diff --git a/bootstrap/kustomizations/kustomization-roundcube.yaml b/bootstrap/kustomizations/kustomization-roundcube.yaml
new file mode 100644
index 0000000..0738229
--- /dev/null
+++ b/bootstrap/kustomizations/kustomization-roundcube.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: roundcube
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./roundcube
+ prune: true # remove any elements later removed from the above path
+ timeout: 2m # if not set, this defaults to interval duration, which is 1h
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ healthChecks:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: roundcubemail
+ namespace: roundcube
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: roundcubedb
+ namespace: roundcube
diff --git a/bootstrap/namespaces/namespace-roundcube.yaml b/bootstrap/namespaces/namespace-roundcube.yaml
new file mode 100644
index 0000000..d1bc720
--- /dev/null
+++ b/bootstrap/namespaces/namespace-roundcube.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: roundcube
diff --git a/roundcube/roundcubedb-deployment.yaml b/roundcube/roundcubedb-deployment.yaml
new file mode 100644
index 0000000..b2f9978
--- /dev/null
+++ b/roundcube/roundcubedb-deployment.yaml
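Review bot: The inline comment on `timeout: 2m` in bootstrap/kustomizations/kustomization-roundcube.yaml says the default is the interval duration "which is 1h", but `interval` in this file is `15m`; suggest `timeout: 2m # if not set, this defaults to the interval (15m)`. No `targetNamespace` is set here, so every manifest under `./roundcube` has to carry its own `metadata.namespace`, and the cleandb CronJob in this commit does not because its key is misspelled.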
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: roundcubedb
+ namespace: roundcube
+ labels:
+ service: roundcubedb
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ service: roundcubedb
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ service: roundcubedb
+ spec:
+ containers:
+ - name: roundcubedb
+ image: postgres:alpine
+ imagePullPolicy: ""
+ env:
+ - name: POSTGRES_DB
+ value: roundcube
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: roundcubemail-shared-secret
+ key: DB_USER
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: roundcubemail-shared-secret
+ key: DB_PASSWORD
+ ports:
+ - containerPort: 5432
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: roundcubedb-pvc
+ restartPolicy: Always
+ serviceAccountName: ""
+ volumes:
+ - name: roundcubedb-pvc
+ persistentVolumeClaim:
+ claimName: roundcubedb-pvc
diff --git a/roundcube/roundcubedb-pvc.yaml b/roundcube/roundcubedb-pvc.yaml
new file mode 100644
index 0000000..3b08b20
--- /dev/null
+++ b/roundcube/roundcubedb-pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: roundcubedb-pvc
+ namespace: roundcube
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/roundcube/roundcubedb-service.yaml b/roundcube/roundcubedb-service.yaml
new file mode 100644
index 0000000..84c3025
--- /dev/null
+++ b/roundcube/roundcubedb-service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: roundcubedb
+ namespace: roundcube
+ labels:
+ service: roundcubedb
+spec:
+ ports:
+ - port: 5432
+ protocol: TCP
+ selector:
+ service: roundcubedb
diff --git a/roundcube/roundcubemail-cronjob-cleandb.yaml b/roundcube/roundcubemail-cronjob-cleandb.yaml
new file mode 100644
index 0000000..67de8a5
--- /dev/null
+++ b/roundcube/roundcubemail-cronjob-cleandb.yaml
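Review bot: `image: postgres:alpine` in roundcube/roundcubedb-deployment.yaml is a floating tag, so the PostgreSQL build that runs against `roundcubedb-pvc` changes whenever the pod lands on a node that has to pull it; a new major release under that tag will not start on the existing data directory, and nothing in Git records which image is serving the mail database. Pin the major version and preferably the digest, for example `image: postgres:<MAJOR>-alpine@sha256:<DIGEST>`. The container also sets no `securityContext` and no `resources`, which is worth adding for a pod that holds credentials and user data. The empty `imagePullPolicy: ""` and `serviceAccountName: ""` lines are equivalent to omitting the fields and can be dropped.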
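Review bot: roundcube/roundcubedb-pvc.yaml omits `storageClassName`, while roundcubemail-temp-pvc.yaml and roundcubemail-www-pvc.yaml in the same commit both set `storageClassName: longhorn`. The database volume will therefore bind to whatever the cluster's default class is, which may not have the same replication or backup behaviour; if that is not intended, add `storageClassName: longhorn` under `spec:`.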
@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: cleandb
+ namesapce: roundcube
+spec:
+ schedule: "@daily"
+ concurrencyPolicy: Replace
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ name: cleandb
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: roundcubemail
+ image: roundcube/roundcubemail:latest-fpm-alpine
+ imagePullPolicy: ""
+ env: *env
+ args:
+ - bin/cleandb.sh
diff --git a/roundcube/roundcubemail-deployment.yaml b/roundcube/roundcubemail-deployment.yaml
new file mode 100644
index 0000000..dc5c336
--- /dev/null
+++ b/roundcube/roundcubemail-deployment.yaml
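Review bot: In roundcube/roundcubemail-cronjob-cleandb.yaml the metadata key is spelled `namesapce`, so the CronJob has no namespace; depending on validation it is either rejected or created outside `roundcube`, where the `roundcubemail-shared-secret` references cannot resolve. It should read `namespace: roundcube`. The `env: *env` alias is a second problem: the `&env` anchor is defined in roundcubemail-deployment.yaml, and YAML anchors are scoped to a single document, so this file cannot be parsed on its own. The env list needs to be repeated in this file, or at least the database variables and their `secretKeyRef` entries that `bin/cleandb.sh` presumably needs.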
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: roundcubemail
+ namespace: roundcube
+ labels:
+ service: roundcubemail
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ service: roundcubemail
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ service: roundcubemail
+ spec:
+ containers:
+ - name: roundcubemail
+ image: roundcube/roundcubemail:latest-fpm-alpine
+ imagePullPolicy: ""
+ env: &env
+ - name: ROUNDCUBEMAIL_DB_TYPE
+ value: pgsql
+ - name: ROUNDCUBEMAIL_DB_HOST
+ value: roundcubedb
+ - name: ROUNDCUBEMAIL_DB_NAME
+ value: roundcube
+ - name: ROUNDCUBEMAIL_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: roundcubemail-shared-secret
+ key: DB_USER
+ - name: ROUNDCUBEMAIL_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: roundcubemail-shared-secret
+ key: DB_PASSWORD
+ - name: ROUNDCUBEMAIL_DES_KEY
+ valueFrom:
+ secretKeyRef:
+ name: roundcubemail-shared-secret
+ key: DES_KEY
+ - name: ROUNDCUBEMAIL_DEFAULT_HOST
+ value: tls://mail.michaelthomson.dev
+ - name: ROUNDCUBEMAIL_SMTP_SERVER
+ value: tls://mail.michaelthomson.dev
+ - name: ROUNDCUBEMAIL_SKIN
+ value: elastic
+ - name: ROUNDCUBEMAIL_PLUGINS
+ value: archive,zipdownload,newmail_notifier
+ ports:
+ - containerPort: 9000
+ volumeMounts:
+ - mountPath: /var/www/html
+ name: www-data
+ - mountPath: /tmp/roundcube-temp
+ name: temp-data
+ restartPolicy: Always
+ volumes:
+ - name: www-data
+ persistentVolumeClaim:
+ claimName: roundcubemail-www-pvc
+ - name: temp-data
+ persistentVolumeClaim:
+ claimName: roundcubemail-temp-pvc
diff --git a/roundcube/roundcubemail-dns-endpoint.yaml b/roundcube/roundcubemail-dns-endpoint.yaml
new file mode 100644
index 0000000..68f4a93
--- /dev/null
+++ b/roundcube/roundcubemail-dns-endpoint.yaml
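Review bot: `image: roundcube/roundcubemail:latest-fpm-alpine` in roundcube/roundcubemail-deployment.yaml, and again in the cleandb CronJob, is a moving tag on the internet-facing webmail container. The running Roundcube version can therefore change without a commit, and the Deployment and the CronJob can end up on different builds against the same database. Pin a release and preferably a digest in both files, for example `image: roundcube/roundcubemail:<VERSION>-fpm-alpine@sha256:<DIGEST>`. The pod spec also sets no `securityContext` or `resources`, which is worth adding for a PHP application that receives untrusted mail content and holds `ROUNDCUBEMAIL_DES_KEY`.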
@@ -0,0 +1,16 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: roundcube.michaelthomson.dev
+ namespace: roundcube
+spec:
+ endpoints:
+ - dnsName: roundcube.michaelthomson.dev
+ recordTTL: 180
+ recordType: CNAME
+ targets:
+ - michaelthomson.ddns.net
+ providerSpecific:
+ - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+ value: "false"
+
diff --git a/roundcube/roundcubemail-ingress.yaml b/roundcube/roundcubemail-ingress.yaml
new file mode 100644
index 0000000..8016baa
--- /dev/null
+++ b/roundcube/roundcubemail-ingress.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: roundcubemail-ingress
+ namespace: roundcube
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ # traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ labels:
+ service: roundcubemail
+spec:
+ rules:
+ - host: roundcube.michaelthomson.dev
+ http:
+ paths:
+ - pathType: ImplementationSpecific
+ path: /
+ backend:
+ service:
+ name: roundcubemail
+ port:
+ name: http
+ tls:
+ - hosts:
+ - roundcube.michaelthomson.dev
+ secretName: letsencrypt-wildcard-cert-michaelthomson.dev
diff --git a/roundcube/roundcubemail-service.yaml b/roundcube/roundcubemail-service.yaml
new file mode 100644
index 0000000..61eee4f
--- /dev/null
+++ b/roundcube/roundcubemail-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: roundcubemail
+ namespace: roundcube
+ labels:
+ service: roundcubemail
+spec:
+ ports:
+ - port: 9000
+ protocol: TCP
+ name: http
+ selector:
+ service: roundcubemail
diff --git a/roundcube/roundcubemail-shared-secret-sealed.yaml b/roundcube/roundcubemail-shared-secret-sealed.yaml
new file mode 100644
index 0000000..e0d391d
--- /dev/null
+++ b/roundcube/roundcubemail-shared-secret-sealed.yaml
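Review bot: The `router.middlewares: traefik-authentik@kubernetescrd` annotation in roundcube/roundcubemail-ingress.yaml is commented out, so the Roundcube login page is published on `websecure` with nothing in front of it except its own login form. If that is deliberate, replace the dead line with a comment saying why, and consider attaching a rate-limiting middleware instead. Separately, the backend is the `http` port of Service `roundcubemail` (9000), but the Deployment runs the `-fpm-` image variant, which as far as I know serves FastCGI rather than HTTP on that port. If so, Traefik cannot proxy to it directly and a web server container is needed in front of PHP-FPM; please confirm against the image documentation.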
@@ -0,0 +1,16 @@
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+ name: roundcubemail-shared-secret
+ namespace: roundcube
+ creationTimestamp:
+spec:
+ template:
+ metadata:
+ name: roundcubemail-shared-secret
+ namespace: roundcube
+ creationTimestamp:
+ encryptedData:
+ DB_PASSWORD: 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
+ DB_USER: AgBEYaAj58I62GNWycn0D9oMpjmWlvvpNI9guc166EGKsw3bxft9D+sxyxR39YW/9QVLL8dLE7UHwrhurNLQq7o2ij+uWGLoY9fKic/afX2Cn5egESgr2Vw8baQtROuwcJX9ZPgQSXr09Bz6d9HklygWSnu4sq8mWc8WZ+SB2E4SvpL9kRG9Y8A9lUZWg1Hv9LkOvtmjfzblGkRF0PbW2OCE++a5FWpms/yYtmWjll7/BeRCpVnqWPNa4q+TE/d1L6JJfTs5BdUvc77bTgYfogqkrPAHD+RjmwPqMtOvTQcXuQBT4OCNS31jHcP483B8Ky6/SL6PJhdYA7h6uFgaLc6lYcHBwesAUMeg4+vG5BWatS2rxsv2bVvn1kQfwstvL2e+I+Rs71fAfmKcuE93E4yXSMQT95hLcoPq5JIp8NY2CBkBEpB/KcJfDNfDUs0Dr8qyQPkJVdjL6qfaq+23MLCHXIu1fHcsqpfG5x3NVmi29GzqDdkDzNDaxIv93iTwlSyiGdY++z/1IP6iCPT6ogO0e1ptYmFmrX6mHo3p6dIcna3laSvVoJ2LgJ49W3obVOxWYrh83uKagM4WWRB3RwDtW4ipB5bz+w/YcPVec0bjacOJbk+QLiJFYip9qLsAyErB/m66rgIzs2EtzAD8glr5J/7+pdT8O/rxY29aeS3DWWG3mfLupmbBk3okdalr7VcYBh2JLlyzxUU=
+ DES_KEY: 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
diff --git a/roundcube/roundcubemail-temp-pvc.yaml b/roundcube/roundcubemail-temp-pvc.yaml
new file mode 100644
index 0000000..e5529c7
--- /dev/null
+++ b/roundcube/roundcubemail-temp-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: roundcubemail-temp-pvc
+ namespace: roundcube
+spec:
+ storageClassName: longhorn
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/roundcube/roundcubemail-www-pvc.yaml b/roundcube/roundcubemail-www-pvc.yaml
new file mode 100644
index 0000000..c19d7d9
--- /dev/null
+++ b/roundcube/roundcubemail-www-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: roundcubemail-www-pvc
+ namespace: roundcube
+spec:
+ storageClassName: longhorn
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 200Mi