diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index 0b76479..66120fb 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,3 +1,11 @@
+gitea_version: 1.11.0
+gitea_arch: '{{ _gitea_arch_map[ansible_architecture] }}'
+gitea_bin: gitea-{{ gitea_version }}-linux-{{ gitea_arch }}
+gitea_bin_sha256: >-
+  d4df5f456cf13d49c096525ff762ad70386251d3f0d2805735b5dfade17e88d4
+gitea_download_url: >-
+  https://dl.gitea.io/gitea/{{ gitea_version }}/{{ gitea_bin }}
+
 gitea_ssh_domain: '{{ ansible_fqdn }}'
 gitea_http_domain: '{{ gitea_ssh_domain }}'
 gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'
diff --git a/roles/gitea/files/.gitignore b/roles/gitea/files/.gitignore
new file mode 100644
index 0000000..41e3f27
--- /dev/null
+++ b/roles/gitea/files/.gitignore
@@ -0,0 +1 @@
+gitea-*-linux-*
diff --git a/roles/gitea/files/gitea.service b/roles/gitea/files/gitea.service
new file mode 100644
index 0000000..453c12a
--- /dev/null
+++ b/roles/gitea/files/gitea.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Gitea - Git with a cup of tea
+
+[Service]
+Type=simple
+User=gitea
+Environment=GITEA_CONFIG=/etc/gitea/app.ini
+Environment=HOME=/var/lib/gitea
+EnvironmentFile=-/etc/sysconfig/gitea
+ExecStart=/usr/local/bin/gitea web -c ${GITEA_CONFIG}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
index f2a7e62..4cc01c6 100644
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -1,3 +1,6 @@
+- name: reload systemd
+  command:
+    systemctl daemon-reload
 - name: reload httpd
   service:
     name=httpd
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index b0bf9a9..0db184e 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -1,13 +1,59 @@
 - name: load gitea secrets
   include_vars: vault/gitea
 
+- name: ensure gitea system group exists
+  group:
+    name: gitea
+    system: yes
+  tags:
+  - user
+  - group
+- name: ensure gitea system user exists
+  user:
+    name: gitea
+    group: gitea
+    system: yes
+    home: /var/lib/gitea
+    createhome: no
+  tags:
+  - user
+
+- name: ensure gitea data directory exists
+  file:
+    path: /var/lib/gitea
+    mode: '0700'
+    owner: gitea
+    group: gitea
+
+- name: download gitea binary
+  become: false
+  delegate_to: localhost
+  get_url:
+    url: '{{ gitea_download_url }}'
+    dest: 'roles/gitea/files/{{ gitea_bin }}'
+    checksum: 'sha256:{{ gitea_bin_sha256 }}'
+  tags:
+  - download
 - name: ensure gitea is installed
-  package:
-    name=gitea
-    state=present
+  copy:
+    src: '{{ gitea_bin }}'
+    dest: /usr/local/bin/gitea
+    mode: '0755'
+  diff: false
+  notify:
+  - restart gitea
   tags:
   - install
 
+- name: ensure gitea systemd unit is installed
+  copy:
+    src: gitea.service
+    dest: /etc/systemd/system/gitea.service
+    mode: '0644'
+  notify:
+  - reload systemd
+  - restart gitea
+
 - name: ensure gitea is configured
   template:
     src=app.ini.j2
diff --git a/roles/gitea/vars/main.yml b/roles/gitea/vars/main.yml
new file mode 100644
index 0000000..c3200ab
--- /dev/null
+++ b/roles/gitea/vars/main.yml
@@ -0,0 +1,5 @@
+_gitea_arch_map:
+  i686: 386
+  x86_64: amd64
+  aarch64: arm64
+  armv7l: arm