva305mCpnkZhdlmUEGUtIOhMUYZKOw6WyN85hv8HoJ59KQcNs5NPG5IEim72BaTbd2JY/R8DpJY0rSVJXf9feX0jYKHwjFNME5SKCOk7sPnki4v5a/47cl6hpfTNEt48mC2dfGRLQXh44mfngED18aRedw0838nhO+ygqpf+i1v9K0fGjXdmj0ZwWxMznuvgZ59uqAPdSlHtzL8FaO8TBq
+    NEXT_PUBLIC_SECRET: AgCjOcEZDOdjBdsirl8x2x0jlMgUEOl2X0WdL9BgLcvs1ZTlc6WrXMJGoBtYc9fUAXMTbLDtGbbCzOR3SQljreY8r0T5RfU/eysB0w1bTBL9VcdO/0Rq8CLomCKMXikG8Yt36s0QGSW9romggGEmh0JYIwq3zdifk9RRjennSqs8Bk3gvyCAnGpiqufl7dNUKWaTFGTcvTCL25VrHxK7qleTe3CaNdAMPMFhiZfpMShwae2wEv+a+ZAmjeAtbarmle8/+gxxFgYUAXIcCn/XGtBfKr40qTEvYKsgfliSXZPvfabCHYNBcUqAHF7CQBitddvGzhSld8tmp1P12La/vJyXTBNb7Vs+dzDxT736QsaJC/BLwT4XiJpmv050XsWER2ZrbNoORe3Ez9eOxfMsBk65rjutS09NK5V6NgspWc2zR2EkGymZz5Xfj4vlscumxQfgdncab031rppZNsQAX/6TclQpwY+bmeRVM1/qOFyJNc1lt0Ad43SWK4QUryt/QMuoVt6GvOdCEjZdQkZUXA5d3dx1R7qptRnyHZkXfYe9eQdwUV6yssUECvUYxWX2XLvFtP1IFbmgQ1ygYIeUnHNrVUmckEFNV89v18iO96yeamu9x9ZtAFLOgTFt/ULTLgDkk2xc1iiLl0mxWSmMo3QLBkQK4rgN6sfxzsUaiaZCnnHV6LBTjFEJAxLGJX8XMbOkoy0WIytUcGlr7pAFwbJ7
+    NEXTAUTH_SECRET: AgCk7UnQ1Vstj5g8iVj4BTt9tsSahbVxVmaGmvAhqv81OPemMbLZtl3Uu6S/Apqi2OvY4D8dblmiLu1FZQH2Pbfimjrc9JD088Ar5zmUHw7vGu2WLRQH72FwQKvPOpOOpJo1U/YPw9wQcZKBBJx8KmWPAMy24WZk2hClBaRotSmvut/kc5cW8hliEJ9tuoNxpAVA79GH9VyAvYccZfRnfH/v9lYCZ5Q4Herwk8/do+FPHxfjWMhpPekAvlGRcnpyRvbdcXhxzTLRypQrXsnC7jzmu5muXLiBav5oihpJJXr2tdG0BFd8OlP4VrPPSTwk5MY5xGDU7V3Iyja+NBG4Wpfd/vL3yX9FRiUOpBqW6Vjhz/ViXPZfdC1omfBcVe3VN8iRRTu9u08cDvjpb6sVHV23GvuZmaHbO+PERlTHTABqEw+IscbNzZyvCtO3dy85acyhN2Ahh+JrJp6Z5YXoiutQwixz8966ILuoHVoKhCt11OzYZnrVPFM+qg+3DbQ6KFC8whIg9LQSyGnWy+l4eTBfMfnf14/beVDR25ZC1eVYj98YwcvLL0ZjOAksb48iY8bMAYVptk+ukXuCNgPWbPlSe/yBgQDghgrmbEUPtmbfiZS3vdVi+HKv36xznmfcUmeaV6MIfayWCZMIB3cUQjCLkv+yijCgfPWIGjyvCwASLA5Irm+CVC7UhS70dOy06OxMe8IJxbd1lWLvQewyNNz+
+  template:
+    metadata:
+      creationTimestamp: null
+      name: karakeep-secrets
+      namespace: karakeep
+    type: Opaque
diff --git a/karakeep/meilisearch-deployment.yaml b/karakeep/meilisearch-deployment.yaml
new file mode 100644
index 0000000..cf9ec5d
--- /dev/null
+++ b/karakeep/meilisearch-deployment.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: meilisearch
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: meilisearch
+  template:
+    metadata:
+      labels:
+        app: meilisearch
+    spec:
+      containers:
+        - name: meilisearch
+          image: getmeili/meilisearch:v1.11.1
+          env:
+            - name: MEILI_NO_ANALYTICS
+              value: "true"
+          volumeMounts:
+            - mountPath: /meili_data
+              name: meilisearch
+          envFrom:
+            - secretRef:
+                name: karakeep-secrets
+            - configMapRef:
+                name: karakeep-configuration
+      volumes:
+        - name: meilisearch
+          persistentVolumeClaim:
+            claimName: karakeep-meilisearch-pvc
diff --git a/karakeep/meilisearch-pv.yaml b/karakeep/meilisearch-pv.yaml
new file mode 100644
index 0000000..3fc2810
--- /dev/null
+++ b/karakeep/meilisearch-pv.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: karakeep-meilisearch-pv
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz:3260
+    iqn: iqn.2005-10.org.freenas.ctl:karakeep-meilisearch
+    lun: 1
+    fsType: ext4
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: karakeep-iscsi-auth
+  claimRef:
+    namespace: karakeep
+    name: karakeep-meilisearch-pvc
diff --git a/karakeep/meilisearch-pvc.yaml b/karakeep/meilisearch-pvc.yaml
new file mode 100644
index 0000000..4dd8ca7
--- /dev/null
+++ b/karakeep/meilisearch-pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: karakeep-meilisearch-pvc
+  namespace: karakeep
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: manual
+  volumeName: karakeep-meilisearch-pv
diff --git a/karakeep/meilisearch-service.yaml b/karakeep/meilisearch-service.yaml
new file mode 100644
index 0000000..373384e
--- /dev/null
+++ b/karakeep/meilisearch-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: meilisearch
+spec:
+  selector:
+    app: meilisearch
+  ports:
+    - protocol: TCP
+      port: 7700
+      targetPort: 7700
\ No newline at end of file
diff --git a/karakeep/namespace.yaml b/karakeep/namespace.yaml
new file mode 100644
index 0000000..00658da
--- /dev/null
+++ b/karakeep/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: karakeep
diff --git a/karakeep/virtualservice.yaml b/karakeep/virtualservice.yaml
new file mode 100644
index 0000000..e14f736
--- /dev/null
+++ b/karakeep/virtualservice.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: karakeep
+  namespace: karakeep
+spec:
+  hosts:
+    - bookmarks.gwg313.xyz
+  gateways:
+    - karakeep-gateway
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: karakeep-web
+            port:
+              number: 80
diff --git a/karakeep/web-deployment.yaml b/karakeep/web-deployment.yaml
new file mode 100644
index 0000000..294a97f
--- /dev/null
+++ b/karakeep/web-deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: karakeep-web
+  template:
+    metadata:
+      labels:
+        app: karakeep-web
+    spec:
+      containers:
+        - name: web
+          image: ghcr.io/karakeep-app/karakeep
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 3000
+          env:
+            - name: MEILI_ADDR
+              value: http://meilisearch:7700
+            - name: BROWSER_WEB_URL
+              value: http://chrome:9222
+            - name: DATA_DIR
+              value: /data
+            # Add OPENAI_API_KEY to the ConfigMap if necessary
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          envFrom:
+            - secretRef:
+                name: karakeep-secrets
+            - configMapRef:
+                name: karakeep-configuration
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: karakeep-data-pvc
diff --git a/karakeep/web-service.yaml b/karakeep/web-service.yaml
new file mode 100644
index 0000000..67fb026
--- /dev/null
+++ b/karakeep/web-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: karakeep-web
+spec:
+  selector:
+    app: karakeep-web
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 3000
+  type: LoadBalancer