diff --git a/README.rst b/README.rst
index de4e519..bd4d877 100644
--- a/README.rst
+++ b/README.rst
@@ -160,7 +160,7 @@ ArgoCD bootstrap
 
   .. code-block:: bash
 
-    argocd login --grpc-web argocd.ioot.xyz
+    argocd login --grpc-web argocd.ioot.xyz --sso
     argocd repo add git@github.com:amkartashov/gf-k8s --ssh-private-key-path ~/.ssh/argocd.ioot.xyz
 
 
@@ -204,10 +204,23 @@ ArgoCD bootstrap
       argocd app set argocd/grafana --parameter githubClientSecret=REPLACE
       argocd app set argocd/grafana --parameter adminPassword=`pwgen -1 12`
 
-* Reset forgejo password
+* Create new Oauth application https://github.com/settings/applications/new:
 
-  .. code-block:: bash
-    argocd app set argocd/forgejo --parameter adminPassword=`pwgen -1 12`
+  * Application name: git.ioot.xyz
+  * Homepage URL: https://git.ioot.xyz/
+  * Authorization callback URL: https://git.ioot.xyz/user/oauth2/GitHub/callback
+  * Update client secret and admin password:
+
+    .. code-block:: bash
+
+      argocd app set argocd/forgejo --parameter 'gitea.oauth[0].key=REPLACE'
+      argocd app set argocd/forgejo --parameter 'gitea.oauth[0].secret=REPLACE'
+      argocd app set argocd/forgejo --parameter gitea.admin.password=`pwgen -1 12`
+      argocd app set argocd/forgejo --parameter gitea.config.database.PASSWD=$(\
+        kubectl --context gullfaxi -n forgejo get secret \
+        postgresql-app -o jsonpath='{.data.password}' \
+        | base64 -d \
+      )
 
 
 * Remove secret ``kubectl --context gullfaxi -n argocd delete secret argocd-initial-admin-secret``.
diff --git a/state/gullfaxi/apps/cloudnative-pg/application.yaml b/state/gullfaxi/apps/cloudnative-pg/application.yaml
index 7039f27..dcb6833 100644
--- a/state/gullfaxi/apps/cloudnative-pg/application.yaml
+++ b/state/gullfaxi/apps/cloudnative-pg/application.yaml
@@ -2,6 +2,8 @@ apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: cloudnative-pg
+  labels:
+    app-type: operator
 spec:
   destination:
     server: https://kubernetes.default.svc
diff --git a/state/gullfaxi/apps/forgejo/application.yaml b/state/gullfaxi/apps/forgejo/application.yaml
index be29829..c2851a3 100644
--- a/state/gullfaxi/apps/forgejo/application.yaml
+++ b/state/gullfaxi/apps/forgejo/application.yaml
@@ -29,41 +29,50 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-  sources:
-    - repoURL: codeberg.org/forgejo-contrib
-      chart: forgejo
-      targetRevision: 0.12.1
-      helm:
-        valuesObject:
-          memcached:
-            enabled: false
-          postgresql:
-            enabled: false
-          test:
-            enabled: false
-          ingress:
+  source:
+    repoURL: codeberg.org/forgejo-contrib
+    chart: forgejo
+    targetRevision: 0.12.1
+    helm:
+      valuesObject:
+        memcached:
+          enabled: false
+        postgresql:
+          enabled: false
+        test:
+          enabled: false
+        ingress:
+          enabled: true
+          className: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt
+          hosts:
+            - host: git.ioot.xyz
+              paths:
+                - path: /
+                  pathType: Prefix
+          tls:
+            - secretName: forgejo-tls
+              hosts:
+                - git.ioot.xyz
+        gitea:
+          admin:
+            username: amkartashov
+            # password: reset_in_argocd
+            email: "a@ioot.xyz"
+          oauth:
+            - name: GitHub
+              provider: github
+          config:
+            database:
+              DB_TYPE: postgres
+              HOST: postgresql-rw
+              NAME: gitea
+              USER: gitea
+              # PASSWD: reset_in_argocd
+            service:
+              DISABLE_REGISTRATION: "true"
+          metrics:
             enabled: true
-            className: nginx
-            annotations:
-              kubernetes.io/tls-acme: "true"
-            hosts:
-              - host: git.ioot.xyz
-                paths:
-                  - path: /
-                    pathType: Prefix
-            tls:
-              - secretName: forgejo-tls
-                hosts:
-                  - git.ioot.xyz
-          gitea:
-            admin:
-              username: admin
-              password: reset_in_argocd
-              email: "a@ioot.xyz"
-            metrics:
+            serviceMonitor:
               enabled: true
-              serviceMonitor:
-                enabled: true
-    - repoURL: git@github.com:amkartashov/gf-k8s.git
-      targetRevision: main
-      path: state/gullfaxi/apps/forgejo/manifests
diff --git a/state/gullfaxi/apps/forgejo/postgresql/application.yaml b/state/gullfaxi/apps/forgejo/postgresql/application.yaml
new file mode 100644
index 0000000..354111c
--- /dev/null
+++ b/state/gullfaxi/apps/forgejo/postgresql/application.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-postgres
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: forgejo
+  project: apps
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: git@github.com:amkartashov/gf-k8s.git
+    targetRevision: main
+    path: state/gullfaxi/apps/forgejo/postgresql/manifests
diff --git a/state/gullfaxi/apps/forgejo/manifests/postgresql.yaml b/state/gullfaxi/apps/forgejo/postgresql/manifests/postgresql.yaml
similarity index 63%
rename from state/gullfaxi/apps/forgejo/manifests/postgresql.yaml
rename to state/gullfaxi/apps/forgejo/postgresql/manifests/postgresql.yaml
index 4ab4b13..cfc2267 100644
--- a/state/gullfaxi/apps/forgejo/manifests/postgresql.yaml
+++ b/state/gullfaxi/apps/forgejo/postgresql/manifests/postgresql.yaml
@@ -8,3 +8,8 @@ spec:
   primaryUpdateStrategy: unsupervised
   storage:
     size: 10Gi
+  bootstrap:
+    initdb:
+      database: gitea
+      localeCollate: en_US.UTF-8
+      localeCType: en_US.UTF-8