diff --git a/renovate/renovate-config.yaml b/renovate/renovate-config.yaml
new file mode 100644
index 0000000..762658f
--- /dev/null
+++ b/renovate/renovate-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renovate-config
+data:
+  config.json: |-
+    {
+      "repositories": ["infrastructure/core-apps","infrastructure/db-operators","infrastructure/weyma-talos"]
+    }
diff --git a/renovate/renovate-cronjob.yaml b/renovate/renovate-cronjob.yaml
new file mode 100644
index 0000000..fdf8ee8
--- /dev/null
+++ b/renovate/renovate-cronjob.yaml
@@ -0,0 +1,49 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate-bot
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - image: renovate/renovate:40.14.6
+              name: renovate-bot
+              env: # For illustration purposes, please use secrets.
+                - name: RENOVATE_PLATFORM
+                  value: 'gitea'
+                - name: RENOVATE_ENDPOINT
+                  value: 'https://git.dubyatp.xyz/api/v1'
+                - name: RENOVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      key: gitea-pat
+                      name: renovate-gitea-token
+                - name: RENOVATE_GITHUB_COM_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      key: github-com-pat
+                      name: renovate-github-com-token
+                - name: RENOVATE_AUTODISCOVER
+                  value: 'false'
+                - name: RENOVATE_BASE_DIR
+                  value: '/tmp/renovate/'
+                - name: RENOVATE_CONFIG_FILE
+                  value: '/opt/renovate/config.json'
+                - name: LOG_LEVEL
+                  value: debug
+              volumeMounts:
+                - name: config-volume
+                  mountPath: /opt/renovate/
+                - name: work-volume
+                  mountPath: /tmp/renovate/
+          restartPolicy: Never
+          volumes:
+            - name: config-volume
+              configMap:
+                name: renovate-config
+            - name: work-volume
+              emptyDir: {}
\ No newline at end of file
diff --git a/renovate/renovate-gitea-token.yaml b/renovate/renovate-gitea-token.yaml
new file mode 100644
index 0000000..00ff3a3
--- /dev/null
+++ b/renovate/renovate-gitea-token.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-gitea-token
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: renovate-gitea-token
+    creationPolicy: Owner
+  data:
+    - secretKey: gitea-pat
+      remoteRef:
+        key: renovate
+        property: gitea-pat
\ No newline at end of file
diff --git a/renovate/renovate-github-token.yaml b/renovate/renovate-github-token.yaml
new file mode 100644
index 0000000..9bfef16
--- /dev/null
+++ b/renovate/renovate-github-token.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-github-com-token
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: renovate-github-com-token
+    creationPolicy: Owner
+  data:
+    - secretKey: github-com-pat
+      remoteRef:
+        key: renovate
+        property: github-com-pat
\ No newline at end of file