diff --git a/hosts/harbor/configuration.nix b/hosts/harbor/configuration.nix
index 629bb8b..4a8bd8b 100644
--- a/hosts/harbor/configuration.nix
+++ b/hosts/harbor/configuration.nix
@@ -18,6 +18,10 @@
 sopsFile = ../../secrets/harbor/wg.yaml;
 key = "privateKey";
 };
+ sops.secrets."gitea-db-pass" = {
+ sopsFile = ../../secrets/harbor/gitea.yaml;
+ key = "databasePassword";
+ };
 # Configure nix and garbage collection
 nix = {
@@ -50,6 +54,9 @@
 };
 # hive modules
+ hive.gitea-instance.enable = true;
+ hive.gitea-instance.instanceFQDN = "git.jroeger.de";
+ hive.gitea-instance.databasePasswordFile = config.sops.secrets.gitea-db-pass.path;
 hive.nextcloud-instance.enable = true;
 hive.nextcloud-instance.ssl = true;
 hive.nextcloud-instance.adminPasswordFile = config.sops.secrets.nextcloud-admin-pass.path;
diff --git a/modules/default.nix b/modules/default.nix
index ccc3b8e..5efbd59 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -27,6 +27,7 @@
 ./programs/games.nix
 ./programs/spotify-shortcuts.nix
 ./services/borg-server.nix
+ ./services/gitea-instance.nix
 ./services/kdeconnect.nix
 ./services/nextcloud-instance.nix
 ./services/virt-manager.nix
diff --git a/modules/services/gitea-instance.nix b/modules/services/gitea-instance.nix
new file mode 100644
index 0000000..82a6371
--- /dev/null
+++ b/modules/services/gitea-instance.nix
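Review bot: The new `sops.secrets."gitea-db-pass"` entry in the first hunk declares no `owner`, so the decrypted file keeps sops-nix's default root-only ownership and mode, while the Gitea unit that this commit points at it (via `databasePasswordFile` in the second hunk) runs as its own service user and, as far as I recall from the upstream module, reads `passwordFile` itself in its pre-start step, which would then fail with a permission error. Adding `owner = config.services.gitea.user;` to the secret resolves this; the `wg.yaml` secret above is consumed by root, which is presumably why it needs no owner, and whatever the nextcloud secret declares should be matched for consistency. The enclosing `sops.secrets` attribute set continues outside the hunk.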
@@ -0,0 +1,70 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.hive.gitea-instance;
+in {
+ options.hive.gitea-instance = {
+ enable = lib.mkEnableOption "Enable the Gitea instance";
+
+ instanceFQDN = lib.mkOption {
+ type = lib.types.singleLineStr;
+ example = "git.example.com";
+ description = "Fully qualified domain name of the Gitea instance";
+ };
+
+ databasePasswordFile = lib.mkOption {
+ type = lib.types.path;
+ example = "/etc/gitea-db-pass.txt";
+ description = "Path to the file containing the Gitea database password";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Gitea instance
+ services.gitea = {
+ enable = true;
+ appName = "Git yourself some Tea!";
+ database = {
+ name = "gitea";
+ type = "postgres";
+ passwordFile = cfg.databasePasswordFile;
+ };
+ settings = {
+ server.PROTOCOL = "http+unix";
+ server.ROOT_URL = "https://${cfg.instanceFQDN}/";
+ server.DOMAIN = cfg.instanceFQDN;
+ };
+ };
+
+ # Fallback server with only 403
+ services.nginx.virtualHosts.${config.networking.domain} = lib.mkDefault {
+ default = true;
+ locations."/".return = 403;
+ forceSSL = true;
+ enableACME = true;
+ };
+
+ # Virtual host for gitea
+ services.nginx.virtualHosts."${cfg.instanceFQDN}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://unix:/run/gitea/gitea.sock";
+ };
+ };
+
+ # Database setup
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [config.services.gitea.user];
+ ensureUsers = [
+ {
+ name = config.services.gitea.database.user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ };
+}
diff --git a/secrets/harbor/gitea.yaml b/secrets/harbor/gitea.yaml
new file mode 100644
index 0000000..4e4757d
--- /dev/null
+++ b/secrets/harbor/gitea.yaml
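Review bot: `ensureDatabases = [config.services.gitea.user];` in the postgresql block ensures a database named after the service user, while the `services.gitea.database` block above sets `name = "gitea"`; the two only coincide because the upstream default user is also `gitea`, and since `ensureDBOwnership` requires the database to carry its owning role's name, the list should read `ensureDatabases = [config.services.gitea.database.name];` so that a changed `database.name` fails loudly at evaluation rather than silently creating an unused database. I also believe the upstream gitea module already performs this ensureDatabases/ensureUsers setup when `database.createDatabase` is left at its default, so the whole block may be redundant and is worth checking before keeping. The `proxyPass` location forwards no client headers, so Gitea will see every request as originating from the socket; `recommendedProxySettings = true;` on the location restores the real client address for its logs and login throttling, and large pushes may additionally need `clientMaxBodySize`. Finally, `databasePasswordFile` is typed `lib.types.path`, which also accepts a Nix path literal that would be copied into the world-readable store; a sentence in the option description saying to pass a runtime path such as a sops `.path` string, never a path literal, would prevent that foot-gun.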
@@ -0,0 +1,25 @@
+databasePassword: ENC[AES256_GCM,data:D0pt10IJXbmx5Fj/yvMxyPjVPGctrQ==,iv:OiBSQIr4/lLCAV2mlIBfIfiVT51SeTGU1xJustlXZes=,tag:6FRtjip5pR7PeaJXRw1DVw==,type:str]
+sops:
+ age:
+ - recipient: age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMnU3bE51SGhMbnFJZitN
+ RGJTMVBndVBhVVFGTVhHTU5BbWxEVnBMRjM4CnNZTy94T3h5TlZlNFdFV3JKVzEw
+ R1Y4dzNOYnR4TE9GN3E0ejNjVklHUzgKLS0tIHd2YUdXRnBtaFVjdDlOVi9wVjRJ
+ MVFrRDc3VkwxTDBqZkJNbmtGYXJkOEUK2N0kZdgCYYmGdgTdozqMSfEPOtWvol9X
+ CqVW0cp4BbycA1yV14H555ywFkz2n9tp8vuapt7FP1guFGiVYxK5Wg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNXhsTzNrQkwyQnJXdU1x
+ ZHZMNkdqV1NzRnRwQktrRzMzenRnTDFwTmx3CnB2UDJUbUJvcE5zbzlqRlFtUjdt
+ MU1JNGlJOUtMUE1MQzhZdmF2M0I0c3MKLS0tICsxUTFTbm5udUMyRyt0VnprU3dG
+ c1N5VHJZY1JkSCtPTGdHQlI1QUxQZncKzHuz+/0jj/0AL2atUTw56fL8J3bKBNmg
+ hCIsy3SeMeNXs2KN/yka3mfvzoCHeqHRXhQr8MzTkHaGmUhCv5ix/A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-20T22:17:16Z"
+ mac: ENC[AES256_GCM,data:hN0eKuZyls/R5fbL7+U5INi0cq/TYVdTR9PYqgsrPWJL+HtN6KA6ZpaWR27ZBLv9/zB6FHPTg2Js+RQqYE6CZP+0scIx4p5uUe+kUV3qfX3/ZL6wh0vHpn8Jv+Y2NE8OMTeztYSqSDfTgqxeOfY0AchgMFiwgNITDl0IBrPfRSY=,iv:nY5bDlzNGc3N1xU5Zgt/aBgcelfvO5JEuf3sMVNfS14=,tag:oAhw2ZjGA0/DEISS4aqvkA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0