diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index 3942b37..9e433d3 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -7,6 +7,7 @@
 ./services/ankisyncd.nix
 ./services/dnsmasq.nix
+ ./services/gitea.nix
 ./services/grafana.nix
 ./services/hedgedoc.nix
 ./services/media.nix
diff --git a/machines/fuuko/services/gitea.nix b/machines/fuuko/services/gitea.nix
new file mode 100644
index 0000000..703b0ce
--- /dev/null
+++ b/machines/fuuko/services/gitea.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+let
+ cfg = config.services.gitea;
+in
+{
+ krops.secrets.gitea-mail.owner = cfg.user;
+ users.users."${cfg.user}".extraGroups = [ "keys" ];
+
+ services.gitea = {
+ enable = true;
+
+ # FIXME use stable version once it is released
+ package = pkgs.gitea.overrideAttrs (o: o // rec {
+ version = "1.14.0-rc2";
+
+ src = pkgs.fetchurl {
+ url = "https://github.com/go-gitea/gitea/releases/download/v${version}/gitea-src-${version}.tar.gz";
+ sha256 = "1w7q049gi534lhdgqs6jwr49bnr54ndv4a3w88izp5kd2nhwm9zy";
+ };
+ });
+
+ rootUrl = "https://git.sbruder.de/";
+ appName = "sbrudergit";
+ cookieSecure = true;
+ log.level = "Warn";
+ lfs = {
+ enable = true;
+ contentDir = "/data/gitea/lfs/";
+ };
+ enableUnixSocket = true;
+ ssh = {
+ clonePort = 2022;
+ };
+ database.type = "postgres";
+ mailerPasswordFile = config.krops.secrets.gitea-mail.path;
+ settings = {
+ mailer = {
+ ENABLED = true;
+ HOST = "vueko.sbruder.de:587";
+ FROM = "gitea@sbruder.de";
+ USER = "gitea@sbruder.de";
+ };
+ avatar = {
+ DISABLE_GRAVATAR = true;
+ };
+ server = {
+ # privacy
+ DISABLE_ROUTER_LOG = true;
+ OFFLINE_MODE = true;
+
+ # internal ssh server
+ BUILTIN_SSH_SERVER_USER = "git";
+ START_SSH_SERVER = true;
+ };
+ service = {
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ ENABLE_NOTIFY_MAIL = true;
+ NO_REPLY_ADDRESS = "users.git.sbruder.de";
+ REGISTER_EMAIL_CONFIRM = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ cfg.ssh.clonePort ];
+
+ services.nginx.virtualHosts."git.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://unix:/run/gitea/gitea.sock";
+ };
+ };
+}
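Review bot: The `package` override pins Gitea to the `1.14.0-rc2` source tarball, and only the FIXME comment ties it to the stable release, so later nixpkgs updates to `pkgs.gitea` (including security fixes) will not reach this host, which the firewall rule and ACME vhost expose publicly, until someone removes the override by hand. Making the pin expire on its own avoids that: `package = if pkgs.lib.versionAtLeast pkgs.gitea.version "1.14.0" then pkgs.gitea else pkgs.gitea.overrideAttrs (…);`. The override also swaps only `version` and `src`, so any build flags the original derivation computed from its own version are presumably unchanged and the binary may report the old version; worth checking after deploy. Separately, the `service` block sets `REGISTER_EMAIL_CONFIRM` but not `DISABLE_REGISTRATION`, so sign-up looks open to anyone who can receive mail; if that is not intended, add `DISABLE_REGISTRATION = true;` once the first admin account exists.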