diff --git a/.gitea/workflows/apply-kubernetes.yml b/.gitea/workflows/apply-kubernetes.yml
index 0432fbb..68db561 100644
--- a/.gitea/workflows/apply-kubernetes.yml
+++ b/.gitea/workflows/apply-kubernetes.yml
@@ -50,6 +50,13 @@ jobs:
           kubectl apply -f kubernetes/homepage/
           kubectl rollout restart deployment/homepage -n homepage
 
+      - name: gitea
+        env:
+          CLOUDFLARED_GITEA_TOKEN: ${{ secrets.CLOUDFLARED_GITEA_TOKEN }}
+        run: |
+          for file in kubernetes/gitea/*.yml; do
+            cat "$file" | envsubst | kubectl apply -f -
+          done
 
   notify-on-failure:
     runs-on: home-server
diff --git a/kubernetes/gitea/gitea-cloudflare.yml b/kubernetes/gitea/gitea-cloudflare.yml
new file mode 100644
index 0000000..d8f19c2
--- /dev/null
+++ b/kubernetes/gitea/gitea-cloudflare.yml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflared-gitea-token
+  namespace: gitea
+type: Opaque
+stringData:
+  token: $CLOUDFLARED_GITEA_TOKEN
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloudflared-gitea
+  namespace: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cloudflared-gitea
+  template:
+    metadata:
+      labels:
+        app: cloudflared-gitea
+    spec:
+      containers:
+        - name: cloudflared
+          image: cloudflare/cloudflared:latest
+          imagePullPolicy: Always
+          args:
+            - tunnel
+            - run
+          env:
+            - name: TUNNEL_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflared-gitea-token
+                  key: token
+          livenessProbe:
+            httpGet:
+              path: /ready
+              port: 2000
+            failureThreshold: 1
+            initialDelaySeconds: 10
+            periodSeconds: 10