diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index c00633d..0a06a9e 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -274,6 +274,22 @@ jobs:
           kubectl -n flux-system wait --for=condition=Ready gitrepository/platform --timeout=180s
           kubectl -n flux-system wait --for=condition=Ready kustomization/infrastructure --timeout=300s
           kubectl -n flux-system wait --for=condition=Ready kustomization/addon-external-secrets --timeout=300s
+          # Create Doppler ClusterSecretStore now that ESO CRDs are available
+          kubectl apply -f - <<'EOF'
+          apiVersion: external-secrets.io/v1
+          kind: ClusterSecretStore
+          metadata:
+            name: doppler-hetznerterra
+          spec:
+            provider:
+              doppler:
+                auth:
+                  secretRef:
+                    dopplerToken:
+                      name: doppler-hetznerterra-service-token
+                      key: dopplerToken
+                      namespace: external-secrets
+          EOF
           # CCM and CSI are suspended for stable baseline - using k3s embedded cloud provider
           # kubectl -n flux-system wait --for=condition=Ready kustomization/addon-ccm --timeout=300s
           # kubectl -n flux-system wait --for=condition=Ready kustomization/addon-csi --timeout=300s