diff --git a/README.md b/README.md
index 0886f41..92441ef 100755
--- a/README.md
+++ b/README.md
@@ -7,4 +7,7 @@ ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass frontend.yaml
 # Github runner
 ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass github-runner.yaml
+
+# gitea server
+ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass gitea.yaml
 ```
diff --git a/apptabulous/reverseproxy/conf.d/reverse_proxy.conf b/apptabulous/reverseproxy/conf.d/reverse_proxy.conf
index 6d056c7..f7ad950 100755
--- a/apptabulous/reverseproxy/conf.d/reverse_proxy.conf
+++ b/apptabulous/reverseproxy/conf.d/reverse_proxy.conf
@@ -26,6 +26,25 @@ server {
 }
 }
+# gitea.m5p3nc3r webserver
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name gitea.m5p3nc3r.co.uk;
+
+ ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;
+
+ # if ($block_uri = 1) {
+ # return 403;
+ # }
+
+ location / {
+ proxy_pass http://rpi5-2:3000;
+ }
+}
 # apptabulous webserver
 server {
@@ -69,32 +88,6 @@ server {
 }
 }
-# my-aiva.apptabulous.co.uk
-# server {
-# listen 80;
-# listen [::]:80;
-# listen 443 ssl;
-# listen [::]:443 ssl;
-# server_name my-aiva.apptabulous.co.uk;
-
-# ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
-# ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;
-
-# if ($block_uri = 1) {
-# return 403;
-# }
-
-# # This must come before the / endpoint so as not to be masked
-# location /webhook {
-# proxy_pass http://my-aiva:5000;
-# }
-
-# location / {
-# proxy_pass http://my-aiva:3000;
-# }
-
-# }
-
 # Watchtower
 server {
 listen 80;
diff --git a/apptabulous/reverseproxy/nginx.conf b/apptabulous/reverseproxy/nginx.conf
new file mode 100644
index 0000000..22925b9
--- /dev/null
+++ b/apptabulous/reverseproxy/nginx.conf
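Review bot: The new gitea server block forwards to rpi5-2:3000 without passing any client context, so Gitea sees every request with the upstream name as Host and the proxy's address as the peer; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Real-IP $remote_addr;` inside `location /`. The plain port-80 listeners run the same proxy_pass instead of redirecting, so a client that follows an http:// link sends its Gitea credentials unencrypted; a `return 301 https://$host$request_uri;` for the non-TLS listeners closes that. The `if ($block_uri = 1)` check is commented out here, presumably because that variable came from the nginx-keyval image frontend.yaml no longer uses; any live server block elsewhere in this file that still references it is outside this hunk and worth checking, since nginx normally refuses to start on an unknown variable.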
@@ -0,0 +1,35 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
+
+stream {
+ include /etc/nginx/stream.d/*.conf;
+}
\ No newline at end of file
diff --git a/apptabulous/reverseproxy/stream.d/ssh.conf b/apptabulous/reverseproxy/stream.d/ssh.conf
new file mode 100644
index 0000000..e35ebb1
--- /dev/null
+++ b/apptabulous/reverseproxy/stream.d/ssh.conf
@@ -0,0 +1,7 @@
+# Stream the ssh connections for gitea
+server {
+ listen 2222;
+ proxy_pass rpi5-2:2222; # the machine where sshd runs (often same as gitea)
+ proxy_timeout 1h;
+ proxy_connect_timeout 10s;
+}
diff --git a/frontend.yaml b/frontend.yaml
index 9bf0d50..e931638 100755
--- a/frontend.yaml
+++ b/frontend.yaml
@@ -20,9 +20,9 @@
 - "www.apptabulous.co.uk"
 - "hub.apptabulous.co.uk"
 - "watchtower.apptabulous.co.uk"
- - "my-aiva.apptabulous.co.uk"
 - "m5p3nc3r.co.uk"
 - "www.m5p3nc3r.co.uk"
+ - "gitea.m5p3nc3r.co.uk"
 certbot_repo: https://github.com/certbot/certbot.git
 certbot_version: master
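Review bot: The `stream { }` block that includes stream.d/*.conf sets no access_log, so the TCP relay for Gitea SSH records nothing about who connected, for how long, or how much data moved, leaving repeated connection attempts against port 2222 invisible on the proxy host; add `log_format ssh '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';` and `access_log /var/log/nginx/stream.log ssh;` inside the stream block. The http block could also carry `server_tokens off;` so the version banner is not sent with every response. The file ends without a trailing newline.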
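Review bot: Because this server is a plain TCP relay, the Gitea side sees the proxy's address as the peer for every SSH session, so Gitea's own SSH logging and any per-source rate limiting or banning on rpi5-2 can no longer distinguish clients; such controls have to live on the proxy host (a stream-level access log gives them something to read). The listener accepts connections from any address; if the set of SSH users is known, `allow`/`deny` entries in this block narrow the exposure. The trailing comment `# the machine where sshd runs (often same as gitea)` is misleading here, since rpi5-2:2222 is the host port that gitea/compose.yaml maps to the container's port 22; `# docker host; compose publishes the gitea container's :22 on :2222` would be accurate.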
@@ -58,15 +58,18 @@
 - name: Start reverse proxy container
 community.docker.docker_container:
 name: reverse_proxy
- #image: nginx:1.26.2-alpine-slim
- image: ghcr.io/m5p3nc3r/nginx-keyval:main
+ image: nginx:alpine
+ #image: ghcr.io/m5p3nc3r/nginx-keyval:main
 restart_policy: always
 volumes:
+ - /etc/reverseproxy/nginx.conf:/etc/nginx/nginx.conf
 - /etc/reverseproxy/conf.d:/etc/nginx/conf.d
+ - /etc/reverseproxy/stream.d:/etc/nginx/stream.d
 - /etc/letsencrypt:/etc/letsencrypt
 ports:
 - "80:80"
 - "443:443"
+ - "2222:2222"
 state: started
 - name: Start docker registry
diff --git a/gitea.yaml b/gitea.yaml
new file mode 100644
index 0000000..c7ebf3c
--- /dev/null
+++ b/gitea.yaml
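Review bot: `image: nginx:alpine` is a floating tag, whereas the line it replaces (and the older commented-out `nginx:1.26.2-alpine-slim`) named a version; with `restart_policy: always`, and if the Watchtower this stack appears to serve also updates containers, the proxy that terminates TLS for every certbot domain will change version whenever the tag moves. Pin it, e.g. `image: nginx:<pinned-version>-alpine` or a digest, so the reverse proxy's version is controlled from this repository. Dropping the keyval image also drops whatever defined `$block_uri`; only a commented copy of the `if ($block_uri = 1)` check is visible in this diff, so any live server block in reverse_proxy.conf that still uses it needs the same treatment before this image change is rolled out.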
@@ -0,0 +1,71 @@
+---
+- name: Frontend setup
+ hosts: gitea
+
+ vars:
+ username: matt
+ nas_host: nas.localdomain
+
+ mounts:
+ gitea_repos:
+ local: "/mnt/gitea-repos"
+ remote: "/volume1/gitea-repos"
+ gitea_backups:
+ local: "/mnt/gitea-backups"
+ remote: "/volume1/gitea-backups"
+
+
+
+ docker_add_repo: true
+ docker_users:
+ - "{{ username }}"
+
+ roles:
+ - role: geerlingguy.git
+ become: true
+ - role: geerlingguy.docker
+ become: true
+
+ tasks:
+ - name: Create myapp directory in home
+ ansible.builtin.file:
+ path: "{{ ansible_env.HOME }}/gitea"
+ state: directory
+ mode: "0755"
+
+ - name: Copy the gitea compose file to the host
+ ansible.builtin.copy:
+ src: gitea/compose.yaml
+ dest: "{{ ansible_env.HOME }}/gitea/compose.yaml"
+
+ # - name: Install NFS client
+ # ansible.builtin.apt:
+ # name: nfs-common
+ # state: present
+ # update_cache: true
+ # become: true
+
+ - name: Create mountpoint directories for gitea
+ ansible.builtin.file:
+ path: "{{ item.value.local }}"
+ state: directory
+ mode: "0755"
+ loop: "{{mounts | dict2items }}"
+ become: true
+
+ - name: Mount an NFS volume for repositories
+ ansible.posix.mount:
+ src: "nas.localdomain:{{ item.value.remote }}"
+ path: "{{ item.value.local }}"
+ opts: nfsvers=3,proto=tcp,rw
+ state: mounted
+ fstype: nfs
+ loop: "{{ mounts | dict2items }}"
+ become: true
+
+
+ - name: Create and start services
+ community.docker.docker_compose_v2:
+ project_src: "{{ ansible_env.HOME }}/gitea/"
+ state: present
+
diff --git a/gitea/compose.yaml b/gitea/compose.yaml
new file mode 100644
index 0000000..f5a8c78
--- /dev/null
+++ b/gitea/compose.yaml
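Review bot: `nas_host: nas.localdomain` is declared under vars but the NFS mount task hard-codes the same hostname in `src: "nas.localdomain:{{ item.value.remote }}"`, so the variable is dead and changing it does nothing; use `src: "{{ nas_host }}:{{ item.value.remote }}"`. The play is named `Frontend setup` although it targets the `gitea` group, and `loop: "{{mounts | dict2items }}"` in the mountpoint task is missing the space after `{{` that the mount task has. The copy task for compose.yaml sets no `mode`, so the resulting permissions depend on the remote defaults; `mode: "0644"` makes it explicit and consistent with the two file tasks. With `nfsvers=3` the repository export is protected only by the NAS's host-based export list, so that list should be limited to rpi5-2.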
@@ -0,0 +1,32 @@
+services:
+ gitea:
+ image: gitea/gitea:latest
+ container_name: gitea
+ # restart: unless-stopped
+
+ environment:
+ # Gitea-supported vars for internal ownership/permissions
+ - USER_UID=1027
+ - USER_GID=65536
+ - TZ=Europe/London
+
+ volumes:
+ # Local: app.ini, database (sqlite by default), queues (LevelDB), sessions, etc.
+ - gitea-data:/data
+
+ # NAS: only repositories (best practice)
+ - /mnt/gitea-repos:/data/git/repositories
+
+ # Optional: put LFS on NAS too
+ # - /mnt/gitea-lfs:/data/git/lfs
+
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+
+ ports:
+ - "3000:3000" # Web
+ - "2222:22" # SSH (container 22 -> host 2222)
+
+volumes:
+ gitea-data:
+ driver: local
diff --git a/inventory b/inventory
index db696e6..dee8da8 100755
--- a/inventory
+++ b/inventory
@@ -2,4 +2,7 @@
 rpi4-2.localdomain
 [github-runners]
-rpi5-1.localdomain
\ No newline at end of file
+rpi5-1.localdomain
+
+[gitea]
+rpi5-2.localdomain
\ No newline at end of file
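Review bot: `image: gitea/gitea:latest` is a floating tag for the service that holds the repositories and their credentials, so any recreate may pull a different major release with its own migrations; pin a release tag or digest, e.g. `image: gitea/gitea:<pinned-version>`. With `# restart: unless-stopped` commented out the container does not come back after a reboot of rpi5-2, while reverse_proxy.conf and stream.d/ssh.conf keep forwarding to it. Publishing `"3000:3000"` on all host interfaces is what lets the proxy on another host reach it, but it also exposes the non-TLS web UI to the whole LAN, and until Gitea's first-run installer has been completed whoever reaches that page first (via the LAN or the new gitea.m5p3nc3r.co.uk vhost) creates the admin account — provision app.ini or finish the install immediately after deploy. The `USER_UID=1027` / `USER_GID=65536` pair presumably matches the owner of the NAS export mounted at /mnt/gitea-repos; a comment saying so would save the next reader from guessing.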