diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..da426a7
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,66 @@
+default:
+ image: ghcr.io/vojtechmares/container-images/tfenv:latest
+ cache:
+ key: dot-terraform
+ paths:
+ - .terraform
+
+stages:
+ - init
+ - format
+ - validate
+ - plan
+ - apply
+
+variables:
+ PLAN: plan.cache
+ PLAN_JSON: plan.json
+
+init:
+ stage: init
+ script:
+ - terraform init
+
+format:
+ stage: format
+ script:
+ - terraform fmt -check -recursive -diff
+
+validate:
+ stage: validate
+ script:
+ - terraform validate
+
+plan:
+ stage: plan
+ variables:
+ TF_VAR_cloudflare_email: $CLOUDFLARE_EMAIL
+ TF_VAR_cloudflare_api_key: $CLOUDFLARE_API_KEY
+ TF_VAR_hcloud_token: $HCLOUD_TOKEN
+ before_script:
+ - apt-get update && apt-get install -y jq
+ - shopt -s expand_aliases
+ - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+ script:
+ - terraform plan -out=$PLAN
+ - terraform show --json $PLAN | convert_report > $PLAN_JSON
+ artifacts:
+ name: plan
+ paths:
+ - plan.cache
+ reports:
+ terraform: $PLAN_JSON
+
+apply:
+ stage: apply
+ variables:
+ TF_VAR_cloudflare_email: $CLOUDFLARE_EMAIL
+ TF_VAR_cloudflare_api_key: $CLOUDFLARE_API_KEY
+ TF_VAR_hcloud_token: $HCLOUD_TOKEN
+ script:
+ - terraform apply -auto-approve
+ dependencies:
+ - plan
+ rules:
+ - if: $CI_COMMIT_BRANCH == 'main'
+ when: manual
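Review bot: The apply job runs `terraform apply -auto-approve` without the saved plan, so although `dependencies: - plan` fetches `plan.cache`, Terraform computes a fresh plan at apply time and what gets applied can differ from what was reviewed in the plan stage; pass the file instead, `- terraform apply -auto-approve $PLAN`. The `plan.cache` artifact is itself sensitive, since Terraform plan files store input variable values in cleartext, which here would include the Cloudflare API key and the Hetzner token; the artifact has no `expire_in`, so add one (for example `expire_in: 1 day`, a constructed value) and restrict who can download job artifacts. The plan job has no `rules`, so it appears to run with those credentials on every branch unless the CI/CD variables are marked protected in the project settings. The default image is `tfenv:latest`, a mutable tag, and every job that receives the credentials runs inside it; pinning the image by digest would keep a retagged image from seeing the tokens.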