diff --git a/ansible/roles/gitea/files/gitea-shell b/ansible/roles/gitea/files/gitea-shell
new file mode 100644
index 0000000..e07a8f3
--- /dev/null
+++ b/ansible/roles/gitea/files/gitea-shell
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/docker exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
diff --git a/ansible/roles/gitea/handlers/main.yml b/ansible/roles/gitea/handlers/main.yml
new file mode 100644
index 0000000..371a87b
--- /dev/null
+++ b/ansible/roles/gitea/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
+- name: restart gitea
+  community.docker.docker_compose:
+    project_src: "{{ install_directory }}/gitea"
+    restarted: true
+
diff --git a/ansible/roles/gitea/tasks/main.yml b/ansible/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..379b3a0
--- /dev/null
+++ b/ansible/roles/gitea/tasks/main.yml
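Review bot: `sh "$@"` on the second line hands whatever sshd passes straight to a shell inside the container, so a session that arrives with no forced command (no arguments at all) becomes an interactive `sh` in the gitea container. As I understand the passthrough, the `gitea keys` output wired into sshd supplies a `command=` for every registered key, so this is only reachable through a key that lands in `~git/.ssh/authorized_keys` by some other route — but the login shell is the last line of defence and should refuse it. I would add `[ "$1" = "-c" ] || exit 1` before the docker call and change the call to `exec /usr/bin/docker exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"` so no host shell lingers for the life of the session. A header comment, `# login shell for the host git user: forwards sshd's forced command into the gitea container`, would also save the next reader a trip to the Gitea docs.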
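Review bot: `state: restarted` for sshd is heavier than an AuthorizedKeysCommand change needs and is the step that turns a bad sshd_config into a lockout; `state: reloaded` asks sshd to re-read its config while leaving the listener and existing sessions alone, and on distributions whose unit runs `sshd -t` in `ExecReload` it also refuses to apply a broken file. I would change that line to `state: reloaded`. The unit name is distribution-specific as well (`ssh` on Debian/Ubuntu, `sshd` on RHEL/Fedora), so unless the role only targets one family, `name: "{{ sshd_service_name | default('sshd') }}"` avoids a handler that silently fails on the other.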
@@ -0,0 +1,72 @@
+###### SSH Passthrough ######
+- name: Install gitea shell
+  ansible.builtin.copy:
+    src: gitea-shell
+    dest: /usr/local/bin/gitea-shell
+    mode: a+x
+  become: true
+
+- name: Append block to sshd config
+  ansible.builtin.blockinfile:
+    path: /etc/ssh/sshd_config
+    block: |
+      Match User git
+        AuthorizedKeysCommandUser git
+        AuthorizedKeysCommand /usr/bin/docker exec -i gitea /usr/local/bin/gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k
+  become: true
+  notify: restart sshd
+#############################
+
+- name: Create git user
+  user:
+    name: git
+    groups: docker
+    append: true
+    shell: /usr/local/bin/gitea-shell
+    system: true
+  register: service_user
+  become: true
+
+- name: Create install directory
+  file:
+    path: "{{ install_directory }}/{{ role_name }}"
+    state: directory
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Create data and config directories
+  file:
+    path: "{{ data_dir }}/gitea/{{ item }}"
+    state: directory
+    owner: "{{ service_user.uid }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  loop:
+    - data
+    - config
+  become: true
+
+- name: Install configuration file
+  template:
+    src: app.ini
+    dest: "{{ data_dir }}/gitea/config/app.ini"
+    owner: git
+    group: "{{ primary_gid }}"
+    mode: "0660"
+  notify: restart gitea
+  become: true
+
+- name: Copy docker-compose file to destination
+  template:
+    src: docker-compose.yml
+    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_file_mask }}"
+    validate: docker-compose -f %s config
+  become: true
+
+- name: Start docker container
+  community.docker.docker_compose:
+    project_src: "{{ install_directory }}/{{ role_name }}"
+    pull: true
+    remove_orphans: yes
diff --git a/ansible/roles/gitea/templates/app.ini b/ansible/roles/gitea/templates/app.ini
new file mode 100644
index 0000000..416d2bc
--- /dev/null
+++ b/ansible/roles/gitea/templates/app.ini
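Review bot: The `blockinfile` edit of `/etc/ssh/sshd_config` goes straight to the `restart sshd` handler with no syntax check, so a typo in the Match block (or a later edit to it) can lock you out of the host; the compose template below already uses `validate`, and the sshd task should do the same with `validate: /usr/sbin/sshd -t -f %s` (the `Match` block also has to stay the last thing in the file, which appending via blockinfile relies on — worth a comment). Separately, the `git` user is added to the `docker` group, which is root-equivalent on the host: that is what lets the AuthorizedKeysCommand and gitea-shell call `docker exec`, but it means anything that ever runs as `git` outside the forced command can escape to host root, so I would record the trade-off above that task: `# NOTE: docker group membership == host root; git must only ever run gitea-shell's forced command`. Minor: `mode: a+x` in the copy task leaves the base permissions to the remote umask, so use `mode: "0755"`, and `remove_orphans: yes` should be `true`.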
@@ -0,0 +1,53 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+
+[repository]
+ROOT = /var/lib/gitea/git/repositories
+DEFAULT_BRANCH = master
+
+[server]
+SSH_DOMAIN = git.mjwilson.org
+ROOT_URL = https://git.mjwilson.org
+START_SSH_SERVER = true
+SSH_PORT = 2222
+LFS_START_SERVER = true
+DOMAIN = git.mjwilson.org
+OFFLINE_MODE = true
+ENABLE_GZIP = true
+LANDING_PAGE = explore
+LFS_JWT_SECRET = {{ lfs_jwt_secret }}
+
+[database]
+DB_TYPE = postgres
+HOST = db:5432
+NAME = gitea
+USER = gitea
+PASSWD = gitea
+
+[session]
+PROVIDER = db
+COOKIE_NAME = gitea_session
+
+[security]
+INSTALL_LOCK = true
+# For automated deployments, generate secret key by hand. See here: https://docs.gitea.com/next/administration/command-line#generate
+SECRET_KEY = {{ secret_key }}
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ internal_token }}
+LOGIN_REMEMBER_DAYS = 30
+
+[service]
+DISABLE_REGISTRATION = true
+
+[ui]
+SHOW_USER_EMAIL = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+
+[mirror]
+DEFAULT_INTERVAL = 1h
+
+[federation]
+ENABLED = true
diff --git a/ansible/roles/gitea/templates/docker-compose.yml b/ansible/roles/gitea/templates/docker-compose.yml
new file mode 100644
index 0000000..65e68f6
--- /dev/null
+++ b/ansible/roles/gitea/templates/docker-compose.yml
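Review bot: `PASSWD = gitea` is a plaintext database password in a template whose other secrets (`SECRET_KEY`, `INTERNAL_TOKEN`, `LFS_JWT_SECRET`) are already vaulted, and the same literal is repeated as `POSTGRES_PASSWORD` in the compose template; it should be one vaulted variable, `PASSWD = {{ gitea_db_password }}`, rendered into both files so the two cannot drift. `REVERSE_PROXY_TRUSTED_PROXIES = *` tells Gitea to believe `X-Forwarded-For` from any peer that can reach port 3000, which here means every container on the shared `traefik` network, so the client address in logs and anything IP-based becomes spoofable; restrict it to the traefik network's CIDR (check `docker network inspect traefik`), e.g. `REVERSE_PROXY_TRUSTED_PROXIES = 172.18.0.0/16`. `ENABLE_OPENID_SIGNUP = true` next to `DISABLE_REGISTRATION = true` reads contradictory; with OpenID sign-in disabled it is presumably inert, but set it to `false` so the no-self-registration intent is explicit rather than relying on precedence.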
@@ -0,0 +1,39 @@
+version: "{{ docker_compose_version }}"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  server:
+    container_name: gitea
+    image: gitea/gitea:latest-rootless
+    restart: unless-stopped
+    networks:
+      - default
+      - traefik
+    user: "{{ service_user.uid }}"
+    volumes:
+      - "{{ data_dir }}/gitea/data:/var/lib/gitea"
+      - "{{ data_dir }}/gitea/config:/etc/gitea"
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 2222:2222
+    tmpfs:
+      - /var/lib/gitea/tmp
+    labels:
+      traefik.enable: true
+      traefik.http.routers.gitea.rule: "Host(`git.{{ personal_domain }}`)"
+      traefik.http.services.gitea.loadbalancer.server.port: 3000
+
+
+  db:
+    image: postgres:14
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: gitea
+      POSTGRES_PASSWORD: gitea
+      POSTGRESS_DB: gitea
+    volumes:
+      - "{{ data_dir }}/postgres/gitea:/var/lib/postgresql/data"
diff --git a/ansible/roles/gitea/vars/main.yml b/ansible/roles/gitea/vars/main.yml
new file mode 100644
index 0000000..5f8c5ec
--- /dev/null
+++ b/ansible/roles/gitea/vars/main.yml
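Review bot: `POSTGRESS_DB: gitea` is misspelled (`POSTGRES_DB`), so the postgres image ignores it; this only works because the image falls back to a database named after `POSTGRES_USER`, which happens to be `gitea` as well — fix the key so the database name is set on purpose rather than by coincidence. Both images float (`gitea/gitea:latest-rootless`, `postgres:14`) and the start task runs with `pull: true`, so every playbook run can silently upgrade Gitea with no review step; pin at least the Gitea tag to a version (or a digest) and bump it deliberately. The `server` service has no `depends_on: - db`, so on a cold start Gitea can race the database; add it, ideally gated on a `pg_isready` healthcheck. `POSTGRES_PASSWORD: gitea` duplicates the plaintext literal in app.ini and should come from the same vaulted variable, and `- 2222:2222` under `ports` is safer quoted as `"2222:2222"` like the other templated strings in this file.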
@@ -0,0 +1,31 @@
+lfs_jwt_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38396161633561663039656137386661383464663238383266343033376439643835613863626661
+  6130613033656262376565666233626530343234623039380a343434323932353632653130313436
+  35353464656362306538343232346232303864366532333436333266353732646539623163303831
+  3465313738353266370a333137306330336237396166313361373463393738363732356435353336
+  66376633386430636231623236636336306465393338393130306430383264633364623630336236
+  3132353161633634363139616133346537373763396235383331
+
+secret_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  63306161346430626235656337633236656436396136323435616565653831363763626539626465
+  6634333266333464646332623035663466326531336635330a326361613262656438353264333361
+  36303365343965393938346332343831373136656662303765616366613634383531336638313534
+  6635343564336532650a383338343661383766636335353037316365313463373834653033343466
+  34653332663438323638396639363230393664323931633762323532353561303237306564363931
+  65613332383937316139613638383738623535346536333463373663336264376365353462363238
+  34326239363833393135633932363638663134353861633236643336646463663066336365656664
+  35346131636565303633
+
+internal_token: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  35376465636238346336656232303530333263653064323935613337376462353665646138666436
+  6366343431353834383961643937386634373330363061350a653532333136376234613639333263
+  30646135633337666663356635363834663332663333666536313964626236373866353431383030
+  6131303736386666610a633465383639633132343838336337353934386135343830386535653537
+  62386438313833333338333339663538653666313633343835616365336265376635633266383361
+  38313438653630636233616437646639636235653737353461386230613736356662336237393039
+  62363962636132333266646431373162313261363635646166643462396161303635653338626431
+  35626638386562386361383035623431306465623738616361346139343134643134613563343038
+  38623638373335346533613536616136346638616465386637666463353234366237
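Review bot: These three secrets are vault-encrypted, which is the right way to commit them, but they sit in the role's `vars/` directory, which outranks inventory and `group_vars` in Ansible precedence, so a second host or environment cannot supply its own values without editing the role. If the role is meant to be reusable, move them to `group_vars`/`host_vars` (still vaulted) and keep `vars/main.yml` for role constants. Either way a short header would help whoever has to rotate them, e.g. `# per-deployment Gitea secrets; regenerate with the \`gitea generate secret …\` command linked from templates/app.ini`, since the file gives no hint of how they were produced.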