diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
new file mode 100644
index 0000000..33a8c77
--- /dev/null
+++ b/.gitea/workflows/terraform-plan.yml
@@ -0,0 +1,56 @@
+name: Terraform Plan
+
+on:
+  pull_request:
+    paths:
+      - 'terraform/**'
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+env:
+  TF_CLOUD_ORGANIZATION: homelab_terraform
+  TF_WORKSPACE: homelab
+
+jobs:
+  terraform-plan:
+    name: Terraform Plan
+    runs-on: gitea-runner-hestia
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Terraform
+        run: |
+          TERRAFORM_VERSION=1.10.0
+          curl -fsSL "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
+          unzip -o /tmp/terraform.zip -d /usr/local/bin/
+          chmod +x /usr/local/bin/terraform
+          terraform version
+
+      - name: Write Terraform Cloud credentials
+        env:
+          TF_CLOUD_TOKEN: ${{ secrets.TF_CLOUD_TOKEN }}
+        run: |
+          mkdir -p ~/.terraform.d/credentials
+          cat > ~/.terraform.d/credentials/tfcred.tfrc << EOF
+credentials "app.terraform.io" {
+  token = "$TF_CLOUD_TOKEN"
+}
+EOF
+          echo "TF credentials configured"
+
+      - name: Terraform Init
+        working-directory: ./terraform
+        run: |
+          terraform init \
+            -backend=true \
+            -backend-config="organization=$TF_CLOUD_ORGANIZATION" \
+            -backend-config="workspaces.name=$TF_WORKSPACE" \
+            -reconfigure
+
+      - name: Terraform Plan
+        working-directory: ./terraform
+        run: |
+          terraform plan -no-color 2>&1 | tee /tmp/plan_output.txt