diff --git a/hosts/tadpole/modules/gitea/default.nix b/hosts/tadpole/modules/gitea/default.nix
new file mode 100644
index 0000000..4d54cc5
--- /dev/null
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -0,0 +1,64 @@
+{ lib, config, ... }:
+let
+ enable = config.mod.gitea.enable;
+ domain = config.mod.gitea.domain;
+
+ nginxEnable = config.mod.nginx.enable;
+in
+{
+ options = {
+ mod.gitea = {
+ enable = lib.mkEnableOption "Enable gitea";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ description = "The domain that nginx will use as a virtual host";
+ };
+ };
+ };
+
+ config = lib.mkIf (enable && nginxEnable) {
+ services.gitea = {
+ enable = true;
+
+ settings = {
+ service = {
+ DISABLE_REGISTRATION = false;
+ };
+
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}";
+
+ SSH_PORT = 1122; # See `ssh` module
+ };
+
+ database = {
+ type = "sqlite3";
+ passwordFile = config.age.secrets.gitea-dbpassword.path;
+ };
+
+ session = {
+ COOKIE_SECURE = true;
+ };
+ };
+ };
+
+ services.nginx = {
+ virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://0.0.0:3000";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ age.secrets = {
+ "gitea-dbpassword".file = ../../../../secrets/tadpole/gitea-dbpassword.age;
+ };
+ };
+}
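Review bot: `DISABLE_REGISTRATION = false;` leaves self-registration open on an instance that this same module publishes through an ACME-backed nginx virtual host, so anyone who can reach the domain can create an account; unless that is intended, set `DISABLE_REGISTRATION = true;` and create users from the admin side. The upstream in `proxyPass = "http://0.0.0:3000";` is not a loopback address and looks like a typo; `proxyPass = "http://127.0.0.1:3000";` states the intent, and adding `HTTP_ADDR = "127.0.0.1";` under `server` would keep port 3000 from being served without TLS on other interfaces (whether the firewall already blocks it is not visible here). By brace count the `database` attrset sits inside `settings`, so `type` and `passwordFile` are presumably emitted as raw app.ini keys instead of going through the module's `services.gitea.database` options, and a password has no effect with sqlite3 in any case; worth confirming and dropping the unused `gitea-dbpassword` secret.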