diff --git a/argocd/application.yaml b/argocd/application.yaml
index 1be6aea..0893697 100644
--- a/argocd/application.yaml
+++ b/argocd/application.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: http://10.10.0.64:3000/funman300/Rusty_Solitare.git
+    repoURL: https://git.aleshym.co/funman300/Rusty_Solitare.git
     targetRevision: master
     path: deploy
   destination:
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 24124dc..14e97ef 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -19,6 +19,47 @@ spec:
       imagePullSecrets:
         - name: gitea-registry
       containers:
+        - name: analytics
+          image: datasetteproject/datasette:0.65.1
+          args:
+            - serve
+            - /data/sol.db
+            - --host
+            - "0.0.0.0"
+            - --port
+            - "8001"
+            - --readonly
+            - --setting
+            - sql_time_limit_ms
+            - "5000"
+            - --setting
+            - max_returned_rows
+            - "1000"
+          ports:
+            - containerPort: 8001
+          volumeMounts:
+            - name: db-data
+              mountPath: /data
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /-/alive
+              port: 8001
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /-/alive
+              port: 8001
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 25m
+              memory: 48Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
         - name: server
           image: solitaire-server
           imagePullPolicy: Always
diff --git a/deploy/ingress-analytics.yaml b/deploy/ingress-analytics.yaml
new file mode 100644
index 0000000..f520c60
--- /dev/null
+++ b/deploy/ingress-analytics.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: solitaire-analytics
+  namespace: solitaire
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: solitaire-analytics-auth@kubernetescrd
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: analytics.aleshym.co
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: solitaire-server
+                port:
+                  name: analytics
+  tls:
+    - hosts:
+        - analytics.aleshym.co
+      secretName: analytics-tls
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 692ba13..f354aea 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -7,6 +7,9 @@ resources:
 - deployment.yaml
 - service.yaml
 - ingress.yaml
+- middleware-analytics-auth.yaml
+- secret-analytics-auth.yaml
+- ingress-analytics.yaml
 
 # CI updates this block automatically via `kustomize edit set image`.
 # The image name here matches the `image: solitaire-server` stub in deployment.yaml.
diff --git a/deploy/middleware-analytics-auth.yaml b/deploy/middleware-analytics-auth.yaml
new file mode 100644
index 0000000..cf26792
--- /dev/null
+++ b/deploy/middleware-analytics-auth.yaml
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: analytics-auth
+  namespace: solitaire
+spec:
+  basicAuth:
+    secret: analytics-auth-secret
diff --git a/deploy/service.yaml b/deploy/service.yaml
index e4e9631..329cf85 100644
--- a/deploy/service.yaml
+++ b/deploy/service.yaml
@@ -10,3 +10,6 @@ spec:
     - name: http
       port: 80
       targetPort: 8080
+    - name: analytics
+      port: 8001
+      targetPort: 8001