diff --git a/.gitea/workflows/auto-pr-tofu-plan.yml b/.gitea/workflows/auto-pr-tofu-plan.yml
index d052b5a..33f3c3c 100644
--- a/.gitea/workflows/auto-pr-tofu-plan.yml
+++ b/.gitea/workflows/auto-pr-tofu-plan.yml
@@ -6,8 +6,8 @@ on:
 branches-ignore:
 - "main"
 - "renovate/**"
- paths:
- - "cloudflare/**"
+ # paths:
+ # - "cloudflare/**"
 env:
 OPENTOFU_VERSION: "1.10.6"
 HC_VAULT_VERSION: "1.20.4"
@@ -192,4 +192,43 @@ jobs:
 # with:
 # commenter_type: plan
 # commenter_input: ${{ steps.tofu_plan.outputs.plan-output }}
- # commenter_exitcode: ${{ steps.tofu_plan.outputs.exitcode }}
\ No newline at end of file
+ # commenter_exitcode: ${{ steps.tofu_plan.outputs.exitcode }}
+ approval:
+ name: Manual Approval
+ needs: plan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Wait for manual approval
+ uses: hmarr/auto-approve-action@v2
+ with:
+ message: "Awaiting manual approval to apply Tofu plan"
+
+ apply:
+ name: Apply Tofu Plan
+ needs: approval
+ runs-on: ubuntu-latest
+ if: ${{ needs.approval.result == 'success' }}
+ env:
+ VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup OpenTofu
+ uses: opentofu/setup-opentofu@v1.0.6
+ with:
+ version: ${{ env.OPENTOFU_VERSION }}
+ tofu_wrapper: true
+
+ - name: Export env from Vault
+ run: |
+ set -a
+ source cloudflare/.env
+ set +a
+
+ - name: Run Tofu Apply
+ uses: dnogu/tofu-apply@v1
+ with:
+ working-directory: .
+ chdir: cloudflare
+ plan: cloudflare.tfplan
\ No newline at end of file
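Review bot: Commenting out the `paths` filter makes this workflow run on every push to every branch other than `main` and `renovate/**`, whatever files changed, and — given the `apply` job this same commit adds further down — that push is now the only condition standing between a branch push and a `tofu apply`. If the intent is to stop the plan from being skipped when only the workflow file changes, keep the filter and extend it, `paths: ["cloudflare/**", ".gitea/workflows/auto-pr-tofu-plan.yml"]`, rather than removing it; if the removal is deliberate, replace the two commented-out lines with a one-line comment saying why the filter is off so the next reader does not restore it. The `on:` block starts before this hunk.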
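Review bot: The `approval` job is not a manual gate: hmarr/auto-approve-action, going by its name and documented purpose, submits an approving review on a pull request through the forge API and exits at once, and because this workflow runs on `push` (with the `paths` filter removed in the first hunk) `needs.approval.result == 'success'` is met immediately, so `tofu apply` runs unattended against the Cloudflare state on any non-main branch push. Nothing in this file uses a protected environment or reviewer rule, so the real gate has to be the trigger itself: drop the `approval` job, add `workflow_dispatch:` under `on:`, and guard the job with `if: ${{ github.event_name == 'workflow_dispatch' }}` (or restrict it to `refs/heads/main`) rather than a step titled "Wait for manual approval" that does not wait. Two further defects mean the job is unlikely to apply the plan that was reviewed anyway: `source cloudflare/.env` only affects that step's own shell (nothing is written to `$GITHUB_ENV`, and despite the step name no Vault call is visible, so `VAULT_TOKEN` is set but unused here), and `cloudflare.tfplan` was produced in the separate `plan` job on another runner with no artifact download in this one, so the apply either fails or, depending on how dnogu/tofu-apply treats a missing plan file, re-plans from whatever the pushed branch contains. Since this job carries `VAULT_GITEA_TOKEN`, pin `hmarr/auto-approve-action`, `opentofu/setup-opentofu` and `dnogu/tofu-apply` to commit SHAs instead of the mutable `@v2`/`@v1.0.6`/`@v1` tags.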