diff --git a/terraform/doks.tf b/terraform/doks.tf
index 4bf08b2..47c8572 100644
--- a/terraform/doks.tf
+++ b/terraform/doks.tf
@@ -5,17 +5,39 @@ resource "digitalocean_kubernetes_cluster" "main" {
   region = var.region
   version = var.k8s_version
 
+  # Default pool — scaled to 0, workloads run on system/customer pools
   node_pool {
     name = "workers"
-    size = var.k8s_node_size
-    min_nodes = var.k8s_min_nodes
-    max_nodes = var.k8s_max_nodes
-    auto_scale = true
+    size = "s-2vcpu-4gb"
+    node_count = 0
   }
 
   tags = ["lunarfront", "k8s"]
 }
 
+# Customer pool — auto-scales for customer app instances
+resource "digitalocean_kubernetes_node_pool" "system" {
+  cluster_id = digitalocean_kubernetes_cluster.main.id
+  name = "system"
+  size = var.k8s_system_node_size
+  node_count = 2
+  labels = {
+    role = "system"
+  }
+}
+
+resource "digitalocean_kubernetes_node_pool" "customers" {
+  cluster_id = digitalocean_kubernetes_cluster.main.id
+  name = "customers"
+  size = var.k8s_customer_node_size
+  min_nodes = 0
+  max_nodes = var.k8s_max_customer_nodes
+  auto_scale = true
+  labels = {
+    role = "customer"
+  }
+}
+
 # ─── DNS — wildcard for customer subdomains → cluster load balancer ───────────
 # Uncomment after the cluster is up and nginx ingress load balancer IP is known.
 # Set cluster_lb_ip in terraform.tfvars then re-run terraform apply.
diff --git a/terraform/main.tf b/terraform/main.tf
index 031c6b8..ffa3950 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -47,8 +47,8 @@ resource "cloudflare_record" "gitea" {
   name = "git"
   type = "A"
   content = var.cluster_lb_ip
-  proxied = true
-  ttl = 1
+  proxied = false
+  ttl = 3600
 }
 
 # DNS only — no Cloudflare proxy, for SSH git access
diff --git a/terraform/variables.tf b/terraform/variables.tf
index e1294cb..befb6e4 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
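Review bot: The new `customers` pool is labelled `role = "customer"` but carries no taint, so nothing in this hunk stops the scheduler from placing customer app pods on the `system` nodes, or system workloads on customer nodes — a label only helps a workload that opts in via a nodeSelector or affinity. If the point of splitting the pools is to keep tenant instances off the infra nodes, add a `taint` block to the `customers` pool (the DigitalOcean provider supports `taint` on `digitalocean_kubernetes_node_pool`) and matching tolerations on the customer workloads, or taint the `system` pool instead. The comment `# Customer pool — auto-scales for customer app instances` is placed above the fixed-size `system` resource; move it onto `customers` and give `system` its own line, e.g. `# System pool — fixed size, runs infra workloads`. Setting `node_count = 0` on the default `workers` pool presumably relies on DOKS accepting an empty default pool — worth confirming before apply, since a rejection would fail the plan rather than keep the old autoscaled pool.
```hcl
resource "digitalocean_kubernetes_node_pool" "customers" {
  # … unchanged: cluster_id, name, size, min_nodes, max_nodes, auto_scale, labels …
  taint {
    key    = "role"
    value  = "customer"
    effect = "NoSchedule"
  }
}
```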
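Review bot: Setting `proxied = false` on the `gitea` record publishes `var.cluster_lb_ip` in public DNS, and that same address is the origin behind the proxied `vault`/`argocd` records, so the Cloudflare `admin_ip_allowlist` ruleset in waf.tf no longer protects those hosts on its own — requests that reach the load balancer without passing through Cloudflare are never evaluated by the ruleset. That is presumably why the waf.tf hunk drops `git.${var.domain}` from the allowlist, but the compensating control at the origin is not visible in this commit: the ingress or load balancer for the proxied hosts should accept HTTP(S) only from Cloudflare's published IP ranges (or use authenticated origin pulls), leaving only SSH exposed on the public address for git. The switch from `ttl = 1` (Cloudflare's automatic value for proxied records) to `ttl = 3600` is fine for a DNS-only record but deserves a comment on the resource stating the trade-off, e.g. `# DNS-only so SSH can reach the LB directly; this exposes the LB IP, so the origin must enforce its own allowlist`. The `cloudflare_record "gitea"` block opens before the hunk.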
@@ -46,22 +46,22 @@ variable "k8s_version" {
   default = "1.32.13-do.2"
 }
 
-variable "k8s_node_size" {
-  description = "Node pool droplet size"
+variable "k8s_system_node_size" {
+  description = "System node pool droplet size (infra workloads)"
   type = string
   default = "s-2vcpu-4gb"
 }
 
-variable "k8s_min_nodes" {
-  description = "Minimum nodes in the pool"
-  type = number
-  default = 1
+variable "k8s_customer_node_size" {
+  description = "Customer node pool droplet size (app instances)"
+  type = string
+  default = "s-1vcpu-2gb"
 }
 
-variable "k8s_max_nodes" {
-  description = "Maximum nodes in the pool"
+variable "k8s_max_customer_nodes" {
+  description = "Maximum nodes in the customer pool"
   type = number
-  default = 3
+  default = 10
 }
 
 variable "cluster_lb_ip" {
diff --git a/terraform/waf.tf b/terraform/waf.tf
index 088d5bc..c31c168 100644
--- a/terraform/waf.tf
+++ b/terraform/waf.tf
@@ -14,7 +14,6 @@ resource "cloudflare_ruleset" "admin_ip_allowlist" {
   expression = <<-EOT
     (
       http.host in {
-        "git.${var.domain}"
         "vault.${var.domain}"
         "argocd.${var.domain}"
       }
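Review bot: With `"git.${var.domain}"` removed from the `admin_ip_allowlist` expression, nothing in waf.tf records why the Gitea web UI is excluded from the admin allowlist, and the next reader is likely to re-add it without realising the ruleset cannot apply to a DNS-only host. Add an HCL comment above the `expression = <<-EOT` line, e.g. `# git.<domain> is intentionally absent: its record is DNS-only (main.tf), so Cloudflare rulesets never see that traffic — Gitea access control is enforced at the ingress/application.` The `cloudflare_ruleset` resource and the heredoc both extend outside the hunk.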