diff --git a/app/inventory/README.md b/app/inventory/README.md
new file mode 100644
index 00000000..40346d08
--- /dev/null
+++ b/app/inventory/README.md
@@ -0,0 +1,3 @@
+# inventory
+
+For app source, see https://code.hackerspace.pl/informatic/spejstore
diff --git a/app/inventory/prod.jsonnet b/app/inventory/prod.jsonnet
new file mode 100644
index 00000000..f7d45104
--- /dev/null
+++ b/app/inventory/prod.jsonnet
@@ -0,0 +1,119 @@
+local kube = import '../../kube/kube.libsonnet';
+local postgres = import '../../kube/postgres_v.libsonnet';
+
+{
+ local top = self,
+ local cfg = top.cfg,
+
+ cfg:: {
+ name: 'inventory',
+ namespace: 'inventory',
+ domain: 'inventory.hackerspace.pl',
+
+ image: 'registry.k0.hswaw.net/palid/spejstore:1694280421',
+ db: {
+ name: 'inventory',
+ username: 'inventory',
+ },
+ oauthClientId: '82fffb65-0bbd-4d18-becd-0ce0b31373cf',
+ storageClassName: 'waw-hdd-redundant-3',
+
+ mediaPath: '/var/www/media',
+ },
+
+ secrets:: {
+ postgres: { secretKeyRef: { name: cfg.name, key: 'postgres_password' } },
+ oauth: { secretKeyRef: { name: cfg.name, key: 'oauth_secret' } },
+ },
+
+ ns: kube.Namespace(cfg.namespace),
+ deployment: top.ns.Contain(kube.Deployment(cfg.name)) {
+ spec+: {
+ template+: {
+ spec+: {
+ volumes_: {
+ media: kube.PersistentVolumeClaimVolume(top.media),
+ },
+ containers_: {
+ default: kube.Container('default') {
+ image: cfg.image,
+ ports_: {
+ web: { containerPort: 8000 },
+ },
+ env_: {
+ SPEJSTORE_ENV: 'prod',
+ SPEJSTORE_DB_NAME: cfg.db.name,
+ SPEJSTORE_DB_USER: cfg.db.username,
+ SPEJSTORE_DB_PASSWORD: top.secrets.postgres,
+ SPEJSTORE_DB_HOST: top.psql.svc.host,
+ SPEJSTORE_DB_PORT: top.psql.svc.port,
+ SPEJSTORE_ALLOWED_HOSTS: cfg.domain,
+ SPEJSTORE_CLIENT_ID: cfg.oauthClientId,
+ SPEJSTORE_SECRET: top.secrets.oauth,
+ SPEJSTORE_MEDIA_ROOT: cfg.mediaPath,
+ SPEJSTORE_REQUIRE_AUTH: 'true',
+ SPEJSTORE_LAN_ALLOWED_ADDRESS_SPACE: '185.236.240.5',
+ },
+ volumeMounts_: {
+ media: { mountPath: cfg.mediaPath },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+
+ media: top.ns.Contain(kube.PersistentVolumeClaim(cfg.name)) {
+ spec+: {
+ storageClassName: cfg.storageClassName,
+ accessModes: ['ReadWriteOnce'],
+ resources: {
+ requests: {
+ storage: '20Gi',
+ },
+ },
+ },
+ },
+
+ psql: postgres {
+ cfg+: {
+ namespace: cfg.namespace,
+ appName: cfg.name,
+ storageClassName: cfg.storageClassName,
+ version: '15.4',
+
+ database: cfg.db.name,
+ username: cfg.db.username,
+ password: top.secrets.postgres,
+ },
+ bouncer: {},
+ },
+
+ service: top.ns.Contain(kube.Service(cfg.name)) {
+ target_pod:: top.deployment.spec.template,
+ },
+
+ ingress: top.ns.Contain(kube.Ingress(cfg.name)) {
+ metadata+: {
+ annotations+: {
+ 'kubernetes.io/tls-acme': 'true',
+ 'cert-manager.io/cluster-issuer': 'letsencrypt-prod',
+ 'nginx.ingress.kubernetes.io/proxy-body-size': '0',
+ },
+ },
+ spec+: {
+ tls: [{ hosts: [cfg.domain], secretName: cfg.name + '-tls' }],
+ rules: [
+ {
+ host: cfg.domain,
+ http: {
+ paths: [
+ { path: '/', backend: top.service.name_port },
+ ],
+ },
+ },
+ ],
+ },
+ },
+}
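Review bot: In the `ingress` annotations, `'nginx.ingress.kubernetes.io/proxy-body-size': '0'` removes the request-body limit at the ingress for a public host, so upload size is bounded only by whatever the app enforces and by the 20Gi `media` claim. A finite cap would be safer, e.g. `'nginx.ingress.kubernetes.io/proxy-body-size': '64m',` (example value; size it to the largest expected media upload). Separately, `SPEJSTORE_LAN_ALLOWED_ADDRESS_SPACE: '185.236.240.5'` looks like a source-address allowance. Behind the nginx ingress that is only meaningful if the app derives the client address from a trusted proxy header rather than a client-supplied one, which this hunk does not show; a comment on that line stating what the address is and what it is allowed to skip would help reviewers. The image is also referenced by tag (`spejstore:1694280421`) rather than by digest, so the deployed content depends on the registry keeping that tag immutable.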