diff --git a/db/init/01-databases.sql b/db/init/01-databases.sql
index cb76f85..b4e94f4 100644
--- a/db/init/01-databases.sql
+++ b/db/init/01-databases.sql
@@ -1,7 +1,7 @@
 CREATE DATABASE IF NOT EXISTS `monica`;
+CREATE DATABASE IF NOT EXISTS `gitea`;
 # Nextcloud will automatically create a database on setup
 #CREATE DATABASE IF NOT EXISTS `nextcloud`;
 GRANT ALL PRIVILEGES ON *.* TO 'chris'@'%';
-GRANT ALL ON `nextcloud`.* TO 'chris'@'%' ;
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';
diff --git a/docker-compose.yml b/docker-compose.yml
index b442d02..f19973c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -52,6 +52,31 @@ services:
 - redis
 - nginx
+ gitea:
+ image: gitea/gitea:1
+ environment:
+ - "APP_NAME=Labs: Where the good stuff happens"
+ - RUN_MODE=prod
+ - DOMAIN=labs.${DOMAIN}
+ - ROOT_URL=https://labs.${DOMAIN}
+ - DB_TYPE=mysql
+ - DB_HOST=db
+ - DB_NAME=gitea
+ - DB_USER=${DB_USER}
+ - DB_PASSWD=${DB_PASSWORD}
+ restart: always
+ volumes:
+ - gitea:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - 222:22
+ networks:
+ - db
+ - nginx
+ depends_on:
+ - db
+
 db:
 image: mariadb
 command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
@@ -84,12 +109,13 @@ services:
 depends_on:
 - monica
 - nextcloud
+ - gitea
+ - omgwtfssl-monica
+ - omgwtfssl-nextcloud
+ - omgwtfssl-gitea
 ports:
 - 80:80
 - 443:443
- depends_on:
- - omgwtfssl-monica
- - omgwtfssl-nextcloud
 networks:
 - nginx
@@ -117,12 +143,25 @@ services:
 - SSL_CSR=/certs/tower.${DOMAIN}.csr
 - SSL_CERT=/certs/tower.${DOMAIN}.crt
+ omgwtfssl-gitea:
+ image: paulczar/omgwtfssl
+ restart: "no"
+ volumes:
+ - certs:/certs
+ environment:
+ - SSL_SUBJECT=labs.${DOMAIN}
+ - CA_SUBJECT=chris@${DOMAIN}
+ - SSL_KEY=/certs/labs.${DOMAIN}.key
+ - SSL_CSR=/certs/labs.${DOMAIN}.csr
+ - SSL_CERT=/certs/labs.${DOMAIN}.crt
+
 volumes:
 db:
 monica-public:
 monica-data:
 nextcloud:
 certs:
+ gitea:
 networks:
 db:
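Review bot: The new `gitea` database gets no grant of its own, so the Gitea container (configured with `DB_USER=${DB_USER}` in the compose hunk) can only reach it through the blanket `GRANT ALL PRIVILEGES ON *.* TO 'chris'@'%';` on the following line — presumably `DB_USER` resolves to `chris`, which is not visible from here. A database-scoped grant, `GRANT ALL ON gitea.* TO 'chris'@'%';`, is what the removed `nextcloud` line was doing for that app and keeps each application account inside its own schema; with the global grant, a defect in any one app exposes every other database on the server, including `mysql.*`. The `'%'` host wildcard is defensible while the server is only reachable on the compose `db` network, but that assumption deserves a comment, `-- '%' is acceptable only because the db network is internal`. Also note that `#` is MySQL/MariaDB-specific comment syntax; `-- ` is the portable form if this file is ever run elsewhere.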
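Review bot: `- 222:22` publishes Gitea's SSH listener on every host interface, while HTTP for the same service is only reachable through nginx on the `nginx` network; if SSH is meant to be local or reverse-proxied, bind it explicitly, `- "127.0.0.1:222:22"`, and in any case quote it, since YAML 1.1 parsers may read an unquoted `xx:yy` as a base-60 integer (Compose's own documentation recommends string port mappings). `image: gitea/gitea:1` floats across every 1.x release, so a restart can pull a version other than the one reviewed; a pinned minor/patch tag makes upgrades deliberate. `DB_USER=${DB_USER}` reuses the account shared with the other services, and together with the global grant in `01-databases.sql` that gives Gitea reach into the other apps' schemas — a dedicated user is cheap if that is not intended. `depends_on: - db` only orders startup; Gitea may still start before MariaDB accepts connections, which `restart: always` papers over but does not document.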
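Review bot: The certificate produced here lands at `/certs/labs.${DOMAIN}.crt`, but the server block added to `nginx.conf` (hunk `@@ -299,4 +339,24 @@`) reads `/etc/nginx/certs/labs.scarif.local.crt` and sets `server_name labs.scarif.local;`, so the two sides only agree when `DOMAIN=scarif.local`; the existing `omgwtfssl-monica`/`-nextcloud` pairs likely carry the same coupling, but the new one should either template both sides from the variable or state the assumption, `# nginx.conf hardcodes labs.scarif.local — DOMAIN must match`. The certificate is locally issued (`CA_SUBJECT=chris@${DOMAIN}`), so clients must trust that CA explicitly; fine for a lab, but worth a one-line comment so nobody mistakes it for a publicly trusted chain. `restart: "no"` means the cert is generated once and never renewed — a note on its validity period and how to regenerate would help the next operator.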
diff --git a/nginx.conf b/nginx.conf
index b56e652..29b49c3 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -26,14 +26,51 @@ http {
 set_real_ip_from 172.16.0.0/12;
 set_real_ip_from 192.168.0.0/16;
 real_ip_header X-Real-IP;
+
+ # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+ # scheme used to connect to this server
+ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+ }
+
+ # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+ # server port the client connected to
+ map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+ }
+
+ # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+ # Connection header that may have been passed to this server
+ map $http_upgrade $proxy_connection {
+ default upgrade;
+ '' close;
+ }
+
+ # Set appropriate X-Forwarded-Ssl header
+ map $scheme $proxy_x_forwarded_ssl {
+ default off;
+ https on;
+ }
+
+ # HTTP 1.1 support
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+ # Mitigate httpoxy attack (see README for details)
+ proxy_set_header Proxy "";
- # Connect to service services
 upstream monica-handler {
 server monica:9000;
 }
- upstream nextcloud-handler {
- server nextcloud:9000;
- }
 server {
 listen 443 ssl http2;
@@ -167,6 +204,9 @@ http {
 }
 }
+ upstream nextcloud-handler {
+ server nextcloud:9000;
+ }
 server {
 listen 443 ssl http2;
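Review bot: The `$proxy_connection` map is defined but never used — the hunk adds `proxy_set_header Upgrade $http_upgrade;` without the matching `proxy_set_header Connection $proxy_connection;`, so the Upgrade header is forwarded while the hop-by-hop Connection header is left as the client sent it, and WebSocket upgrades through this proxy will not be negotiated reliably. Add `proxy_set_header Connection $proxy_connection;` directly under the Upgrade line. `proxy_buffering off;` at `http` level now applies to every `proxy_pass` location in the file, not just the one that needs streaming; that is a legitimate trade-off but deserves a comment, `# buffering disabled globally so upgraded/streaming upstreams are not delayed`. The httpoxy comment refers to "README for details", which does not appear to exist in this repository if the block was carried over from a proxy template — either point it at the httpoxy write-up or reword to `# strip the Proxy request header so it cannot reach upstream CGI-style environments (httpoxy)`.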
@@ -299,4 +339,24 @@ http {
 access_log off;
 }
 }
+
+ upstream gitea-handler {
+ server gitea:3000;
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ ssl_certificate /etc/nginx/certs/labs.scarif.local.crt;
+ ssl_certificate_key /etc/nginx/certs/labs.scarif.local.key;
+
+ gzip_types text/plain text/css application/json application/x-javascript
+ text/xml application/xml application/xml+rss text/javascript;
+
+ server_name labs.scarif.local;
+
+ location / {
+ proxy_pass http://gitea-handler;
+ }
+ }
 }
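Review bot: The new `location / { proxy_pass http://gitea-handler; }` inherits nginx's default `client_max_body_size` of 1m unless it is raised in the `http` block outside this hunk, so `git push` over HTTPS and attachment or release uploads above that size will be rejected with 413; add `client_max_body_size 512m;` (or whatever the lab's policy is) to this `server` block and document it, `# git pushes over HTTPS carry whole packfiles`. Likewise no `proxy_read_timeout` is set here, and long clone/push operations can exceed the 60s default — hedged, since the http-level defaults are not visible in this hunk. The block deliberately relies on the `proxy_set_header` lines added at `http` level in the first hunk, which inherit correctly, but a one-line comment saying so would keep the next reader from adding duplicates. `listen 443 ssl http2;` with no `ssl_protocols`/`ssl_ciphers` in the block is fine only if they are set once at `http` level — worth confirming, as the other server blocks are out of view.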