diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml new file mode 100644 index 0000000..662a7df --- /dev/null +++ b/docker/rustical/docker-compose.yml @@ -0,0 +1,17 @@ +--- +services: + rustical: + image: ghcr.io/lennart-k/rustical:0.10.5 + ports: + - '4000:4000' + volumes: + - "${RUSTICAL_DATA_VOLUME:-/mnt/nas1/shared/rustical/:/var/lib/rustical/}" + environment: + RUSTICAL_OIDC__NAME: ${RUSTICAL_OIDC_NAME:-Authentik} + RUSTICAL_OIDC__ISSUER: ${RUSTICAL_OIDC_ISSUER:-https://auth.fukurokuju.dev/application/o/rustical/} + RUSTICAL_OIDC__CLIENT_ID: ${RUSTICAL_OIDC_CLIENT_ID} + RUSTICAL_OIDC__CLIENT_SECRET: ${RUSTICAL_OIDC_CLIENT_SECRET} + RUSTICAL_OIDC__CLAIM_USERID: ${RUSTICAL_OIDC_CLAIM_USERID:-preferred_username} + RUSTICAL_OIDC__SCOPES: '["openid", "profile", "groups"]' + RUSTICAL_OIDC__ALLOW_SIGN_UP: "true" + RUSTICAL_FRONTEND__ALLOW_PASSWORD_LOGIN: ${RUSTICAL_FRONTED_ALLOW_PASSWORD_LOGIN:-false} diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index de204f9..e93f779 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.9.* + targetRevision: 45.11.* helm: valuesObject: renovate: diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 5c0ffef..c062e8f 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -42,6 +42,7 @@ resource "authentik_group" "ftp" { is_superuser = false } + module "gitea" { source = "../modules/authentik-oidc" app_name = "Gitea" @@ -199,7 +200,6 @@ module "netbird" { app_name = "netbird" app_slug = "netbird" client_id = var.netbird_client_id - client_secret = var.netbird_client_secret client_type = "public" app_access_group_id = authentik_group.vpn.id redirect_uris = [ 
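Review bot: The last added line of the compose file reads the host variable `RUSTICAL_FRONTED_ALLOW_PASSWORD_LOGIN` (FRONTED, not FRONTEND), so an operator who sets the correctly spelled name is silently ignored and the default applies; it should read `${RUSTICAL_FRONTEND_ALLOW_PASSWORD_LOGIN:-false}`. `RUSTICAL_OIDC__CLIENT_ID` and `RUSTICAL_OIDC__CLIENT_SECRET` have no default, and Compose substitutes an empty string when they are unset, so the container would start with blank OIDC credentials. Writing them as `${RUSTICAL_OIDC_CLIENT_SECRET:?RUSTICAL_OIDC_CLIENT_SECRET must be set}` (and likewise for the client id) makes `docker compose up` fail instead. If a reverse proxy on the same host fronts this service (not visible here), publishing as `'127.0.0.1:4000:4000'` would keep the plain-HTTP port off the other interfaces.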
@@ -223,4 +223,15 @@ module "netbird" { ] app_icon = "https://vpn.fukurokuju.dev/apple-icon.png" access_token_validity = "days=10" + client_secret = "" +} + +module "rustical" { + source = "../modules/authentik-oidc" + app_name = "rustical" + app_slug = "rustical" + client_id = var.rustical_client_id + client_secret = var.rustical_client_secret + redirect_uris = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }] + app_access_group_id = "" } diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index 50cba45..3dca992 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -44,10 +44,6 @@ variable "netbird_client_id" { type = string } -variable "netbird_client_secret" { - description = "Netbird client secret" - type = string -} variable "sftpgo_client_id" { description = "SFTPGo client ID" @@ -58,3 +54,13 @@ variable "sftpgo_client_secret" { description = "SFTPGo client secret" type = string } + +variable "rustical_client_id" { + description = "Radicale client ID" + type = string +} + +variable "rustical_client_secret" { + description = "Radicale client secret" + type = string +}
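Review bot: The new `rustical` module passes `app_access_group_id = ""`, whereas `netbird` earlier in the file is bound to `authentik_group.vpn.id`, and the compose file in this commit sets `RUSTICAL_OIDC__ALLOW_SIGN_UP: "true"`. If the `authentik-oidc` module treats an empty id as "no group binding" (the module is not shown), every account in the identity provider could sign in and have a calendar account created on first login. Binding the application to a dedicated group, for example `app_access_group_id = authentik_group.calendar.id` with a matching `authentik_group` resource (the name is a placeholder), would restrict that. The `client_secret = ""` now passed for the public `netbird` client likewise depends on how the module handles an empty string, so it is worth confirming that the provider is not created with a blank secret.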
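Review bot: `rustical_client_secret` in the last vars.tf hunk is declared without `sensitive = true`, so its value can be printed in plan and apply output; adding `sensitive = true` to the block redacts it there, although it is still written to state. Both new descriptions say "Radicale" although the variables belong to rustical; `description = "rustical client ID"` and `description = "rustical client secret"` would match the names. The existing `sftpgo_client_secret` shown in the context lines has the same missing `sensitive` flag.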