diff --git a/main.tf b/main.tf index 73da04a9..4cd26c2a 100644 --- a/main.tf +++ b/main.tf @@ -96,6 +96,7 @@ variable "public_ip" {} variable "cloudflare_proxied_names" {} variable "cloudflare_non_proxied_names" {} variable "cloudflare_tunnel_token" {} +variable "owntracks_credentials" {} # data "terraform_remote_state" "foo" { # backend = "kubernetes" @@ -400,6 +401,8 @@ module "kubernetes_cluster" { cloudflare_proxied_names = var.cloudflare_proxied_names cloudflare_non_proxied_names = var.cloudflare_non_proxied_names cloudflare_tunnel_token = var.cloudflare_tunnel_token + + owntracks_credentials = var.owntracks_credentials } diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index ccd81fd4..c2b62735 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -75,6 +75,7 @@ variable "cloudflare_tunnel_id" {} variable "public_ip" {} variable "cloudflare_proxied_names" {} variable "cloudflare_non_proxied_names" {} +variable "owntracks_credentials" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first @@ -556,3 +557,9 @@ module "actualbudget" { source = "./actualbudget" tls_secret_name = var.tls_secret_name } + +module "owntracks" { + source = "./owntracks" + tls_secret_name = var.tls_secret_name + owntracks_credentials = var.owntracks_credentials +} diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf index 57be5bf7..366ae809 100644 --- a/modules/kubernetes/nginx-ingress/main.tf +++ b/modules/kubernetes/nginx-ingress/main.tf @@ -328,8 +328,8 @@ resource "kubernetes_config_map" "ingress_nginx_controller" { setvar:tx.block_harvester_ip=1,\ setvar:tx.block_spammer_ip=1" EOT - plugins = "crowdsec" - # plugins = "" + # plugins = "crowdsec" + plugins = "" lua-shared-dicts = "crowdsec_cache: 50m" http-snippet : <<-EOT proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off; 
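Review bot: `variable "owntracks_credentials" {}` in the first main.tf hunk carries plaintext passwords but is declared with neither a type nor `sensitive = true`, so the whole map is printed verbatim in plan/apply output and in any CI log that captures it; declare it as `variable "owntracks_credentials" { type = map(string) sensitive = true }`. The matching declarations added in modules/kubernetes/main.tf and in the new modules/kubernetes/owntracks/main.tf should carry the same marking so the intent is explicit at every module boundary. The enclosing variable list continues outside the hunk.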
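Review bot: Swapping `plugins = "crowdsec"` for `plugins = ""` in the nginx-ingress hunk turns off the CrowdSec bouncer for every host behind this ingress controller, including the owntracks endpoint this same commit exposes with basic auth only, and nothing in the commit says why or whether it is temporary. If it is a debugging toggle, leave a comment next to it saying so and what re-enables it, e.g. `# plugins = "crowdsec"  # disabled <DATE-PLACEHOLDER>: <reason>; re-enable once resolved`; if it is permanent, the `lua-shared-dicts = "crowdsec_cache: 50m"` allocation presumably serves only the plugin and could go with it. Better still, drive it from a boolean variable, `plugins = var.enable_crowdsec ? "crowdsec" : ""`, so the protection state is visible in tfvars rather than in a comment swap. The enclosing kubernetes_config_map resource starts and ends outside the hunk.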
diff --git a/modules/kubernetes/owntracks/main.tf b/modules/kubernetes/owntracks/main.tf
new file mode 100644
index 00000000..07dddec4
--- /dev/null
+++ b/modules/kubernetes/owntracks/main.tf
@@ -0,0 +1,161 @@
+variable "tls_secret_name" {}
+variable "owntracks_credentials" {
+ type = map(string)
+ default = {
+ "foo" = "bar" // example format for username and password
+ }
+}
+
+resource "kubernetes_namespace" "owntracks" {
+ metadata {
+ name = "owntracks"
+ labels = {
+ "istio-injection" : "disabled"
+ }
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "owntracks"
+ tls_secret_name = var.tls_secret_name
+}
+
+locals {
+ username = "owntracks"
+ htpasswd = join("\n", [for name, pass in var.owntracks_credentials : "${name}:${bcrypt(pass, 10)}"])
+}
+
+resource "kubernetes_secret" "basic_auth" {
+ metadata {
+ name = "basic-auth-secret"
+ namespace = "owntracks"
+ }
+
+ data = {
+ auth = local.htpasswd
+ }
+
+ type = "Opaque"
+}
+
+resource "kubernetes_deployment" "owntracks" {
+ metadata {
+ name = "owntracks"
+ namespace = "owntracks"
+ labels = {
+ app = "owntracks"
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "Recreate"
+ }
+ selector {
+ match_labels = {
+ app = "owntracks"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "owntracks"
+ }
+ annotations = {
+ "diun.enable" = "true"
+ "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$"
+ }
+ }
+ spec {
+
+ container {
+ image = "owntracks/recorder:0.9.9"
+ name = "owntracks"
+ port {
+ name = "https"
+ container_port = 8083
+ }
+ env {
+ name = "OTR_PORT"
+ value = "0"
+ }
+
+ volume_mount {
+ name = "data"
+ mount_path = "/store"
+ }
+ }
+ volume {
+ name = "data"
+ nfs {
+ path = "/mnt/main/owntracks"
+ server = "10.0.10.15"
+ }
+ }
+ }
+ }
+ }
+}
+
+
+resource "kubernetes_service" "owntracks" {
+ metadata {
+ name = "owntracks"
+ namespace = "owntracks"
+ labels = {
+ "app" = "owntracks"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "owntracks"
+ }
+ port {
+ name = "https"
+ port = 443
+ target_port = 8083
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "owntracks" {
+ metadata {
+ name = "owntracks"
+ namespace = "owntracks"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/auth-type" = "basic" # support only basic auth; can't use authentik
+ "nginx.ingress.kubernetes.io/auth-secret" = kubernetes_secret.basic_auth.metadata[0].name
+ "nginx.ingress.kubernetes.io/auth-realm" = "Authentication Required"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["owntracks.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "owntracks.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "owntracks"
+ port {
+ number = 443
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/terraform.tfstate b/terraform.tfstate
index 6fce4445..8a54ca01 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index f05a44f0..fdf4afaf 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
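Review bot: `htpasswd = join("\n", [for name, pass in var.owntracks_credentials : "${name}:${bcrypt(pass, 10)}"])` in the locals block yields a different hash on every run, because bcrypt() draws a fresh random salt per call, so kubernetes_secret.basic_auth shows a perpetual diff and is rewritten on every apply. Either add `lifecycle { ignore_changes = [data] }` to that secret (accepting that a real credential change then needs a taint or targeted replace), or have callers pass pre-hashed htpasswd entries and drop bcrypt() from the local. Separately, the variable's `default = { "foo" = "bar" }` becomes a live login if any caller omits the argument; keep the example format in the comment only and declare the variable as `type = map(string)` with `sensitive = true` and no default. The unused `local.username` can be removed too.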