diff --git a/modules/nixos/services/gitea.nix b/modules/nixos/services/gitea.nix
new file mode 100644
index 0000000..b9e741f
--- /dev/null
+++ b/modules/nixos/services/gitea.nix
@@ -0,0 +1,174 @@
+{
+ config,
+ lib,
+ pkgs,
+ secretsDir,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf mkOption;
+ inherit (lib.types) str;
+
+ cfg = config.ataraxia.services.gitea;
+
+ gitea-user = config.services.gitea.user;
+ # gitea-group = "gitea";
+ # runner-user = "gitea-runner";
+ # runner-group = "root";
+ gitea-secret = {
+ sopsFile = secretsDir + /${cfg.sopsDir}/gitea.yaml;
+ owner = gitea-user;
+ restartUnits = [ "gitea.service" ];
+ };
+ # runner-secret = services: {
+ # sopsFile = secretsDir + /${cfg.sopsDir}/gitea.yaml;
+ # owner = runner-user;
+ # restartUnits = services;
+ # };
+in
+{
+
+ options.ataraxia.services.gitea = {
+ enable = mkEnableOption "Enable gitea service";
+ sopsDir = mkOption {
+ type = str;
+ default = config.networking.hostName;
+ description = ''
+ Name for sops secrets directory. Defaults to hostname.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets.gitea = gitea-secret;
+ sops.secrets.gitea-mailer = gitea-secret;
+ # sops.secrets.gitea-runner-hypervisor = runner-secret [ "gitea-runner-hypervisor.service" ];
+
+ persist.state.directories = [
+ # { directory = "/var/lib/gitea-runner"; user = runner-user; group = runner-group; }
+ # { directory = "/srv/gitea"; user = gitea-user; group = gitea-group; }
+ ];
+
+ backups.postgresql.gitea = { };
+
+ # TODO: backups! gitea.dump setting
+ services.gitea = {
+ enable = true;
+ appName = "AtaraxiaDev's Gitea Instance";
+ database = {
+ type = "postgres";
+ passwordFile = config.sops.secrets.gitea.path;
+ };
+ dump = {
+ enable = true;
+ backupDir = "/srv/gitea/dump";
+ interval = "06:00";
+ type = "tar.zst";
+ };
+ lfs.enable = true;
+ stateDir = "/srv/gitea/data";
+ mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
+ settings = {
+ server = {
+ DOMAIN = "code.ataraxiadev.com";
+ HTTP_ADDRESS = "127.0.0.1";
+ HTTP_PORT = 6000;
+ ROOT_URL = "https://code.ataraxiadev.com";
+ };
+ actions = {
+ ENABLED = false;
+ };
+ api = {
+ ENABLE_SWAGGER = false;
+ };
+ attachment = {
+ MAX_SIZE = 100;
+ MAX_FILES = 10;
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "mail.ataraxiadev.com";
+ USER = "gitea@ataraxiadev.com";
+ };
+ migrations = {
+ ALLOW_LOCALNETWORKS = true;
+ ALLOWED_DOMAINS = "";
+ };
+ packages = {
+ ENABLED = false;
+ };
+ "repository.upload" = {
+ FILE_MAX_SIZE = 100;
+ MAX_FILES = 10;
+ };
+ security = {
+ INSTALL_LOCK = true;
+ DISABLE_GIT_HOOKS = true;
+ DISABLE_WEBHOOKS = false;
+ IMPORT_LOCAL_PATHS = false;
+ PASSWORD_HASH_ALGO = "argon2";
+ };
+ oauth2 = {
+ JWT_SIGNING_ALGORITHM = "ES256";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+ DEFAULT_USER_IS_RESTRICTED = true;
+ REGISTER_EMAIL_CONFIRM = false;
+ REGISTER_MANUAL_CONFIRM = true;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ webhook = {
+ ALLOWED_HOST_LIST = "loopback, private, ataraxiadev.com, *.ataraxiadev.com";
+ };
+ };
+ };
+
+ systemd.services.gitea-dump-clean =
+ let
+ older-than = "3"; # in days
+ in
+ rec {
+ before = [ "gitea-dump.service" ];
+ requiredBy = before;
+ script = ''
+ ${pkgs.findutils}/bin/find ${config.services.gitea.dump.backupDir} \
+ -mindepth 1 -type f -mtime +${older-than} -delete
+ '';
+ };
+
+ # users.users.${runner-user} = {
+ # isSystemUser = true;
+ # group = runner-group;
+ # };
+ # services.gitea-actions-runner.instances.hypervisor = {
+ # enable = true;
+ # name = "hypervisor";
+ # url = config.services.gitea.settings.server.ROOT_URL;
+ # tokenFile = config.sops.secrets.gitea-runner-hypervisor.path;
+ # labels = [
+ # "native:host"
+ # "debian-latest:docker://debian:12-slim"
+ # ];
+ # hostPackages = with pkgs; [
+ # bash
+ # curl
+ # gawk
+ # gitMinimal
+ # gnused
+ # wget
+ # ];
+ # # TODO: fix cache server
+ # # settings = {};
+ # };
+ # systemd.services.gitea-runner-hypervisor = {
+ # serviceConfig.DynamicUser = lib.mkForce false;
+ # serviceConfig.User = lib.mkForce runner-user;
+ # serviceConfig.Group = lib.mkForce runner-group;
+ # };
+ };
+}
diff --git a/secrets/orion/gitea.yaml b/secrets/orion/gitea.yaml
new file mode 100644
index 0000000..d250e3f
--- /dev/null
+++ b/secrets/orion/gitea.yaml
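Review bot: `migrations.ALLOW_LOCALNETWORKS = true` combined with `ALLOWED_DOMAINS = ""` (empty means no allowlist) lets the repository-migration feature fetch from loopback and RFC 1918 addresses, so any existing account can make Gitea issue requests to services on this host and its LAN, including its own `127.0.0.1:6000` listener, and `webhook.ALLOWED_HOST_LIST` opens the same ranges for outbound webhooks. Registration is off and new accounts are restricted by default, which narrows who can use that egress path, but nothing in the hunk records why local targets are needed; if the intent is mirroring from one internal host, list it in `ALLOWED_DOMAINS` instead, otherwise document it above the `migrations` block with `# Migrations and webhooks may reach loopback/private ranges on purpose (internal mirrors); any local account can use this as an egress path.`. The secrets file added in the second hunk also carries `gitea-secretkey`, `gitea-internaltoken` and `gitea-runner-hypervisor`, yet only `sops.secrets.gitea` and `sops.secrets.gitea-mailer` are declared here, so those three entries are never decrypted onto the host and the NixOS module presumably generates its own secret key and internal token under `stateDir` — confirm that is the intended key management before the instance is initialised. Lastly, `gitea-dump-clean` hard-codes `older-than = "3"` and is `requiredBy` `gitea-dump.service`, so a failing cleanup would, as far as I can tell, also keep the dump itself from running; exposing the retention as a module option next to `sopsDir` and noting that coupling in a comment on `requiredBy = before;` would make the trade-off explicit.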
@@ -0,0 +1,30 @@
+gitea: ENC[AES256_GCM,data:J+ZBpsUSXOaPycPCjh6RgZQlRv8=,iv:DtE+qtWTIHS2OkFZBhUcjg07wVrwiMm7XsW63ZD4f5o=,tag:5vOIdgsBB8eMkIbRe6pNdA==,type:str]
+gitea-mailer: ENC[AES256_GCM,data:o7JNqMqJM3OoDxSohmeYsPn1n3wb6J6L,iv:agiJl0halqfmKMvWA8b0boXF3rXrbC2bIj9zb5274hg=,tag:DjnNySDnYwVYtP9RNuEYGQ==,type:str]
+gitea-secretkey: ENC[AES256_GCM,data:eyhy6wRwoWxUVGh3GghePwYZxX2BmHxly0Tn6eHq+6qDryDgL6c/fA==,iv:/xMqcni+lTh3syWSSp50pS6VHDTEDsUL2idFWEoCc9M=,tag:qgmGHzc5R6k6OLOEyrBlMw==,type:str]
+gitea-internaltoken: ENC[AES256_GCM,data:BYA9CHQ/IVnwA/apr0V3EYE66vJfz5wdpOGxgMzVdcYKrqVVhfK7YQ==,iv:Fj4gn00rRc2E1A74SWeRZWktm4EvvTeCG04p8K2NSxk=,tag:BanFYGL7GF5Q8zdjugAICw==,type:str]
+gitea-runner-hypervisor: ENC[AES256_GCM,data:vS++cR4ewTzT8W7h870tXJkFYy6F9hV8SA/A94kqIxsawAmeeu5xf5YVQZZcNw==,iv:h9LVb3J909tkoiI01mh7ZgW34MPrB49mC5Sn+b5iIQE=,tag:CJ9kk6Ly/X89VAU2pBOZaA==,type:str]
+sops:
+ shamir_threshold: 1
+ age:
+ - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUdCR3NvYlFoeW9hZU5k
+ Um5YYzE3aDN1WWRvd3JRWG83eDV2VVBUWXpvCjYwSU1neTF5cmZneDVSTmgrbzgv
+ SE9JSWY4SmRwVmVMNVhmb1RzSEF0ZzgKLS0tIHFzcHhQWUwzelRBWGJyd3RwQ05K
+ c1AvZ2EwY0VPWGc1WnhucDFmQmhtWUUKkHK658ViO8wtm/kJk5t3B6z7vXHsCHI6
+ PeIbqM+hQ2dW7yCJTfKyYoJGwaWrAgzjFRD0wbh9b+JQWavIiyhZrA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUUwvZ25yUGo5YjJNcHFM
+ b1hUSTQ5VUlmODMwbEhzNFFTSmFFaG9tcTJFCmFrYU9qSWlVNmRqUnlmdEkrYlhF
+ V2lCNnZwNGZVL0pUaW5RTWVHaFpnYlEKLS0tIFpDNC9RU21kS3R2UzRvMnpBcjc5
+ U1VldmYxV2k4c3gwY1FUSjNQWmtRODQK7P9NTF9JxzilXiLdv4WCGt0V3pxB7xbt
+ gECxjDTHYd+TBkOExzYHAD7VXQGpPPyCKREZ1AsZJjhhZoZJrrMMuQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-21T19:08:51Z"
+ mac: ENC[AES256_GCM,data:ranW9+W0x11eRFRzGosVfapoW1xpgTUpUvzzItYcZT0Pr1cRpBMQNTmHXpItNKuw1Ut4PBzUlmtDl/Y1VlefVecy6j9xvEczgYvCXCRH+x5Dp2FAuIwqw+EuQWsxxZ/k32zzdWT2brWsO+z5EmLRePJu0mBoxRx1vqVAZef8vwo=,iv:yEofPQ22CpHLktUjRke1Tlg445TpX0ocpQBeoeWba+Q=,tag:Ai+tbYJJ5BHyNHfnK1elgw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1