diff --git a/configuration/default.nix b/configuration/default.nix
index b6cd2c3..ce509ff 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -5,6 +5,7 @@
   ...
 }: {
   imports = [
+    ./services/gitea.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
     ./services/starbound.nix
@@ -80,6 +81,11 @@
       domain = config.services.nginx.domain;
     in {
       "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
+      "gitea.${domain}" = proxyPassToPort 3000 {};
+      "nextcloud.${domain}" = {
+        forceSSL = true;
+        enableACME = true;
+      };
     };
   };
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 1bcbe7a..5f9ebd0 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
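Review bot: The `gitea.${domain}` vhost is now produced by `proxyPassToPort 3000 {}`, and the HSTS header the removed gitea.nix emitted through `extraConfig` (`add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`) has no visible replacement, so unless `proxyPassToPort` adds that header itself the gitea host loses it. Assuming the helper merges its second argument into the vhost the way it does for `serverAliases`, pass it through: `"gitea.${domain}" = proxyPassToPort 3000 {extraConfig = ''add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;'';};`. The `nextcloud.${domain}` entry only sets `forceSSL`/`enableACME` and relies on the nextcloud module to fill in the rest of that vhost; a short comment saying so would stop a reader from thinking the entry is incomplete. The enclosing `let`/virtualHosts block starts before this hunk.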
@@ -1,30 +1,48 @@
-{config, ...}: let
-  domain = "gitea.${config.services.nginx.domain}";
-in {
-  services.gitea = {
-    inherit domain;
-    enable = true;
-
-    httpAddress = "127.0.0.1";
-    database.type = "postgres";
-
-    ssh.clonePort = 2222;
-    rootUrl = "https://gitea.tlater.net/";
-    cookieSecure = true;
-
-    appName = "Gitea: Git with a cup of tea";
+{config, ...}: {
+  users = {
+    extraUsers.gitea = {
+      uid = config.ids.uids.git;
+      isSystemUser = true;
+      description = "Gitea Service";
+      group = config.users.extraGroups.gitea.name;
+    };
+    extraGroups.gitea = {gid = config.ids.gids.git;};
   };
-  # Set up SSL
-  services.nginx.virtualHosts."${domain}" = let
-    inherit (config.services.gitea) httpAddress httpPort;
-  in {
-    forceSSL = true;
-    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-    '';
+  virtualisation.pods.gitea = {
+    hostname = "gitea.tlater.net";
+    publish = ["3000:3000" "2221:2221"];
+    network = "slirp4netns";
-    locations."/".proxyPass = "http://${httpAddress}:httpPort";
+    containers = {
+      gitea = {
+        image = "gitea/gitea:latest";
+        volumes = ["gitea:/data:Z" "/etc/localtime:/etc/localtime:ro"];
+        dependsOn = ["postgres"];
+
+        environment = {
+          DB_TYPE = "postgres";
+          DB_HOST = "localhost:5432";
+          DB_NAME = "gitea";
+          DB_USER = "gitea";
+
+          USER_UID = toString config.users.extraUsers.gitea.uid;
+          USER_GID = toString config.users.extraGroups.gitea.gid;
+
+          RUN_MODE = "prod";
+          DOMAIN = "gitea.tlater.net";
+          SSH_PORT = "2221";
+        };
+      };
+
+      postgres = {
+        image = "postgres:alpine";
+        environment = {
+          POSTGRES_DB = "gitea";
+          POSTGRES_USER = "gitea";
+        };
+        volumes = ["gitea-postgres-14:/var/lib/postgresql/data"];
+      };
+    };
   };
 }
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 11673d9..d864302 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
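Review bot: `publish = ["3000:3000" "2221:2221"];` binds Gitea's plain-HTTP port on every host interface, whereas the removed module kept `httpAddress = "127.0.0.1"` so only the TLS-terminating nginx could reach it; unless the host firewall drops 3000, the unencrypted service is now reachable beside the https vhost. Bind HTTP to loopback and leave only SSH published, `publish = ["127.0.0.1:3000:3000" "2221:2221"];`. The old `rootUrl = "https://gitea.tlater.net/"` and `cookieSecure = true` have no counterpart in the container environment, so behind the proxy Gitea will derive its public URL from its own listen address unless `ROOT_URL = "https://gitea.tlater.net/";` is added next to `DOMAIN`. Neither container sets a database credential (`DB_USER` without `DB_PASSWD`, `POSTGRES_USER` without `POSTGRES_PASSWORD`); the official postgres image refuses to initialise a fresh data directory without a password or an explicit `POSTGRES_HOST_AUTH_METHOD`, and a password written into `environment` here would end up in the world-readable Nix store, so it should be supplied from a file outside the store. `gitea/gitea:latest` and `postgres:alpine` are floating tags, so each pod restart may pull a different image; pinning a version (or digest) keeps upgrades deliberate.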
@@ -5,13 +5,11 @@
 }: let
   inherit (pkgs) fetchNextcloudApp;
   nextcloud = pkgs.nextcloud23;
-  hostName = "nextcloud.${config.services.nginx.domain}"
 in {
   services.nextcloud = {
-    inherit hostName;
-
     package = nextcloud;
     enable = true;
+    hostName = "nextcloud.${config.services.nginx.domain}";
     maxUploadSize = "2G";
     https = true;
@@ -34,10 +32,4 @@ in {
   # Ensure that this service doesn't start before postgres is ready
   systemd.services.nextcloud-setup.after = ["postgresql.service"];
-
-  # Set up SSL
-  services.nginx.virtualHosts."${hostName}" = {
-    forceSSL = true;
-    enableACME = true;
-  };
 }
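Review bot: With the vhost block removed in the second hunk, `https = true;` in this file now depends on configuration/default.nix supplying `forceSSL`/`enableACME` for `nextcloud.${config.services.nginx.domain}`, and nothing here records that dependency; if the two drift (a renamed hostName, a dropped vhost entry) Nextcloud would keep generating https links for a host nginx no longer secures. A one-line comment above the new `hostName` line, `# TLS for this vhost (forceSSL/enableACME) is configured in configuration/default.nix`, makes the coupling visible to whoever edits either file next.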