diff --git a/configuration.nix b/configuration.nix
index 4ece4be..12a7975 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -82,6 +82,11 @@
       repo = (lib.removeSuffix "\n" (builtins.readFile ./secrets/borg-backup-repo));
     };
 
+    gitea = {
+      enable = true;
+      privatePort = 8082;
+    };
+
     miniflux = {
       enable = true;
       adminCredentialsFile = "${./secrets/miniflux-admin-credentials}";
diff --git a/services/default.nix b/services/default.nix
index 67af050..7a4290b 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -4,6 +4,7 @@
   imports = [
     ./bitwarden_rs.nix
     ./borg-backup.nix
+    ./gitea.nix
     ./matrix.nix
     ./miniflux.nix
     ./monitoring.nix
diff --git a/services/gitea.nix b/services/gitea.nix
new file mode 100644
index 0000000..5968f12
--- /dev/null
+++ b/services/gitea.nix
@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.my.services.gitea;
+  my = config.my;
+
+  domain = config.networking.domain;
+in {
+  options.my.services.gitea = {
+    enable = mkEnableOption "Personal Git hosting with Gitea";
+
+    privatePort = mkOption {
+      type = types.int;
+      default = 8082;
+      example = 8082;
+      description = "Port to serve the app";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # use git as user to have `git clone git@git.domain`
+    users.users.git = {
+      description = "Gitea Service";
+      home = config.services.gitea.stateDir;
+      useDefaultShell = true;
+      group = "git";
+
+      # the systemd service for the gitea module seems to hardcode the group as
+      # gitea, so, uh, just in case?
+      extraGroups = [ "gitea" ];
+
+      isSystemUser = true;
+    };
+    users.groups.git = { };
+
+    services.gitea = {
+      enable = true;
+      user = "git";
+      domain = "git.${domain}";
+      appName = "Personal Forge";
+      rootUrl = "https://git.${domain}/";
+      httpAddress = "127.0.0.1";
+      httpPort = cfg.privatePort;
+      log.level = "Info"; # [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ]
+      lfs.enable = true;
+
+      # NOTE: temporarily remove this for initial setup
+      disableRegistration = true;
+
+      # only send cookies via HTTPS
+      cookieSecure = true;
+
+      settings = {
+        other.SHOW_FOOTER_VERSION = false;
+      };
+
+      dump.enable = true;
+
+      database = {
+        type = "postgres";
+        # user needs to be the same as gitea user
+        user = "git";
+      };
+    };
+
+    my.services.borg-backup = mkIf cfg.enable {
+      paths = [ config.services.gitea.dump.backupDir ];
+    };
+
+    services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+
+      virtualHosts = {
+        "git.${domain}" = {
+          forceSSL = true;
+          enableACME = true;
+
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
+          };
+        };
+      };
+    };
+  };
+}
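Review bot: The `# NOTE: temporarily remove this for initial setup` above `disableRegistration = true;` turns the bootstrap procedure into a window of open self-registration on a host that is already reachable over HTTPS through the `git.${domain}` vhost, and on a fresh Gitea instance the first account to register is granted administrator rights. The first admin can be created from the Gitea admin CLI with registration left closed, so I would replace that comment with `# Registration stays closed; bootstrap the first admin account via the gitea admin CLI rather than opening sign-up.`. Separately, `extraGroups = [ "gitea" ];` names a group this module never declares, and the NixOS gitea module may only create it when its user is left at the default, so either add `users.groups.gitea = { };` or drop the entry once it is confirmed unnecessary. Since `lfs.enable = true` and HTTP pushes also pass through the nginx `locations."/"` proxy, a raised `client_max_body_size` for that location is likely needed unless it is already set elsewhere in the nginx configuration.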