diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a7d709f..9579248 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,6 +26,7 @@ jobs:
 GLPA_C0_GH_REF: ${{ github.ref }}
 GLPA_TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 GLPA_TF_VAR_cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+ GLPA_TF_VAR_gitlab_api_token: ${{ secrets.GL_API_TOKEN }}
 - name: Find existing comment
 uses: peter-evans/find-comment@v3
diff --git a/domain/docs.tf b/domain/docs.tf
new file mode 100644
index 0000000..12f1bf7
--- /dev/null
+++ b/domain/docs.tf
@@ -0,0 +1,43 @@
+//noinspection MissingProperty
+data "gitlab_project" "telescopium" {
+ path_with_namespace = "code0-tech/telescopium"
+}
+
+resource "cloudflare_record" "docs_gitlab_pages" {
+ name = "docs"
+ type = "CNAME"
+ zone_id = data.cloudflare_zone.main_domain.id
+ value = "docs-code0-tech-c91f18c0d2259c041bf05138b194e6bb082059fe38eff2e.gitlab.io"
+ proxied = true
+ comment = "Managed by Terraform"
+}
+
+module "pages_certificate" {
+ source = "../modules/cloudflare/certificate"
+
+ hostname = cloudflare_record.docs_gitlab_pages.hostname
+}
+
+data "cloudflare_origin_ca_root_certificate" "cloudflare_root" {
+ algorithm = "rsa"
+}
+
+resource "gitlab_pages_domain" "docs" {
+ project = data.gitlab_project.telescopium.id
+ domain = cloudflare_record.docs_gitlab_pages.hostname
+
+ key = module.pages_certificate.private_key
+ certificate = <<-EOF
+ ${module.pages_certificate.certificate}
+ ${data.cloudflare_origin_ca_root_certificate.cloudflare_root.cert_pem}
+ EOF
+}
+
+//noinspection HILUnresolvedReference
+resource "cloudflare_record" "docs_gitlab_pages_verification" {
+ name = "_gitlab-pages-verification-code.docs"
+ type = "TXT"
+ zone_id = data.cloudflare_zone.main_domain.id
+ value = gitlab_pages_domain.docs.verification_code
+ comment = "Managed by Terraform"
+}
diff --git a/domain/main.tf b/domain/main.tf
index d64aa8c..cd5b370 100644
--- a/domain/main.tf
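Review bot: The new `GLPA_TF_VAR_gitlab_api_token` entry sits in the same env block as the Cloudflare secrets, so the GitLab token is visible to every step of this job, including the PR-commenting `find-comment` step that follows it. The workflow trigger and the top of the `jobs:` block are outside this hunk; if the job also runs for pull requests from forks (for example under `pull_request_target`), the token becomes reachable by untrusted changes and should instead be bound to a protected environment or to the Terraform step's own `env:`. Because this token ends up driving `gitlab_pages_domain`, which uploads a TLS private key, it is worth stating its scope next to the secret, e.g. `# GL_API_TOKEN: project access token for code0-tech/telescopium, api scope, minimum role that can manage Pages domains — confirm`.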
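Review bot: `gitlab_pages_domain.docs` forwards `module.pages_certificate.private_key` as `key`, so the origin private key is held in plaintext in this configuration's Terraform state and is re-sent over the GitLab API on each apply; nothing in the diff shows where that state is stored, and that backend should be confirmed to be encrypted and access-restricted before this merges. The chain built in the heredoc is a Cloudflare Origin CA leaf plus the Origin CA root, which browsers do not trust, so the site only serves valid TLS while `proxied = true` stays on `docs_gitlab_pages`; I would pin that down with a comment above the record, `# Must stay proxied: the origin cert uploaded to GitLab is only trusted by Cloudflare's edge`. The `<<-EOF` indent stripping applies to the template lines, not to the interpolated PEM text, so the result is well-formed, but a line such as `# leaf first, then Origin CA root — presumably what GitLab wants as a full chain` would spare the next reader the same check.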
+++ b/domain/main.tf
@@ -4,6 +4,10 @@ terraform {
 source = "cloudflare/cloudflare"
 version = "4.24.0"
 }
+ gitlab = {
+ source = "gitlabhq/gitlab"
+ version = "16.8.1"
+ }
 }
 }
@@ -11,3 +15,11 @@ data "cloudflare_zone" "main_domain" {
 account_id = var.cloudflare_account_id
 name = "code0.tech"
 }
+
+resource "cloudflare_zone_settings_override" "main" {
+ zone_id = data.cloudflare_zone.main_domain.id
+
+ settings {
+ ssl = "strict"
+ }
+}
diff --git a/main.tf b/main.tf
index 9b0cf9d..ef590b3 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,10 @@ terraform {
 source = "cloudflare/cloudflare"
 version = "4.24.0"
 }
+ gitlab = {
+ source = "gitlabhq/gitlab"
+ version = "16.8.1"
+ }
 }
 }
@@ -13,6 +17,11 @@ provider "cloudflare" {
 api_token = var.cloudflare_api_token
 }
+provider "gitlab" {
+ token = var.gitlab_api_token
+ base_url = "https://gitlab.com/api/v4/"
+}
+
 module "domain" {
 source = "./domain"
 cloudflare_account_id = var.cloudflare_account_id
diff --git a/modules/cloudflare/certificate/main.tf b/modules/cloudflare/certificate/main.tf
new file mode 100644
index 0000000..adb61bd
--- /dev/null
+++ b/modules/cloudflare/certificate/main.tf
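Review bot: `cloudflare_zone_settings_override.main` sets `ssl = "strict"` for the entire `code0.tech` zone, not just the new `docs` hostname, so every other proxied record in that zone must now present a certificate Cloudflare can validate or Cloudflare will start answering with origin-certificate errors; those records are outside this diff and should be checked before applying. If only docs needs Full (strict), a per-hostname SSL setting (a page rule or configuration rule matching `docs.code0.tech/*`) would keep the blast radius to this change. Either way the resource deserves a warning comment, `# Zone-wide: every proxied origin under code0.tech must serve a cert Cloudflare trusts`.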
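Review bot: The `gitlab` provider block consumes `var.gitlab_api_token` with no record of what the token may do, and its only use in this diff is `gitlab_pages_domain`, which uploads a TLS private key, so the scope matters. I would document it in place, `# Token for code0-tech/telescopium only (project access token, api scope); used for gitlab_pages_domain`, and prefer a project-scoped token over a personal one so a CI leak cannot reach other projects. The explicit `base_url` appears to match the provider's default for gitlab.com, which is fine to keep for clarity.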
@@ -0,0 +1,47 @@
+terraform {
+ required_providers {
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "4.24.0"
+ }
+ }
+}
+
+variable "hostname" {
+ type = string
+}
+
+resource "tls_private_key" "this" {
+ algorithm = "RSA"
+}
+
+// the key_algorithm property is read-only
+//noinspection MissingProperty
+resource "tls_cert_request" "this" {
+ private_key_pem = tls_private_key.this.private_key_pem
+
+ subject {
+ common_name = ""
+ organization = "Code0"
+ }
+}
+
+resource "cloudflare_origin_ca_certificate" "this" {
+ csr = tls_cert_request.this.cert_request_pem
+ hostnames = [ var.hostname ]
+ request_type = "origin-rsa"
+ requested_validity = 365
+ min_days_for_renewal = 90
+}
+
+output "hostname" {
+ value = var.hostname
+}
+
+output "certificate" {
+ value = cloudflare_origin_ca_certificate.this.certificate
+}
+
+output "private_key" {
+ value = tls_private_key.this.private_key_pem
+}
diff --git a/variables.tf b/variables.tf
index 44e72bd..51a1616 100644
--- a/variables.tf
+++ b/variables.tf
@@ -7,3 +7,8 @@ variable "cloudflare_account_id" {
 type = string
 sensitive = true
 }
+
+variable "gitlab_api_token" {
+ type = string
+ sensitive = true
+}
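Review bot: `output "private_key"` exposes `tls_private_key.this.private_key_pem` without `sensitive = true`, so the key is not redacted wherever Terraform renders that value, and the module's `required_providers` pins `cloudflare` but not the `tls` provider that `tls_private_key` and `tls_cert_request` come from, leaving it to implicit, unpinned resolution. Both are one-spot fixes: mark the output sensitive and add a pinned `hashicorp/tls` entry with a version constraint taken from the lockfile. The `tls_private_key` also relies on the provider's default RSA size since no `rsa_bits` is set; if that default is acceptable, a comment saying so would stop the next reader from guessing.
```hcl
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "4.24.0"
    }
    # pin the provider behind tls_private_key / tls_cert_request;
    # use the version .terraform.lock.hcl already resolves
    tls = {
      source = "hashicorp/tls"
    }
  }
}

# … unchanged: variable, tls_private_key, tls_cert_request,
#   cloudflare_origin_ca_certificate, outputs hostname/certificate …

output "private_key" {
  value     = tls_private_key.this.private_key_pem
  sensitive = true
}
```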