diff --git a/20-post-k8s/backup.tf b/20-post-k8s/backup.tf
new file mode 100644
index 0000000..1c17b55
--- /dev/null
+++ b/20-post-k8s/backup.tf
@@ -0,0 +1,46 @@
+resource "b2_bucket" "cowley-tech-home-backup" {
+ bucket_name = "cowley-tech-home-backup"
+ bucket_type = "allPrivate"
+}
+
+resource "b2_application_key" "user" {
+ for_each = toset(["timothy", "nicolas", "nadege"])
+
+ key_name = "cowley-tech-${each.key}-backup"
+ bucket_id = b2_bucket.cowley-tech-home-backup.id
+ capabilities = [
+ "deleteFiles",
+ "listBuckets",
+ "listFiles",
+ "readBuckets",
+ "readFiles",
+ "writeFiles",
+ ]
+}
+
+resource "b2_application_key" "admin" {
+
+ key_name = "cowley-tech-admin-backup"
+ bucket_id = b2_bucket.cowley-tech-home-backup.id
+ capabilities = [
+ "deleteFiles",
+ "listBuckets",
+ "listFiles",
+ "readBuckets",
+ "readFiles",
+ "writeFiles",
+ ]
+}
+#
+resource "kubernetes_secret" "b2-backup" {
+ for_each = toset(["timothy", "nicolas", "nadege"])
+
+ metadata {
+ name = "b2-backup-credentials-${each.key}"
+ namespace = "default"
+ }
+ data = {
+ B2_APPLICATION_KEY_ID = b2_application_key.user[each.key].application_key_id
+ B2_APPLICATION_KEY = b2_application_key.user[each.key].application_key
+ }
+}
diff --git a/authentik/.terraform.lock.hcl b/authentik/.terraform.lock.hcl
index 1df64a4..0f7aa76 100644
--- a/authentik/.terraform.lock.hcl
+++ b/authentik/.terraform.lock.hcl
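Review bot: Every per-user key in `b2_application_key.user` gets bucket-wide `readFiles` and `deleteFiles`, so any one of the three credentials (or any pod that mounts it) can read or wipe the other users' backups, and `admin` carries exactly the same capability list, so it adds no privilege separation at all. Scope each user key to its own prefix, e.g. `name_prefix = "${each.key}/"` in the `user` resource, and consider dropping `deleteFiles` from the user keys if the backup tool's prune step can run under the admin key instead, which also limits what a compromised client can destroy. The generated `application_key` values land in Terraform state and in a `kubernetes_secret` placed in the `default` namespace; treat the state backend as secret-bearing and move each secret into the namespace of the workload that consumes it.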
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2024.6.0" - constraints = "2024.6.0" + version = "2024.8.2" + constraints = "2024.8.2" hashes = [ - "h1:S9p9njz1sEpXMOY7vL6YGqOVMfYsX1AbUy2GhJ121C0=", - "zh:1faa2890439a76b18b05f6c7c753502615de5e34157dc77a2d2d4bbfd6ab4dc8", - "zh:288ce51c155380b55eb5b6cd82158b1d7e7193cede072f8be4735a4d6b1421fe", - "zh:397e2a61f36fadbcf7e07f914d27139c3d828323c77445194e6e6721e5f4fb3b", - "zh:3bdff2f4131fdc70eb5d0ae88f28e0c470b8dbde00735b239603347a451a2df0", - "zh:3c959ad7d3f4645e942ae4f33ab8736781df44e12f7185e35622e00625ee6f96", - "zh:66f8e918229a0b4d9654244d6bca921547ea7ee6582d302c37d96db3252315a3", - "zh:68b098049de3818290978c5db855a6fc52618dea9f7c180c5e4e322144a9d801", - "zh:6986198640803382504afeaac069a3f7c89262f44e03f6916005766095f4ac80", - "zh:6edfe344fa96e55de95dba04d58d08b332b59dadf93c822d38e321f4cb6fe4f5", - "zh:a4325ae5bed223665f39534397cfae9b4f9364b98523d200200f240deaf7f797", - "zh:cb60056969297c1aaaf213a477080780ef957926ec64913fab1db33409bc4c08", - "zh:e744a42dc4dba812846a837fc328f73e390531a64c16a1e280a5c1fea4c7e176", - "zh:f1ea072c1d3a7becdc4579bc85903642532639f134c8cf7e49e2e0f3bad5aee3", - "zh:f4a0c5a664d131d5c6a00e194b855e76ac5e6f0e0404e85e6fc3fa95029b10c1", + "h1:+RVux9TSmkUsxIinptup4oOdfzObeXLaOnc0oi0Vat4=", + "zh:1a08cf73a35237bf84e8761eb026b4175bc34bab4c6a206110cb9a3d06c86391", + "zh:1f5807c2ab22e21a9f4c1d19bc64c52150ac003c6a90417315d8fafb6cbfd09d", + "zh:20237b247cbee340d03629f3bb4e156e8ccf65db246eeffb4cad3dabe34f26bb", + "zh:416ee251d684360e993ea3bdd7b9b3abb869f1d27d3bfe7c53731d444493bad3", + "zh:4d76186b29969509fb950ddce03b80eba9bc3409b6bbd20f8a9e7623d84b63c0", + "zh:588bbeb5768dc0e6d6b3e7bc67709ef7bc4a7f48eeb659801bc8511d646141ac", + "zh:5f95796b207c90e4dcf5d9f2945929351c5709754ce66839279e87279a04204f", + "zh:60263694ce7e107f3f78d5cc727d6143082e0eaa97b15727af83aaed8305d351", + 
"zh:6ecc4bd586e37987cfa057fc3a3f87bd461e3215d9efb5654fdd639a8d5318e9", + "zh:9e05d3d930a92f160cd788a699b3e11c80b59cb67b5f0b4a9970a1f7e9b08045", + "zh:c6ecaafa4176f12c8930fe2225c34a6d64eb9eb9774b50df17714d2ae338068d", + "zh:d781b9de7ce45a0b67b177705f755746b3afb11c4cac9171825bd9ace4017da6", + "zh:df6d9bc87b752c4e75f5246b32a98049a3253762389fd8476a9b4f96729f9cdd", + "zh:ef6c1ce79965e212929674063de6280abae5ee5c064049880ab81ca0e27b7434", ] } diff --git a/authentik/chat.tf b/authentik/chat.tf index bedac97..ca85085 100644 --- a/authentik/chat.tf +++ b/authentik/chat.tf 
@@ -1,50 +1,50 @@ -resource "random_id" "chat_client_id" { - byte_length = 16 -} - -resource "authentik_provider_oauth2" "chat" { - name = "Chat" - # Required. You can use the output of: - # $ openssl rand -hex 16 - client_id = random_id.chat_client_id.id - - # Optional: will be generated if not provided - # client_secret = "my_client_secret" - - authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id - - redirect_uris = [ - "https://chat.lab.cowley.tech/oauth/oidc/callback" - ] - property_mappings = [ - data.authentik_scope_mapping.scope-openid.id, - data.authentik_scope_mapping.scope-email.id, - data.authentik_scope_mapping.scope-profile.id, - ] - lifecycle { - ignore_changes = [ - signing_key, - authentication_flow, - ] - } -} - -resource "authentik_application" "chat" { - name = "Chat" - slug = "chat" - protocol_provider = authentik_provider_oauth2.chat.id -} - -resource "kubernetes_secret" "chat" { - metadata { - name = "open-webui-authentik" - namespace = "ollama" - } - data = { - OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id - OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret - OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration" - OAUTH_PROVIDER_NAME = "Authentik" - OAUTH_SCOPES = "openid email profile" - } -} +#resource "random_id" "chat_client_id" { +# byte_length = 16 +#} +# +#resource "authentik_provider_oauth2" "chat" { +# name = "Chat" +# # Required. 
You can use the output of: +# # $ openssl rand -hex 16 +# client_id = random_id.chat_client_id.id +# +# # Optional: will be generated if not provided +# # client_secret = "my_client_secret" +# +# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id +# +# redirect_uris = [ +# "https://chat.lab.cowley.tech/oauth/oidc/callback" +# ] +# property_mappings = [ +# data.authentik_scope_mapping.scope-openid.id, +# data.authentik_scope_mapping.scope-email.id, +# data.authentik_scope_mapping.scope-profile.id, +# ] +# lifecycle { +# ignore_changes = [ +# signing_key, +# authentication_flow, +# ] +# } +#} +# +#resource "authentik_application" "chat" { +# name = "Chat" +# slug = "chat" +# protocol_provider = authentik_provider_oauth2.chat.id +#} +# +#resource "kubernetes_secret" "chat" { +# metadata { +# name = "open-webui-authentik" +# namespace = "ollama" +# } +# data = { +# OAUTH_CLIENT_ID = authentik_provider_oauth2.chat.client_id +# OAUTH_CLIENT_SECRET = authentik_provider_oauth2.chat.client_secret +# OPENID_PROVIDER_URL = "https://auth.lab.cowley.tech/application/o/chat/.well-known/openid-configuration" +# OAUTH_PROVIDER_NAME = "Authentik" +# OAUTH_SCOPES = "openid email profile" +# } +#} diff --git a/authentik/dashy.tf b/authentik/dashy.tf new file mode 100644 index 0000000..c623c25 --- /dev/null +++ b/authentik/dashy.tf 
@@ -0,0 +1,40 @@
+resource "random_id" "dashy_client_id" {
+ byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "dashy" {
+ name = "Dashy"
+ # Required. You can use the output of:
+ # $ openssl rand -hex 16
+ client_id = random_id.dashy_client_id.id
+ authentication_flow = data.authentik_flow.default-authentication-flow.id
+ authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+ client_type = "public"
+
+ redirect_uris = [
+ "https://dash.lab.cowley.tech/",
+ ".*"
+ ]
+
+ sub_mode = "user_email"
+
+ property_mappings = [
+ data.authentik_property_mapping_provider_scope.scope-email.id,
+ data.authentik_property_mapping_provider_scope.scope-profile.id,
+ data.authentik_property_mapping_provider_scope.scope-openid.id,
+ ]
+ lifecycle {
+ ignore_changes = [
+ signing_key,
+ authentication_flow,
+ ]
+ }
+}
+
+resource "authentik_application" "dashy" {
+ name = "Dashy"
+ slug = "dashy"
+ protocol_provider = authentik_provider_oauth2.dashy.id
+ open_in_new_tab = true
+}
diff --git a/authentik/data.tf b/authentik/data.tf
new file mode 100644
index 0000000..d19828e
--- /dev/null
+++ b/authentik/data.tf
@@ -0,0 +1,18 @@
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_flow" "default-authentication-flow" {
+ slug = "default-authentication-flow"
+}
+data "authentik_property_mapping_provider_scope" "scope-email" {
+ name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_property_mapping_provider_scope" "scope-profile" {
+ name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_property_mapping_provider_scope" "scope-openid" {
+ name = "authentik default OAuth Mapping: OpenID 'openid'"
+}
diff --git a/authentik/forgejo.tf b/authentik/forgejo.tf
new file mode 100644
index 0000000..07eff5d
--- /dev/null
+++ b/authentik/forgejo.tf
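Review bot: The `".*"` entry in `redirect_uris` on the `dashy` provider matches any URL, which turns the authorization endpoint into an open redirector that will hand the authorization code to an attacker-chosen callback; with `client_type = "public"` there is no client secret standing between that code and a token. Drop the wildcard and keep only the exact callback, `redirect_uris = ["https://dash.lab.cowley.tech/"]` (if Dashy needs a sub-path, list that path rather than a catch-all). Separately, `sub_mode = "user_email"` keys Dashy's notion of identity on a mutable attribute; unless Dashy specifically needs the email as subject, the default hashed user ID is the safer choice, and a comment saying why email was chosen would help the next reader.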
@@ -0,0 +1,53 @@
+resource "random_id" "forgejo_client_id" {
+ byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "forgejo" {
+ name = "Forgejo"
+ # Required. You can use the output of:
+ # $ openssl rand -hex 16
+ client_id = random_id.forgejo_client_id.id
+
+ # Optional: will be generated if not provided
+ # client_secret = "my_client_secret"
+
+ authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+ redirect_uris = [
+ "https://code.lab.cowley.tech/user/oauth2/authentik/callback"
+ ]
+ property_mappings = [
+ data.authentik_property_mapping_provider_scope.scope-email.id,
+ data.authentik_property_mapping_provider_scope.scope-profile.id,
+ data.authentik_property_mapping_provider_scope.scope-openid.id,
+ ]
+ lifecycle {
+ ignore_changes = [
+ signing_key,
+ authentication_flow,
+ ]
+ }
+}
+
+resource "authentik_application" "forgejo" {
+ name = "ForgeJo"
+ slug = "forgejo"
+ protocol_provider = authentik_provider_oauth2.forgejo.id
+}
+
+resource "authentik_group" "forgejo-admins" {
+ name = "gitadmin"
+}
+resource "authentik_group" "forgejo-users" {
+ name = "gituser"
+}
+resource "kubernetes_secret" "forgejo-oauth" {
+ metadata {
+ name = "forgejo-oauth"
+ namespace = "forgejo"
+ }
+ data = {
+ "key" = authentik_provider_oauth2.forgejo.client_id
+ "secret" = authentik_provider_oauth2.forgejo.client_secret
+ }
+}
diff --git a/authentik/grafana.tf b/authentik/grafana.tf
index 9f4a5f3..38370ea 100644
--- a/authentik/grafana.tf
+++ b/authentik/grafana.tf
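Review bot: The `gitadmin` and `gituser` groups are created at the bottom of the hunk but nothing binds them to `authentik_application.forgejo`, so group membership does not gate access — every authenticated authentik user can complete the OIDC login to Forgejo, and the scope mappings listed (`email`, `profile`, `openid`) emit no groups claim that Forgejo could use to tell admins from users. If the groups are meant to control access, add an `authentik_policy_binding` on the application (plus a groups scope mapping if Forgejo is expected to map `gitadmin` to its admin role); if they exist only for Forgejo-side group sync, say so with a comment such as `# consumed by Forgejo's group mapping; not enforced in authentik`. The `client_secret` written to `kubernetes_secret.forgejo-oauth` is also retained in Terraform state, so the state backend needs the same protection as the secret itself.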
@@ -1,18 +1,3 @@ -data "authentik_flow" "default-provider-authorization-implicit-consent" { - slug = "default-provider-authorization-implicit-consent" -} - -data "authentik_scope_mapping" "scope-email" { - name = "authentik default OAuth Mapping: OpenID 'email'" -} - -data "authentik_scope_mapping" "scope-profile" { - name = "authentik default OAuth Mapping: OpenID 'profile'" -} - -data "authentik_scope_mapping" "scope-openid" { - name = "authentik default OAuth Mapping: OpenID 'openid'" -} resource "random_id" "client_id" { byte_length = 16 @@ -34,9 +19,9 @@ resource "authentik_provider_oauth2" "grafana" { ] property_mappings = [ - data.authentik_scope_mapping.scope-email.id, - data.authentik_scope_mapping.scope-profile.id, - data.authentik_scope_mapping.scope-openid.id, + data.authentik_property_mapping_provider_scope.scope-email.id, + data.authentik_property_mapping_provider_scope.scope-profile.id, + data.authentik_property_mapping_provider_scope.scope-openid.id, ] lifecycle { diff --git a/authentik/groups.tf b/authentik/groups.tf index 0dd38e9..20129db 100644 --- a/authentik/groups.tf +++ b/authentik/groups.tf @@ -1,3 +1,7 @@ data "authentik_group" "admins" { name = "authentik Admins" } + +resource "authentik_group" "arr-users" { + name = "arr_users" +} diff --git a/authentik/immich.tf b/authentik/immich.tf index 162cdd6..60a026d 100644 --- a/authentik/immich.tf +++ b/authentik/immich.tf 
@@ -2,15 +2,15 @@ # slug = "default-provider-authorization-implicit-consent" #} # -#data "authentik_scope_mapping" "scope-email" { +#data "authentik_property_mapping_provider_scope" "scope-email" { # name = "authentik default OAuth Mapping: OpenID 'email'" #} # -#data "authentik_scope_mapping" "scope-profile" { +#data "authentik_property_mapping_provider_scope" "scope-profile" { # name = "authentik default OAuth Mapping: OpenID 'profile'" #} # -#data "authentik_scope_mapping" "scope-openid" { +#data "authentik_property_mapping_provider_scope" "scope-openid" { # name = "authentik default OAuth Mapping: OpenID 'openid'" #} # @@ -30,14 +30,14 @@ resource "authentik_provider_oauth2" "immich" { authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id redirect_uris = [ - "app.immich:/", + "app.immich:///oauth-callback", "https://photos.lab.cowley.tech/auth/login", "https://photos.lab.cowley.tech/user-settings", ] property_mappings = [ - data.authentik_scope_mapping.scope-email.id, - data.authentik_scope_mapping.scope-profile.id, - data.authentik_scope_mapping.scope-openid.id, + data.authentik_property_mapping_provider_scope.scope-email.id, + data.authentik_property_mapping_provider_scope.scope-profile.id, + data.authentik_property_mapping_provider_scope.scope-openid.id, ] lifecycle { ignore_changes = [ diff --git a/authentik/jellyfin.tf b/authentik/jellyfin.tf new file mode 100644 index 0000000..e824fe8 --- /dev/null +++ b/authentik/jellyfin.tf 
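Review bot: The changed mobile redirect `"app.immich:///oauth-callback"` is a custom-scheme URI, which on Android and iOS can be claimed by any installed app and therefore gives no assurance about who receives the authorization code (RFC 8252 §8.1). That is acceptable only when the native client uses PKCE; confirm that the Immich app sends a `code_challenge` and that this provider is not silently accepting a plain code exchange without one, since the confidential-client secret shared with the web deployment cannot protect a code delivered to the wrong app. A short comment next to the entry, e.g. `# mobile app callback: custom scheme, relies on PKCE`, would record that assumption. The enclosing `authentik_provider_oauth2.immich` resource starts before and ends after this hunk.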
@@ -0,0 +1,42 @@
+resource "random_id" "jellyfin_client_id" {
+ byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "jellyfin" {
+ name = "Jellyfin"
+ client_id = random_id.jellyfin_client_id.id
+
+ authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+ redirect_uris = [
+ "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
+ ]
+
+ property_mappings = [
+ data.authentik_property_mapping_provider_scope.scope-email.id,
+ data.authentik_property_mapping_provider_scope.scope-profile.id,
+ data.authentik_property_mapping_provider_scope.scope-openid.id,
+ ]
+ lifecycle {
+ ignore_changes = [
+ signing_key,
+ authentication_flow,
+ ]
+ }
+}
+
+resource "authentik_application" "jellyfin" {
+ name = "Jellyfin"
+ slug = "jellyfin"
+ protocol_provider = authentik_provider_oauth2.jellyfin.id
+ meta_launch_url = "https://jellyfin.lab.cowley.tech/sso/OID/start/authentik"
+}
+resource "kubernetes_secret" "jellyfin_oidc" {
+ metadata {
+ name = "jellyfin-oidc"
+ namespace = "jellyfin"
+ }
+ data = {
+ client-secret = authentik_provider_oauth2.jellyfin.client_secret
+ }
+}
diff --git a/authentik/lidarr.tf b/authentik/lidarr.tf
new file mode 100644
index 0000000..f1e610c
--- /dev/null
+++ b/authentik/lidarr.tf
@@ -0,0 +1,20 @@
+#resource "authentik_provider_proxy" "lidarr" {
+# name = "lidarr"
+# internal_host = "http://lidarr.jellyfin:8686"
+# external_host = "https://lidarr.lab.cowley.tech"
+# authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
+#}
+#
+#resource "authentik_outpost" "lidarr" {
+# name = "lidarr-outpost"
+# protocol_providers = [
+# authentik_provider_proxy.lidarr.id
+# ]
+#}
+#
+#resource "authentik_application" "lidarr" {
+# name = "Lidarr"
+# slug = "lidarr"
+#
+# protocol_provider = authentik_provider_proxy.lidarr.id
+#}
diff --git a/authentik/nextcloud.tf b/authentik/nextcloud.tf
index 307e4a1..7c89026 100644
--- a/authentik/nextcloud.tf
+++ b/authentik/nextcloud.tf
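Review bot: The single `redirect_uris` entry on the `jellyfin` provider is `.../sso/OID/start/authentik`, the same URL the hunk uses as `meta_launch_url`, i.e. the endpoint that starts the login rather than the one that receives the authorization code. The Jellyfin SSO plugin's callback is normally `.../sso/OID/r/authentik` (older plugin versions used `/sso/OID/redirect/authentik`), so the round trip is likely to be rejected at redirect-URI validation; confirm against the installed plugin version and change the entry to `"https://jellyfin.lab.cowley.tech/sso/OID/r/authentik"`, keeping the start URL only in `meta_launch_url`. A comment distinguishing the two URLs, e.g. `# launch URL starts the flow; the callback below is where authentik returns the code`, would stop them being conflated again.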
@@ -1,7 +1,7 @@ -#data "authentik_scope_mapping" "nextcloud" { +#data "authentik_property_mapping_provider_scope" "nextcloud" { # name = "Nextcloud Profile" #} -resource "authentik_scope_mapping" "nextcloud-scope" { +resource "authentik_property_mapping_provider_scope" "nextcloud-scope" { name = "Nextcloud Profile" scope_name = "profile" expression = <