diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index da9eb27..65c6d45 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -190,6 +190,8 @@ jobs:
 -e "tailscale_oauth_client_secret=${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}" \
 -e "doppler_hetznerterra_service_token=${{ secrets.DOPPLER_HETZNERTERRA_SERVICE_TOKEN }}" \
 -e "doppler_openstaticfish_microservices_service_token=${{ secrets.DOPPLER_MICROSERVICES_SERVICE_TOKEN }}" \
+ -e "ghcr_username=${{ secrets.GHCR_USERNAME }}" \
+ -e "ghcr_read_token=${{ secrets.GHCR_READ_TOKEN }}" \
 -e "tailscale_api_key=${{ secrets.TAILSCALE_API_KEY }}" \
 -e "grafana_admin_password=${{ secrets.GRAFANA_ADMIN_PASSWORD }}" \
 -e "cluster_name=k8s-cluster"
diff --git a/ansible/roles/doppler-bootstrap/tasks/main.yml b/ansible/roles/doppler-bootstrap/tasks/main.yml
index 9393867..c04eab9 100644
--- a/ansible/roles/doppler-bootstrap/tasks/main.yml
+++ b/ansible/roles/doppler-bootstrap/tasks/main.yml
@@ -5,10 +5,21 @@
 - doppler_hetznerterra_service_token | length > 0
 fail_msg: doppler_hetznerterra_service_token must be provided for External Secrets bootstrap.
 
+- name: Ensure GHCR pull credentials are provided
+ assert:
+ that:
+ - ghcr_username | default("") | length > 0
+ - ghcr_read_token | default("") | length > 0
+ fail_msg: ghcr_username and ghcr_read_token must be provided for private MicroServices image pulls. 
+- name: Ensure external-secrets namespace exists
 shell: kubectl create namespace external-secrets --dry-run=client -o yaml | kubectl apply -f -
 changed_when: true
 
+- name: Ensure microservices namespace exists
+ shell: kubectl create namespace microservices --dry-run=client -o yaml | kubectl apply -f -
+ changed_when: true
+
 - name: Apply Doppler service token secret
 shell: >-
 kubectl -n external-secrets create secret generic doppler-hetznerterra-service-token 
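Review bot: The added `-e "ghcr_read_token=${{ secrets.GHCR_READ_TOKEN }}"` places the registry token in the argv of the ansible-playbook call, where it is readable by other processes on the runner through the process table for the length of the run (and printed in full if the step is ever traced with `set -x`); this mirrors how the neighbouring secrets are already passed, so it is an inherited weakness rather than a new one, but with another credential joining the list it is worth moving them to a temporary `-e @extra-vars.json` or an `env:` block read via `lookup('env', ...)`. Please also document the expected scope at this use, e.g. `# GHCR_READ_TOKEN: package read-only token; used solely to create the ghcr-pull-secret imagePullSecret`. The `run:` block this belongs to begins before the hunk and the surrounding step definition is not visible here.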
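Review bot: The new `Ensure GHCR pull credentials are provided` assert makes `ghcr_username`/`ghcr_read_token` mandatory for the whole role, yet the pull-secret task in the next hunk of this file is guarded by a `when:` on the same two conditions, which can never be false once this assert has passed; keep one of the two. If the credentials are meant to be optional (the Doppler microservices token just above is handled that way with `default("")`), drop this assert; if they are mandatory, drop the later `when:` so a missing value fails loudly here instead of silently skipping the secret and leaving the Deployments with an `imagePullSecrets` reference that cannot resolve. Separately, the namespace name `microservices` is now hard-coded in the new namespace task and again in `-n microservices` of the secret task; a role default such as `microservices_namespace: microservices` keeps the two in step. The task list continues outside the hunk.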
@@ -26,6 +37,19 @@
 no_log: true
 when: doppler_openstaticfish_microservices_service_token | default("") | length > 0
 
+- name: Apply GHCR pull secret for private MicroServices images
+ shell: >-
+ kubectl -n microservices create secret docker-registry ghcr-pull-secret
+ --docker-server=ghcr.io
+ --docker-username='{{ ghcr_username | default("") }}'
+ --docker-password='{{ ghcr_read_token | default("") }}'
+ --dry-run=client -o yaml | kubectl apply -f -
+ changed_when: true
+ no_log: true
+ when:
+ - ghcr_username | default("") | length > 0
+ - ghcr_read_token | default("") | length > 0
+
 - name: Note pending Doppler ClusterSecretStore bootstrap
 debug:
 msg: >-
diff --git a/apps/microservices/scraper-deployment.yaml b/apps/microservices/scraper-deployment.yaml
index 26ff474..eb85d63 100644
--- a/apps/microservices/scraper-deployment.yaml
+++ b/apps/microservices/scraper-deployment.yaml
@@ -15,6 +15,8 @@ spec:
 labels:
 app: scraper
 spec:
+ imagePullSecrets:
+ - name: ghcr-pull-secret
 containers:
 - name: scraper
 image: ghcr.io/openstaticfish/microservices/scraper:main
diff --git a/apps/microservices/site-analyzer-deployment.yaml b/apps/microservices/site-analyzer-deployment.yaml
index 3344c15..78747f0 100644
--- a/apps/microservices/site-analyzer-deployment.yaml
+++ b/apps/microservices/site-analyzer-deployment.yaml
@@ -20,6 +20,8 @@ spec:
 labels:
 app: site-analyzer
 spec:
+ imagePullSecrets:
+ - name: ghcr-pull-secret
 terminationGracePeriodSeconds: 30
 containers:
 - name: site-analyzer
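Review bot: In the added `Apply GHCR pull secret` task the credential is spliced into a shell command inside hand-written single quotes, `--docker-password='{{ ghcr_read_token | default("") }}'`; a value containing a `'` breaks the quoting and hands the rest of the value to the shell, and `no_log: true` then hides the cause along with the secret. Pass both values through Ansible's `quote` filter instead and drop the literal quotes: `--docker-username={{ ghcr_username | default("") | quote }}` and `--docker-password={{ ghcr_read_token | default("") | quote }}`. The token also sits in the kubectl process's argv on the control host for the duration of the call, which is acceptable for a short-lived bootstrap but worth a comment on the task so nobody later removes `no_log`. The `when:` guard here duplicates the assert added in the previous hunk of this file, so one of them is redundant.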
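Review bot: The added `imagePullSecrets` entry names `ghcr-pull-secret`, which the Ansible task in this commit creates only in the `microservices` namespace; the Deployment's `metadata.namespace` is outside this hunk, so please confirm this manifest (and `site-analyzer-deployment.yaml`, which receives the same addition) is applied into that namespace — a reference to a secret that does not exist in the pod's namespace is not rejected at apply time and only surfaces later as a failed image pull. A one-line comment on the new key would help the next reader, e.g. `# created by ansible/roles/doppler-bootstrap in namespace microservices`. The pod spec continues outside the hunk.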