diff --git a/apps/hq/zitadel.yaml b/apps/hq/zitadel.yaml
new file mode 100644
index 0000000..f46af8e
--- /dev/null
+++ b/apps/hq/zitadel.yaml
@@ -0,0 +1,114 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mareshq-sso
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "50"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: hq
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: hq-sso
+ source:
+ chart: zitadel
+ repoURL: https://charts.zitadel.com
+ targetRevision: 8.5.0
+ helm:
+ releaseName: zitadel
+ valuesObject:
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-dns-production
+ cert-manager.io/issue-temporary-certificate: "true"
+ hosts:
+ - host: sso.mareshq.com
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: sso-mareshq-com-tls
+ hosts:
+ - sso.mareshq.com
+
+ replicaCount: 2
+
+ pdb:
+ enabled: true
+ minAvailable: 1
+
+ initJob:
+ # Once ZITADEL is installed, the initJob can be disabled.
+ enabled: true
+ annotations:
+ argocd.argoproj.io/sync-wave: "14"
+
+ setupJob:
+ annotations:
+ argocd.argoproj.io/sync-wave: "15"
+
+ # Deployment annotations
+ annotations:
+ argocd.argoproj.io/sync-wave: "20"
+
+ configMap:
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+
+ masterkeyAnnotations:
+ argocd.argoproj.io/sync-wave: "0"
+
+ serviceAccount:
+ create: true
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+
+ zitadel:
+ # openssl rand -hex 16 (32 characters = 32 bytes)
+ masterkey: 97e7e7f84450f135b28821d5aa49c017
+ configmapConfig:
+ Log:
+ Level: debug
+ Formatter:
+ Format: json
+
+ DefaultInstance:
+ LoginPolicy:
+ DefaultRedirectURI: https://sso.mareshq.com/ui/console
+
+ DomainPolicy:
+ SMTPSenderAddressMatchesInstanceDomain: false
+
+ ExternalPort: 443
+ ExternalSecure: true
+ ExternalDomain: sso.mareshq.com
+ TLS:
+ Enabled: false
+
+ Database:
+ postgres:
+ Host: postgres-rw.postgres.svc
+ Port: 5432
+ Database: zitadel
+ MaxOpenConns: 20
+ MaxIdleConns: 10
+ MaxConnLifetime: 30m
+ MaxConnIdleTime: 5m
+ User:
+ Username: zitadel_user
+ Password: atz3xjt6tfb_ecv*KBW
+ SSL:
+ Mode: disable
+ Admin:
+ Username: postgres
+ Password: postgres
+ SSL:
+ Mode: disable
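Review bot: The ZITADEL master key (`masterkey: 97e7e7f8…`), the `zitadel_user` database password and the Postgres `Admin` superuser credentials (`postgres`/`postgres`, the stock default) are committed in plaintext inside `valuesObject`, so anyone who can read this repo or the Argo CD Application object holds every secret the identity provider depends on, and they stay in git history after any later cleanup. Move them into Kubernetes Secrets and reference those from the chart instead — the chart appears to expose `masterkeySecretName:` and `configSecretName:`/`secretConfig:` under `zitadel:` for exactly this (or feed them from an external-secrets/SOPS-managed source) — and rotate all three before the first sync, since changing the master key once the instance holds encrypted data is not a simple rotation. Both `SSL:` / `Mode: disable` blocks additionally send these credentials and all tenant data in cleartext to `postgres-rw.postgres.svc`; `Mode: verify-full` with the CA the cluster's Postgres presents (or at minimum `require`) is the expected setting for a database connection carrying authentication state. `Level: debug` is also unusual for a production identity provider and may write request and token details into the log pipeline; `Level: info` is the safer default unless debugging is actively needed.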