diff --git a/applications/30-domain-names/certmanager.yaml b/applications/30-domain-names/certmanager.yaml
index 95511fd..83befe8 100644
--- a/applications/30-domain-names/certmanager.yaml
+++ b/applications/30-domain-names/certmanager.yaml
@@ -1,37 +1,38 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: jetstack
- namespace: flux-system
-spec:
- url: https://charts.jetstack.io
- interval: 1h
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
+# 1. cert-manager Helm chart
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
 name: cert-manager
- namespace: home-server
+ namespace: argocd
 spec:
- interval: 30m
- chart:
- spec:
- chart: cert-manager
- version: v1.18.2
- sourceRef:
- kind: HelmRepository
- name: jetstack
- namespace: flux-system
- install:
- crds: CreateReplace
- createNamespace: true
- values:
- installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers-only
- - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
+ project: default
+ source:
+ repoURL: "https://charts.jetstack.io"
+ chart: "cert-manager"
+ targetRevision: "v1.18.2"
+ helm:
+ releaseName: "cert-manager"
+ values: |
+ installCRDs: true
+ extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: home-server
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - SkipHooks=false
+ - SyncWave=0 # ensure cert-manager is installed first
+
 ---
+# 2. ClusterIssuer
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
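Review bot: `- SyncWave=0` under `syncPolicy.syncOptions` is unlikely to order anything, because Argo CD reads sync waves from the `argocd.argoproj.io/sync-wave` annotation on a resource rather than from a sync option; `SkipHooks=false` also does not appear among the documented sync options, so both entries are probably ignored. If cert-manager has to be in place before the ClusterIssuer and Certificate later in this file, set `argocd.argoproj.io/sync-wave: "0"` under `metadata.annotations` of the Application and a higher wave on the two cert-manager.io resources; that only takes effect when a parent Application syncs this file, which the diff does not show. Separately, `project: default` together with automated `prune` and `selfHeal` leaves this Application in a project that, unless it has been locked down elsewhere, accepts any source repository and any destination. A dedicated AppProject restricted to `https://charts.jetstack.io`, the `home-server` namespace and the cluster-scoped kinds the chart installs would follow least privilege more closely.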
@@ -40,19 +41,20 @@ spec:
 acme:
 email: admin@hxme.net
 server: https://acme-v02.api.letsencrypt.org/directory
- #server: https://acme-staging-v02.api.letsencrypt.org/directory
 privateKeySecretRef:
 name: letsencrypt-rfc2136
 solvers:
- - dns01:
- rfc2136:
- nameserver: hawke.hxst.com.au:53
- tsigKeyName: "hxme-update-key"
- tsigAlgorithm: HMACSHA512
- tsigSecretSecretRef:
- name: hxme-update-key
- key: hxme-update-key
+ - dns01:
+ rfc2136:
+ nameserver: hawke.hxst.com.au:53
+ tsigKeyName: "hxme-update-key"
+ tsigAlgorithm: HMACSHA512
+ tsigSecretSecretRef:
+ name: hxme-update-key
+ key: hxme-update-key
+
 ---
+# 3. Certificate
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -71,3 +73,4 @@ spec:
 dnsNames:
 - "hxme.net"
 - "*.hxme.net"
+