diff --git a/.gitea/workflows/apply-kubernetes.yml b/.gitea/workflows/apply-kubernetes.yml
index f68bc0a..5be2b2f 100644
--- a/.gitea/workflows/apply-kubernetes.yml
+++ b/.gitea/workflows/apply-kubernetes.yml
@@ -37,4 +37,9 @@ jobs:
 KUBECONFIG: /home/gitea-runner/.kube/config
 working-directory: /home/gitea-runner/infrastructure
 run: |
+ kubectl create secret generic copilot-secret \
+ -n copilot \
+ --from-literal=token=${{ secrets.COPILOT_SECRET }} \
+ --dry-run=client -o yaml | kubectl apply -f -
+
 kubectl apply -f kubernetes/copilot/
diff --git a/kubernetes/copilot/copilot-dep.yml b/kubernetes/copilot/copilot-dep.yml
index c41e234..c612c57 100644
--- a/kubernetes/copilot/copilot-dep.yml
+++ b/kubernetes/copilot/copilot-dep.yml
@@ -50,12 +50,28 @@ spec:
 port: 4444
 targetPort: 4444
 ---
-apiVersion: v1
-kind: Secret
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
- name: copilot-secret
+ name: copilot-api-ingress
 namespace: copilot
-type: Opaque
-stringData:
- token: "YOUR_COPILOT_TOKEN_HERE"
+ annotations:
+ cert-manager.io/cluster-issuer: cloudflare-issuer
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - copilot.alexmickelson.guru
+ secretName: copilot-api-tls-cert
+ rules:
+ - host: copilot.alexmickelson.guru
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: copilot-api
+ port:
+ number: 4444
 ---
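Review bot: `${{ secrets.COPILOT_SECRET }}` on the `--from-literal` line is substituted into the script text before the shell parses it, and it is unquoted, so a token containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being passed as one literal value. Pass it through the step's environment instead: add `COPILOT_SECRET: ${{ secrets.COPILOT_SECRET }}` next to `KUBECONFIG` (presumably the step's `env:` block, which starts outside this hunk) and write `--from-literal=token="$COPILOT_SECRET"`. Even quoted, the value still appears on the kubectl command line, which other local processes on the self-hosted runner can read; feeding it with `printf '%s' "$COPILOT_SECRET"` into `--from-file=token=/dev/stdin` would likely avoid that. The command also assumes the `copilot` namespace already exists, because the directory apply that might create it runs afterwards.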
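Review bot: The new Ingress routes every path under `copilot.alexmickelson.guru` to `copilot-api` on port 4444 with no access restriction visible in its annotations. Unless the backend authenticates callers itself (not visible in this hunk), anyone who can reach the ingress controller can use the service that holds the Copilot token. If the API is meant for a limited set of clients, add a restriction next to the cert-manager annotation, for example `nginx.ingress.kubernetes.io/whitelist-source-range: "<trusted CIDR>"`, or basic auth via `nginx.ingress.kubernetes.io/auth-type` and `nginx.ingress.kubernetes.io/auth-secret`. A short comment above the Ingress stating who is expected to reach it and how the backend authenticates them would record the exposure as a reviewed decision.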