diff --git a/roles/gitea/files/gitea.httpd.conf b/roles/gitea/files/gitea.httpd.conf
new file mode 100644
index 0000000..f4d6b83
--- /dev/null
+++ b/roles/gitea/files/gitea.httpd.conf
@@ -0,0 +1,4 @@
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://localhost:3000/
+ProxyPassReverse / http://localhost:3000/
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
new file mode 100644
index 0000000..f2a7e62
--- /dev/null
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: reload httpd
+  service:
+    name=httpd
+    state=reloaded
+- name: restart gitea
+  service:
+    name=gitea
+    state=restarted
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..2be10df
--- /dev/null
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: load gitea secrets
+  include_vars: vault/gitea
+
+- name: ensure gitea is installed
+  package:
+    name=gitea
+    state=present
+  tags:
+  - install
+
+- name: ensure gitea is configured
+  template:
+    src=app.ini.j2
+    dest=/etc/gitea/app.ini
+    mode=0640
+    owner=root
+    group=gitea
+  notify: restart gitea
+
+- meta: flush_handlers
+- name: ensure gitea is running
+  service:
+    name=gitea
+    state=started
+- name: ensure gitea starts at boot
+  service:
+    name=gitea
+    enabled=yes
+
+- name: ensure apache is configured to proxy for gitea
+  copy:
+    src=gitea.httpd.conf
+    dest=/etc/httpd/conf.d/gitea.conf
+    mode=0644
+  notify: reload httpd
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
new file mode 100644
index 0000000..f2c7428
--- /dev/null
+++ b/roles/gitea/templates/app.ini.j2
@@ -0,0 +1,63 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[security]
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+INSTALL_LOCK   = true
+SECRET_KEY     = {{ gitea_secret_key }}
+
+[database]
+DB_TYPE  = sqlite3
+HOST     = 127.0.0.1:3306
+NAME     = gitea
+USER     = gitea
+PASSWD   = 
+SSL_MODE = disable
+PATH     = /var/lib/gitea/data/gitea.db
+
+[repository]
+ROOT = /var/lib/gitea/gitea-repositories
+
+[server]
+APP_DATA_PATH    = /var/lib/gitea
+SSH_DOMAIN       = localhost
+DOMAIN           = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://localhost:3000/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET   = {{ gitea_lfs_jwt_secret }}
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = true
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING       = false
+NO_REPLY_ADDRESS                  = noreply.example.org
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = Info
+ROOT_PATH = /var/log/gitea