diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
new file mode 100644
index 0000000..84da4e2
--- /dev/null
+++ b/.gitea/workflows/terraform-apply.yml
@@ -0,0 +1,55 @@
+name: Terraform Apply
+
+on:
+ workflow_dispatch:
+ inputs:
+ pr_number:
+ description: 'PR Number to comment on'
+ required: false
+ type: string
+
+env:
+ TF_CLOUD_ORGANIZATION: homelab_terraform
+ TF_WORKSPACE: homelab
+
+jobs:
+ terraform-apply:
+ name: Terraform Apply
+ runs-on: gitea-runner-hestia
+ environment: production
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install Terraform
+ run: |
+ TERRAFORM_VERSION=1.10.0
+ curl -fsSL "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
+ unzip -o /tmp/terraform.zip -d /usr/local/bin/
+ chmod +x /usr/local/bin/terraform
+ terraform version
+
+ - name: Write Terraform Cloud credentials
+ env:
+ TF_CLOUD_TOKEN: ${{ secrets.TF_CLOUD_TOKEN }}
+ run: |
+ mkdir -p ~/.terraform.d/credentials
+ cat > ~/.terraform.d/credentials/tfcred.tfrc << EOF
+credentials "app.terraform.io" {
+ token = "$TF_CLOUD_TOKEN"
+}
+EOF
+
+ - name: Terraform Init
+ working-directory: ./terraform
+ run: |
+ terraform init \
+ -backend=true \
+ -backend-config="organization=$TF_CLOUD_ORGANIZATION" \
+ -backend-config="workspaces.name=$TF_WORKSPACE" \
+ -reconfigure
+
+ - name: Terraform Apply
+ working-directory: ./terraform
+ run: |
+ terraform apply -auto-approve -no-color 2>&1
diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
new file mode 100644
index 0000000..4255365
--- /dev/null
+++ b/.gitea/workflows/terraform-plan.yml
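Review bot: The "Write Terraform Cloud credentials" step leaves the API token in a file on the self-hosted runner `gitea-runner-hestia` that no later step removes, and as far as I know `~/.terraform.d/credentials/tfcred.tfrc` is not a location the CLI reads unless `TF_CLI_CONFIG_FILE` points at it, so `terraform init` may run unauthenticated; terraform-plan.yml repeats the step. Passing the secret as `TF_TOKEN_app_terraform_io` in the `env:` of the Init and Apply steps keeps it off disk and removes the heredoc, whose body as rendered here sits at column 0 and would end the `run: |` scalar early (worth checking against the real file). The "Install Terraform" step, also duplicated in the plan workflow, unzips the release into `/usr/local/bin` without comparing it to the published `SHA256SUMS`, and on a persistent runner that binary is later run with the token in scope; a verified install is sketched below. Gitea Actions may ignore `environment: production` (please confirm), in which case nothing visible gates `-auto-approve`, and the `pr_number` input is never used.

```yaml
      - name: Install Terraform
        run: |
          TERRAFORM_VERSION=1.10.0
          base="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}"
          zip="terraform_${TERRAFORM_VERSION}_linux_amd64.zip"
          sums="terraform_${TERRAFORM_VERSION}_SHA256SUMS"
          cd /tmp
          curl -fsSLO "${base}/${zip}"
          curl -fsSLO "${base}/${sums}"
          # Abort before installing if the archive does not match the published
          # digest. Same-origin check only; verifying the SHA256SUMS signature
          # would be stronger.
          grep " ${zip}\$" "${sums}" | sha256sum -c -
          unzip -o "${zip}" -d /usr/local/bin/
          # … unchanged: chmod +x, terraform version …

      # … "Write Terraform Cloud credentials" step dropped …

      - name: Terraform Init
        working-directory: ./terraform
        env:
          TF_TOKEN_app_terraform_io: ${{ secrets.TF_CLOUD_TOKEN }}
        run: |
          # … unchanged: terraform init arguments …

      - name: Terraform Apply
        working-directory: ./terraform
        env:
          TF_TOKEN_app_terraform_io: ${{ secrets.TF_CLOUD_TOKEN }}
        run: |
          # … unchanged: terraform apply command …
```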
@@ -0,0 +1,61 @@
+name: Terraform Plan
+
+on:
+ pull_request:
+ paths:
+ - 'terraform/**'
+ types:
+ - opened
+ - synchronize
+ - reopened
+
+env:
+ TF_CLOUD_ORGANIZATION: homelab_terraform
+ TF_WORKSPACE: homelab
+
+jobs:
+ terraform-plan:
+ name: Terraform Plan
+ runs-on: gitea-runner-hestia
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install Terraform
+ run: |
+ TERRAFORM_VERSION=1.10.0
+ curl -fsSL "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
+ unzip -o /tmp/terraform.zip -d /usr/local/bin/
+ chmod +x /usr/local/bin/terraform
+ terraform version
+
+ - name: Write Terraform Cloud credentials
+ env:
+ TF_CLOUD_TOKEN: ${{ secrets.TF_CLOUD_TOKEN }}
+ run: |
+ mkdir -p ~/.terraform.d/credentials
+ cat > ~/.terraform.d/credentials/tfcred.tfrc << 'EOF'
+credentials "app.terraform.io" {
+ token = "$TF_CLOUD_TOKEN"
+}
+EOF
+ echo "TF credentials configured"
+
+ - name: Terraform Init
+ working-directory: ./terraform
+ run: |
+ terraform init \
+ -backend=true \
+ -backend-config="organization=$TF_CLOUD_ORGANIZATION" \
+ -backend-config="workspaces.name=$TF_WORKSPACE" \
+ -reconfigure
+
+ - name: Terraform Plan
+ working-directory: ./terraform
+ run: |
+ terraform plan -no-color 2>&1 | tee /tmp/plan_output.txt
+
+ - name: Upload Plan Output
+ if: always()
+ run: |
+ cat /tmp/plan_output.txt || echo "No plan output"
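Review bot: The quoted delimiter in `cat > ~/.terraform.d/credentials/tfcred.tfrc << 'EOF'` turns off shell expansion, so the file receives the literal text `$TF_CLOUD_TOKEN` instead of the secret, yet the step still prints "TF credentials configured". Setting `TF_TOKEN_app_terraform_io: ${{ secrets.TF_CLOUD_TOKEN }}` in the `env:` of the Init and Plan steps would replace this step and keep the token off the runner's disk. In the "Terraform Plan" step, `terraform plan -no-color 2>&1 | tee /tmp/plan_output.txt` returns tee's exit status unless the runner's shell enables `pipefail`, so a failed plan can show as green; add `set -o pipefail` as the first line of that `run:` block. Because the job runs on `pull_request` on a persistent self-hosted runner, the Terraform code being planned comes from the PR branch while the token is in scope, and `/tmp/plan_output.txt` is a fixed path shared between runs. A plan-only token, a restriction on who can trigger the workflow, and a per-run output path are worth considering.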