diff --git a/kubernetes/argocd/09_privacy/linkwarden.yaml b/kubernetes/argocd/09_privacy/linkwarden.yaml
new file mode 100644
index 000000000..3c010d4ce
--- /dev/null
+++ b/kubernetes/argocd/09_privacy/linkwarden.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: linkwarden
+ namespace: argocd
+spec:
+ destination:
+ name: ''
+ namespace: privacy
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: kubernetes/cluster/privacy/linkwarden
+ repoURL: 'https://github.com/maxim-mityutko/home-infra.git'
+ targetRevision: main
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/kubernetes/cluster/privacy/linkwarden/ingress.yaml b/kubernetes/cluster/privacy/linkwarden/ingress.yaml
new file mode 100644
index 000000000..cac9d87ba
--- /dev/null
+++ b/kubernetes/cluster/privacy/linkwarden/ingress.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: linkwarden
+ namespace: privacy
+ labels:
+ app.kubernetes.io/name: linkwarden
+ annotations:
+ kubernetes.io/ingress.class: public
+ cert-manager.io/cluster-issuer: lets-encrypt
+spec:
+ rules:
+ - host: bookmarks.brhd.io
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: linkwarden
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - bookmarks.brhd.io
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: bookmarks.brhd.io
+ namespace: privacy
+spec:
+ endpoints:
+ - dnsName: bookmarks.brhd.io
+ recordTTL: 86400
+ recordType: CNAME
+ targets:
+ - casa.brhd.io
diff --git a/kubernetes/cluster/privacy/linkwarden/kustomization.yaml b/kubernetes/cluster/privacy/linkwarden/kustomization.yaml
new file mode 100644
index 000000000..7ce34c8b1
--- /dev/null
+++ b/kubernetes/cluster/privacy/linkwarden/kustomization.yaml
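Review bot: `project: default` combined with `targetRevision: main` and `automated` sync with `prune: true` / `selfHeal: true` means every commit that reaches `main` is applied to the cluster with no further gate, under the AppProject that, unless it has been restricted elsewhere, permits any source repository and any destination. A dedicated AppProject limited to this repository and the `privacy` namespace would narrow what this Application can touch, e.g. `project: privacy` (example name, the project itself is not part of this diff). If tracking `main` is intentional, a short comment above `targetRevision` stating that branch protection is the only review gate would document the assumption.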
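Review bot: The `tls` entry for `bookmarks.brhd.io` has no `secretName`, so the `cert-manager.io/cluster-issuer: lets-encrypt` annotation has no secret to issue a certificate into and the ingress controller will presumably fall back to its default certificate for this host. If a per-host certificate is intended, add a line such as `secretName: linkwarden-tls` (example name) to that `tls` entry; if a wildcard default certificate is relied on instead, dropping the annotation makes that explicit. Separately, the `kubernetes.io/ingress.class` annotation is deprecated in favour of `spec.ingressClassName: public`.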
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secret.yaml
+ - linkwarden.yaml
+ - ingress.yaml
+ - volumes.yaml
diff --git a/kubernetes/cluster/privacy/linkwarden/linkwarden.yaml b/kubernetes/cluster/privacy/linkwarden/linkwarden.yaml
new file mode 100644
index 000000000..96ce9eac2
--- /dev/null
+++ b/kubernetes/cluster/privacy/linkwarden/linkwarden.yaml
@@ -0,0 +1,88 @@
+# Service: Linkwarden
+# Ingress: bookmarks.brhd.io
+# Label: app.kubernetes.io/name: linkwarden
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: linkwarden
+ namespace: privacy
+ labels:
+ app.kubernetes.io/name: linkwarden
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 3000
+ selector:
+ app.kubernetes.io/name: linkwarden
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: linkwarden
+ namespace: privacy
+ labels:
+ app.kubernetes.io/name: linkwarden
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: linkwarden
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 1
+ template:
+ metadata:
+ namespace: privacy
+ labels:
+ app.kubernetes.io/name: linkwarden
+ spec:
+ restartPolicy: Always
+ containers:
+ - name: linkwarden
+ image: ghcr.io/linkwarden/linkwarden:v2.8.4
+ resources:
+ requests:
+ memory: 100Mi
+ cpu: 50m
+ limits:
+ cpu: 800m
+ memory: 1Gi
+ ports:
+ - containerPort: 3000
+ envFrom:
+ - secretRef:
+ name: linkwarden
+ - configMapRef:
+ name: linkwarden
+ volumeMounts:
+ - name: linkwarden-data
+ mountPath: /data/assets
+ volumes:
+ - name: linkwarden-data
+ persistentVolumeClaim:
+ claimName: linkwarden-data
+ nodeSelector:
+ kubernetes.io/node-size: large
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: linkwarden
+ namespace: privacy
+ labels:
+ app.kubernetes.io/name: linkwarden
+data:
+ STORAGE_FOLDER: /assets
+ RE_ARCHIVE_LIMIT: "1440" # 1 day
+ ARCHIVE_TAKE_COUNT: "1"
+
+ NEXT_PUBLIC_DISABLE_REGISTRATION: "true"
+ NEXT_PUBLIC_CREDENTIALS_ENABLED: "false"
+ DISABLE_NEW_SSO_USERS: "false"
+
+ NEXT_PUBLIC_AUTHENTIK_ENABLED: "true"
+ AUTHENTIK_CUSTOM_NAME: Authentik
+ NEXTAUTH_URL: https://bookmarks.brhd.io/api/v1/auth
diff --git a/kubernetes/cluster/privacy/linkwarden/secret.yaml b/kubernetes/cluster/privacy/linkwarden/secret.yaml
new file mode 100644
index 000000000..7eb2c8ce9
--- /dev/null
+++ b/kubernetes/cluster/privacy/linkwarden/secret.yaml
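Review bot: The `linkwarden` container in the Deployment has no `securityContext` and the pod keeps the default service-account token mount, although it is exposed through the ingress class named `public` and receives the database URL and OIDC client secret through `envFrom`. Setting `allowPrivilegeEscalation: false`, dropping all capabilities and using the `RuntimeDefault` seccomp profile on the container, plus `automountServiceAccountToken: false` on the pod spec, limits what a compromised process can reach. `runAsNonRoot` and `readOnlyRootFilesystem` are left out of the suggestion because the image's user and write paths are not visible in this diff and would need checking first. The image is also pinned by tag (`v2.8.4`) rather than by digest, which is worth a follow-up.

```yaml
    spec:
      restartPolicy: Always
      automountServiceAccountToken: false
      containers:
        - name: linkwarden
          # … unchanged: image, resources, ports, envFrom, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```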
@@ -0,0 +1,19 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: linkwarden + namespace: privacy +spec: + encryptedData: + AUTHENTIK_CLIENT_ID: AgC70R47L9xMrI/g3Vy2JWeD1IX+nmq9Sg8SE98YE00qHRZ/f1fds8dodPAG7eZZooEW7cwqcCBq8J1EtKoQP5jCppXR9AIbi9Bdzq6hRwKyXFZVDJRoPXfSWd14qs9xLCaPwBHd1nHSXeTmlzuHJ0g7B5gWAfUSZ4O14cdv33xDEPrwRUhaviVneb0wBFywGuRHrgJfrFN0Fw7M+i5lTPWw2+11huwGKYiyc2N/yTjvs+LpL/+mX54T60uYcrMb0n4dy43164ed3VPbpaCw9Mz/tG9XmOcZ0kEqHHZw/vkmPttsXSOGxO2XHYd+cZ2VIUUMFoqllEK9cB/DoTZLNyhvRMiR57r3xGHT8d6bnV9oSfj6kjpcoeXY2PEm8MhK48y/GnPUXVlQghCR9AV3LcFldDOT/6pkTgQorLqOSLPLu03LmhB35lQg5bdApiE0eEzBhGbhaYBnDmagtfgvBTCCpX7krJirXAwMOGTJgdR6ncI+jzRyzI7G2BtHaEy2n61Ldg91cOnmQOSr3PKEjHTcQUAqrFikUfF0jAhH9184GT9NcqOhnb9T1WLo/IvjUUQy5bP5b0vWN5YO0lQYZvSgIWkOUmUUF1EcR9a9FJzslCaJS4qG+WdMP5QKUJPilib+SRLOFbwpvL3JtaedGTGesCMyZwH2pJdl1sreDaYjpg6twL3yWcl1V6P+xV03XEYxI60cI6cXI64iXC+QmE91XD6LnNFJxrdCUe6fLmvlP19zpxuOxuYE + AUTHENTIK_CLIENT_SECRET: AgBBZ5DWOjxVmJMzkc0N5FsUBQ8Z4RPvmvKopeusCYzrOeyrLsj9mAYp6uKtfjRsXRg90yn5vSTbnycwaThzYMzQr2s0eyP7wRIJ2w6oEJjcYaDbkHdSf8LBuqU25hlDxuC6mydQudxeuxN0ifPs+Qb65C297PtIhcGO5mw22zEm5J04WY/ngR/T+dtBO4/rMy6jJXb6LljF0+1ixI1xmwWbyKncym0MA2okISTiUgOIU+6je2ll1lsOSZw9NdwNLWL2rTfyQA/Zx8yamrhZM/OTPazGzMLjNrayCiaQnG1umy3lxRNeqMA1Zyw0NL+FP1kkkZv6A+qPmwVOAT/7lBi2wGU3bH9O1VKRYjPG1BtrjzDCD8f0Hj59GuUJ1igEZwhVsYQQZRyJZt2NZz2J+8irPg9s4irq4PvxTDc00BHSqoQszK8WFFyR+p9TWH+7RcVF5o4L/ln8SEtavAQlyac6M2Tx0eYaratCtM94WFM4K84O2BrFnAVRbRXvAQHPmkaULLgpRW2p2kNYvDxCSAh7k0Fe4nSO44fdrzxoKeqUqw0gBnn3/8cb3amAezlLRbcI9ifBduo7sifHXNuiIeffDRiieHxiVVtuSlv1F/IRS+e+TlkZV8HV4cVYKT8zTr1TzXhdhoYwVWwblkhlcOLTngdKz+ap58CLNkOyXgDEps2fpnz7wSAb6aTwkUO5E8Nbj6Blp5icsgoLUdOt28CeNvt5YfmXz0lhp62mwW4RufENbqrkeUcN0InY1H6+zMgWdHTirZ8CEbjJdBA1ePNAxXJPK5Vr8+1b29z82Z0Pdx7C86KYLGr6Jl6m0e2CEbLh5qOxLpmYaKH+Vz+1ChnWTHQJJXJWSMtGLi5GmTy4bQ== + AUTHENTIK_ISSUER: 
AgC6Fw3DXZ2L1u7vKyBA1LBtuR8WLrmJ77bRRZbAo3qMmrG0fdU/kvh8+XdBPNbFG6aG7co+EudKl8IB+Mp7XswQMqYIcgfPVZVFSESWiYOCh0buqNAryh50WTUWmIyrQWkLzqZP6ABicmWZKHsnxyQvMUURHAtsb42dYKHBr9ddZLYXyCDJvA1WehVcYcvzLCAN6HqOmdvUByTe8rSC8F1tkP17uoxCdbc0B6mu4w1PRAlFjUy92c+7tiVuqgo+GAcnuQ8dOb+hXVsQHiCMJm3ucNzEQwUFhkTYq8h4yc/HUd9ieZo2w1V18Q3CN56IpAgKf9DvWTDTZzlNIQIpsf1cUkqQ9+00NbEx0yceVUR08CdlhhUGFiLKLXZYtJHum3dfOyGU3895nb1xrn6I3beYuyMkENgkvEyg+hiDpX7H+WdDrJW/RwKIEIl00I5vhg2Kkp9HLtp9Uz/7FcusM8CdnqvzBh98Io3EwB+K3AYBTeOuT7byDRDc2Ap9gKCHYkkQwASR7huezM0N/ObUPFLR4S9j758+SzHHEvcdgNKQpwCAgB7Xxq0oB7NEChdG4bq8Ga//Hr/AzIuls+Hqj6SxC+62nVRnF6HUBhGr4lcTq4p5HylPqj/ti9EyTBw/5SBJt8cfV7+8qDcCE8BLvtYFsnYAgc7hy8ai0vsuJ0nf4rdwNfPI7IjXr+Laz89p1J7CXVHXGvEFQ1GfrgsOhhoiyfFPmKwLsrOWGxU/2uZYEGUmg/9SWK3oDPsrjOA= + DATABASE_URL: AgBU/onOgkULCcN2dw15cm/OXIQwlc1hZSbVCeQtBSfSNmJlUjMA99r8zAnYG5sSfBEMFMxXnBzbTIca40anPhJcNaNjehSwvQYdven24xvOPRLB4Dxsc8erfDFbxhM+X86mFGCfoDGm7Rv1444bdOzAZL6kjsBpNhLZ7rYI9+1TPYyyViKBxNlv9rUGL/gTR4ESFlpqMNRe4R1xessPG9XYW8md7K8apNP8xT7qVA+pmF62TFFEy14dtfKBeYlj3KnSuB9LWMeHQLrXqZ7GWiN5d2CjZKM/7kZL7dz24FDw/As6hP+pniCQN36lwwARAPYZRwZYf1siOB0G4cXEx8XVx33GEYIfsZ5cJF272LDvaqP++/OJG79bb8t2ecu9UcyxMV1jX7Eb/S1LbYAuTvu4gLIMp/LKXTVi1w+UqJNfklSjNTccMwjiP8fG7mt05s/9p9mHhJm3DW8H4Y3AnOtGDA2k3t6NbjNdg1QIniBI1xumhK5+qwU64PubsOiWJedAvpeShONEkH6LTWCfQN6fWiaGs8rsr8QVBNSfCgXLRj/vMOyK5zA88dWob/fd5AKz23+k4d8CnpfcXN0zb55GG73+crWwOpzrHNKrrEpyIYedVJl1/uHDxL7b0zhwOMLtoXVMi0afp0PKWDQeDA5tsULAVSzVjYIH6pSV3KulFCuT9FUj8/gUDwXcCUKVsqwD2Ewe6Cng/YW7V7NDL7YnuOK/W/ryU640bV2C0tVH2FnARCC1EIAtBIvnbT57IpbEYMUZnl1kS8WWQ6OWDgv0OjubV5pB16LKIj8oTlBbOTPG8qbmZoUYSUT76iVMOkBKz0tz3DhF + NEXTAUTH_SECRET: 
AgA8EyyaIc0Xf+dznUFu/H+RNuPPvFetfIcmz1Ff4yBn0FU3CIDOiS2Uxx2jpTrFWVuSWzuYpHL+OiBQLphnPnPQ6d8w0+BG10eOq8rUXtwCEkeswd7iwx+opv+oQtDI+vooYfNLgtkMoCY+qbHVUQvxAzVkLHyhHdzvMT1Y8G7Tx8MchV6tkqVAxqY1BLn8CDQr3klDQs09Xw5xTNDZMLSXPp/qW0fGPVwHYi67SnzMRkLnSwHuCMLR1xPzjOszpJSNmZPzbrWbY28IX7LRa1Y7HwyoWj+ydAFhRG97bVEmN0D9dJ8zcdSy2SRIVObo8lIMsJiNf9VO2hEVsbFxELlcoFqdBCzCV+pEcwLDnIYdikLTV1B1cYWZYz7V7spdrBzpJkfmYOShLlngFG4aQYXJQ7LwqRglPtyODmOmOJRCv4Bf+oloYb3Q7hK82RfkZCCyYg25+O4U9NFEogVwDDzIUjFdNyI40aVaM4WBXIpWBTdVH6GUM54+qpYUlNrLbIE6+6yYWKFntvihIRgWJDALwJvI4GZbvwp7lMAtebZWlia4VKcMeu4S1r2iG3piYyKZsjiwOanh1/0WA5UzXviydINmmRmGh26J2Rt+eKF/2CrIl20Ih66cC/CDC+oB3KgteLTR9r1W2DHOKnfY3emu5u3TPXc+ZIW7KeZafzSJ4JIUEOzgd+Z6/wxwEsV/PE8mZROo7Ge6a6qbJLFuUPhnLUgvCq3i0+Lvtfa0OMt17c67AgLa8ZW01RVKrXdM+Yft+PlCBhPANVt/ZIZnAcZ7bcT3sTj5iWUD/ZGy41tKB00nt8bYDi3dkjM=
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: linkwarden
+ name: linkwarden
+ namespace: privacy
+ type: Opaque
diff --git a/kubernetes/cluster/privacy/linkwarden/volumes.yaml b/kubernetes/cluster/privacy/linkwarden/volumes.yaml
new file mode 100644
index 000000000..170f2e89e
--- /dev/null
+++ b/kubernetes/cluster/privacy/linkwarden/volumes.yaml
@@ -0,0 +1,16 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: linkwarden-data
+ namespace: privacy
+ labels:
+ app.kubernetes.io/name: linkwarden
+spec:
+ accessModes:
+ - ReadWriteOnce
+ - ReadOnlyMany
+ storageClassName: nfs-subdir
+ resources:
+ requests:
+ storage: 100M