diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf
index 02ec817d..85b1a0b5 100644
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@@ -1,8 +1,3 @@
-variable "tls_secret_name" {
-  type      = string
-  sensitive = true
-}
-
 resource "kubernetes_namespace" "tuya-bridge" {
   metadata {
     name = "tuya-bridge"
@@ -77,9 +72,13 @@ resource "kubernetes_deployment" "tuya-bridge" {
         }
       }
       spec {
+        image_pull_secrets {
+          name = "registry-credentials"
+        }
         container {
-          image = "viktorbarzin/tuya_bridge:latest"
-          name  = "tuya-bridge"
+          image             = "forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag}"
+          image_pull_policy = "IfNotPresent"
+          name              = "tuya-bridge"
           port {
             container_port = 8080
           }
diff --git a/stacks/tuya-bridge/variables.tf b/stacks/tuya-bridge/variables.tf
new file mode 100644
index 00000000..5c2be4d3
--- /dev/null
+++ b/stacks/tuya-bridge/variables.tf
@@ -0,0 +1,10 @@
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+variable "image_tag" {
+  type        = string
+  default     = "latest"
+  description = "tuya_bridge image tag pushed to forgejo.viktorbarzin.me/viktor/tuya_bridge. Each Woodpecker run does `kubectl set image` to the 8-char git SHA; this variable is only used on initial create / TF recreate (image is in lifecycle.ignore_changes)."
+}