diff --git a/.gitea/workflows/crowdsec.yaml b/.gitea/workflows/crowdsec.yaml new file mode 100644 index 0000000..01c9abc --- /dev/null +++ b/.gitea/workflows/crowdsec.yaml @@ -0,0 +1,61 @@ +--- +# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml +name: Crowdsec + +on: #[push,pull_request] + workflow_dispatch: {} + push: &crowdsecPaths + paths: + - 'crowdsec/**/*.tf' + pull_request: *crowdsecPaths + +# cancel any previously-started, yet still active runs of this workflow on the same branch +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true + +.vault_step: &vault_step + name: read vault secret + uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main + id: vault-secrets + with: + url: https://vault.arcodange.duckdns.org + jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }} + role: gitea_cicd_crowdsec + method: jwt + path: gitea_jwt + secrets: | + kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ; + +jobs: + gitea_vault_auth: + name: Auth with gitea for vault + runs-on: ubuntu-latest + outputs: + gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}} + steps: + + - name: Auth with gitea for vault + id: gitea_vault_jwt + run: | + echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash + + tofu: + name: Tofu - Vault IAC + needs: + - gitea_vault_auth + runs-on: ubuntu-latest + env: + OPENTOFU_VERSION: 1.8.2 + TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }} + steps: + - *vault_step + - uses: actions/checkout@v4 + # - uses: dflook/terraform-plan@v1 + # with: + # path: hashicorp-vault/iac + - name: terraform apply + uses: dflook/terraform-apply@v1 + with: + path: crowdsec/iac + auto_approve: true \ No newline at end of file diff --git a/crowdsec/iac/backend.tf b/crowdsec/iac/backend.tf new file mode 100644 index 0000000..b04101f --- /dev/null +++ b/crowdsec/iac/backend.tf 
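Review bot: The Vault OIDC JWT is exported as a job output (`gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}`), and job outputs are not secret-masked, so a bearer token for the `gitea_cicd_crowdsec` role ends up readable in the run record; mask it in the producing step (`echo "::add-mask::$TOKEN"` before emitting `id_token`, which act_runner honours as far as I know) or have the `tofu` job obtain the token itself. The `pull_request` trigger reuses the `push` paths while the `tofu` job runs `dflook/terraform-apply@v1` with `auto_approve: true`, so a PR touching `crowdsec/**/*.tf` applies Vault changes before review; keep `pull_request` on a plan-only job and restrict apply to `push` on the main branch. `uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main` hands that JWT and the `GOOGLE_BACKEND_CREDENTIALS` it fetches to a mutable ref; pin it to a commit SHA. `base64 -d | bash` of `secrets.vault_oauth__sh_b64` makes the auth script unreviewable from this repo; commit the script and pass only the credentials it needs as secrets. Finally, `cancel-in-progress: true` can kill a run mid-apply and leave the GCS state lock held, so consider dropping it for the apply job.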
@@ -0,0 +1,6 @@ +terraform { + backend "gcs" { + bucket = "arcodange-tf" + prefix = "tools/crowdsec/main" + } +} \ No newline at end of file diff --git a/crowdsec/iac/main.tf b/crowdsec/iac/main.tf new file mode 100644 index 0000000..f918b77 --- /dev/null +++ b/crowdsec/iac/main.tf @@ -0,0 +1,5 @@ +module "app_roles" { + source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main" + name = "crowdsec" + service_account_namespaces = ["tools"] +} \ No newline at end of file diff --git a/crowdsec/iac/providers.tf b/crowdsec/iac/providers.tf new file mode 100644 index 0000000..e4a09d2 --- /dev/null +++ b/crowdsec/iac/providers.tf @@ -0,0 +1,16 @@ +terraform { + required_providers { + vault = { + source = "vault" + version = "4.4.0" + } + } +} + +provider "vault" { + address = "https://vault.arcodange.duckdns.org" + auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable + mount = "gitea_jwt" + role = "gitea_cicd_crowdsec" + } +} \ No newline at end of file diff --git a/crowdsec/templates/serviceaccount.yaml b/crowdsec/templates/serviceaccount.yaml new file mode 100644 index 0000000..53c928f --- /dev/null +++ b/crowdsec/templates/serviceaccount.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: crowdsec + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: true \ No newline at end of file diff --git a/crowdsec/templates/vaultauth.yaml b/crowdsec/templates/vaultauth.yaml new file mode 100644 index 0000000..fc2db79 --- /dev/null +++ b/crowdsec/templates/vaultauth.yaml @@ -0,0 +1,13 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: crowdsec + namespace: {{ .Release.Namespace }} +spec: + method: kubernetes + mount: kubernetes + kubernetes: + role: crowdsec + serviceAccount: crowdsec + audiences: + - vault \ No newline at end of file 
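Review bot: The `app_roles` module source is pinned to `ref=main`, so the Vault roles and policies this stack applies with `auto_approve` follow whatever is on that branch of `tools.git` at apply time; pin it to a tag or commit, e.g. `?depth=1&ref=<commit-sha>`, and bump it deliberately. The source also goes over SSH to a bare LAN address (`git@192.168.1.202:2222`), which only works if the runner has a deploy key and a `known_hosts` entry for that host — the workflow in this commit shows neither being set up, so presumably the runner image carries them; a comment here saying where they come from (`# SSH key + known_hosts for 192.168.1.202 are provisioned on the runner image`) would save the next person a failed apply.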
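Review bot: `source = "vault"` relies on the implicit `hashicorp/` namespace; write `source = "hashicorp/vault"` so the registry lookup is explicit and matches what ends up in the lock file. The `auth_login_jwt` block's dependency on the environment is only hinted at by the trailing comment; spelling it out as `# JWT is read from TERRAFORM_VAULT_AUTH_JWT, set by the tofu job in .gitea/workflows/crowdsec.yaml; login presumably fails if it is unset` helps anyone running this outside CI.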
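Review bot: `automountServiceAccountToken: true` mounts the `crowdsec` service account's token into every pod that uses it, yet nothing in this commit shows the crowdsec pods themselves calling the Kubernetes API; the `VaultAuth` CR references this SA and, as far as I can tell, the Vault Secrets Operator mints a short-lived `vault`-audience token for it via TokenRequest rather than reading a mounted token. Set `automountServiceAccountToken: false` here so the pods do not carry an API credential they do not use, and re-enable it only if a crowdsec component turns out to need in-cluster API access.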
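Review bot: The Kubernetes auth role `crowdsec` is bound on the Vault side to service-account namespace `tools` (`service_account_namespaces = ["tools"]` in `crowdsec/iac/main.tf`, presumably mapped to the role's bound namespaces by the module), while this template takes the namespace from `{{ .Release.Namespace }}`; installing the release anywhere else will fail Vault login with a permission error that does not point at the cause. Either derive the Terraform value from the same release namespace or add a comment here: `# must be released into namespace 'tools' — the Vault role only binds that namespace`. `audiences: [vault]` is the right shape, but it only takes effect if the Vault role was created with `audience = "vault"`; confirm the module sets it.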
diff --git a/crowdsec/templates/vaultdynamicsecret.yaml b/crowdsec/templates/vaultdynamicsecret.yaml new file mode 100644 index 0000000..9d9a408 --- /dev/null +++ b/crowdsec/templates/vaultdynamicsecret.yaml @@ -0,0 +1,25 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultDynamicSecret +metadata: + name: crowdsec-db-credentials + namespace: {{ .Release.Namespace }} +spec: + + # Mount path of the secrets backend + mount: postgres + + # Path to the secret + path: creds/crowdsec + + # Where to store the secrets, VSO will create the secret + destination: + create: true + name: crowdsec-db-credentials + + # Restart these pods when secrets rotated + rolloutRestartTargets: + - kind: Deployment + name: crowdsec-lapi + + # Name of the CRD to authenticate to Vault + vaultAuthRef: crowdsec \ No newline at end of file diff --git a/crowdsec/values.yaml b/crowdsec/values.yaml index be83896..4e5179c 100644 --- a/crowdsec/values.yaml +++ b/crowdsec/values.yaml @@ -29,6 +29,16 @@ crowdsec: &crowdsec_config value: "homelab" - name: ENROLL_TAGS value: "k3s rpi test" + - name: DB_USER + valueFrom: + secretKeyRef: + name: crowdsec-db-credentials + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: crowdsec-db-credentials + key: password appsec: enabled: true acquisitions: 
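Review bot: The `VaultDynamicSecret` does not set `revoke`, so when the CR (or the whole release) is deleted the last leased `creds/crowdsec` credential stays valid in Postgres until its TTL expires; add `revoke: true` under `spec` so VSO revokes the lease on deletion. `rolloutRestartTargets` only restarts `crowdsec-lapi`, which is right if LAPI is the only consumer of `DB_USER`/`DB_PASSWORD` (the `values.yaml` change in this commit suggests so), but a comment stating that assumption, e.g. `# only LAPI talks to Postgres; add other consumers here if that changes`, would help whoever adds a second one. Note the Secret is written with the database engine's `username`/`password` keys, which is what the `secretKeyRef`s in `values.yaml` expect.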
@@ -48,6 +58,25 @@ crowdsec: &crowdsec_config requests: cpu: "100m" memory: "200Mi" + config: + config.yaml.local: | + db_config: + type: postgresql + user: ${DB_USER} + password: ${DB_PASSWORD} + db_name: crowdsec + host: pgbouncer.tools + port: 5432 + api: + server: + auto_registration: # Activate if not using TLS for authentication + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ do not change + allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.42.0.0/16" + - "172.16.0.0/12" tool: # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template diff --git a/hashicorp-vault/iac/terraform.tfvars b/hashicorp-vault/iac/terraform.tfvars index 1b0a15c..1945736 100644 --- a/hashicorp-vault/iac/terraform.tfvars +++ b/hashicorp-vault/iac/terraform.tfvars @@ -6,4 +6,8 @@ applications = [ ops_policies = ["factory__cf_r2_arcodange_tf"] service_account_names = ["cloudflared"] }, + { + name = "crowdsec" + service_account_namespaces = ["tools"] + }, ] \ No newline at end of file
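Review bot: The `allowed_ranges` for `auto_registration` include `192.168.0.0/16` and `172.16.0.0/12` alongside the k3s pod CIDR `10.42.0.0/16`, so any host on the LAN or the default Docker range that learns `REGISTRATION_TOKEN` can register itself as an agent without TLS; since the comment itself says to adapt this to the pod IP ranges, trim it to `- "127.0.0.1/32"` and `- "10.42.0.0/16"` unless agents actually run with host networking. `db_config` also sends the dynamic Postgres credentials to `pgbouncer.tools:5432` with no `sslmode`, so the password travels in clear text on the cluster network unless pgbouncer enforces TLS some other way; if it does, a comment saying so would save the next reviewer the question. The `crowdsec` block this hunk edits starts before the hunk.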