diff --git a/apps/actual/deployment.yaml b/apps/actual/deployment.yaml
new file mode 100644
index 0000000..be95425
--- /dev/null
+++ b/apps/actual/deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: actual
+  namespace: actual
+spec:
+  selector:
+    matchLabels:
+      app: actual
+  template:
+    metadata:
+      labels:
+        app: actual
+    spec:
+      containers:
+      - name: actual
+        image: docker.io/actualbudget/actual-server:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 5006
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: data
+        persistentVolumeClaim: 
+          claimName: actual-data
diff --git a/apps/actual/dns-endpoint.yaml b/apps/actual/dns-endpoint.yaml
new file mode 100644
index 0000000..42dce73
--- /dev/null
+++ b/apps/actual/dns-endpoint.yaml
@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: actual.michaelthomson.dev
+  namespace: actual
+spec:
+  endpoints:
+  - dnsName: actual.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"
diff --git a/apps/actual/ingress.yaml b/apps/actual/ingress.yaml
new file mode 100644
index 0000000..f1274f7
--- /dev/null
+++ b/apps/actual/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: actual
+  namespace: actual
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: actual.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: actual
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - actual.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
diff --git a/apps/actual/namespace.yaml b/apps/actual/namespace.yaml
new file mode 100644
index 0000000..11b4358
--- /dev/null
+++ b/apps/actual/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: actual
diff --git a/apps/actual/pvc-data.yaml b/apps/actual/pvc-data.yaml
new file mode 100644
index 0000000..f6aa03e
--- /dev/null
+++ b/apps/actual/pvc-data.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: actual-data
+  namespace: actual
+spec:
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
diff --git a/apps/actual/service.yaml b/apps/actual/service.yaml
new file mode 100644
index 0000000..cffb3f2
--- /dev/null
+++ b/apps/actual/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: actual
+  namespace: actual
+spec:
+  selector:
+    app: actual
+  ports:
+  - port: 80
+    targetPort: http
+    name: http
diff --git a/bootstrap/apps/kustomization-actual.yaml b/bootstrap/apps/kustomization-actual.yaml
new file mode 100644
index 0000000..805fdea
--- /dev/null
+++ b/bootstrap/apps/kustomization-actual.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: actual
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./apps/actual
+  prune: true # remove any elements later removed from the above path
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  dependsOn:
+    - name: infra-configs