diff --git a/Makefile b/Makefile
index d9ba2b0..638055f 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,7 @@ MODULES += mastodon
 MODULES += matrix
 MODULES += nextcloud
 MODULES += mobilizon
+MODULES += gitea
 #MODULES += pixelfed
 
 include env.production
@@ -66,6 +67,12 @@ data/%/secrets:
 	echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)"
 	echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)"
 
+data/gitea/secrets: data/gitea/host-setup.done
+data/gitea/host-setup.done:
+	sudo ./gitea/host-setup.sh
+	mkdir -p $(dir $@)
+	touch $@
+
 keycloak-setup: secrets-setup
 	$(DOCKER) run keycloak-setup
 
diff --git a/gitea.yaml b/gitea.yaml
new file mode 100644
index 0000000..c2ea9db
--- /dev/null
+++ b/gitea.yaml
@@ -0,0 +1,69 @@
+# gitea requires ssh access from the host machine, which needs special setup
+# In order to create the git user and auth keys, you need to run:
+#
+#     sudo gitea/setup.sh
+#
+version: "3"
+
+services:
+  gitea:
+    image: gitea/gitea:1.17.3
+    container_name: gitea
+    env_file:
+      - ./env.production
+    environment:
+      - USER_UID=2222 # must match git user on host system
+      - USER_GID=2222
+      - GITEA_CLIENT_SECRET=${GITEA_CLIENT_SECRET}
+      - GITEA_ADMIN_PASSWORD=${GITEA_ADMIN_PASSWORD}
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=gitea-db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=gitea
+      - GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+      - GITEA__openid__ENABLE_OPENID_SIGNIN=true
+      - GITEA__openid__ENABLE_OPENID_SIGNUP=false
+      - GITEA__service__DISABLE_REGISTRATION=true
+      - GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
+      - GITEA__repository__DEFAULT_BRANCH=main
+      - GITEA__server__ROOT_URL=https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/
+      - GITEA__server__SSH_DOMAIN=${GITEA_HOSTNAME}.${DOMAIN_NAME}
+      - GITEA__security__SECRET_KEY=${GITEA_SESSION_SECRET}
+      - GITEA__security__INSTALL_LOCK=true
+    entrypoint: ["/setup.sh"]
+    volumes:
+      - ./gitea/setup.sh:/setup.sh:ro
+      - ./data/gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /home/git/.ssh/:/data/git/.ssh
+    ports:
+#      - "3030:3000"
+      - "2222:22"  # route host port 2222 to container port 22 for inbound ssh
+    restart: always
+    depends_on:
+      - gitea-db
+ 
+  gitea-db:
+    image: postgres:13.4-alpine
+    container_name: gitea-db
+    restart: always
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=gitea
+      - POSTGRES_DB=gitea
+    volumes:
+      - ./data/gitea/postgres:/var/lib/postgresql/data
+
+  # add the gitea nginx configuration into the nginx volume
+  nginx:
+    volumes:
+      - ./gitea/nginx.conf:/etc/nginx/templates/gitea.conf.template:ro
+
+  # add the gitea client secrets to the keycloak-setup volume
+  keycloak-setup:
+    env_file:
+      - data/gitea/secrets
+    volumes:
+      - ./gitea/keycloak.sh:/keycloak-setup/gitea.sh:ro
diff --git a/gitea/README.md b/gitea/README.md
index ef1b0be..2930b65 100644
--- a/gitea/README.md
+++ b/gitea/README.md
@@ -1,3 +1,6 @@
 # gitea
 
-OIDC setup is now automated
+There is still a sudo step that has to happen on the host.
+
+OIDC setup is now automated in the container.
+
diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml
deleted file mode 100644
index 0fee41d..0000000
--- a/gitea/docker-compose.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-version: "3"
-
-networks:
-  gitea:
-    external: false
-
-services:
-  gitea:
-    image: gitea/gitea:1.16.6
-    env_file:
-      - ../env.production
-      - env.production
-      - ../data/gitea/env.secrets
-    environment:
-      - USER_UID=2222 # must match git user on host system
-      - USER_GID=2222
-      - GITEA__database__DB_TYPE=postgres
-      - GITEA__database__HOST=db:5432
-      - GITEA__database__NAME=gitea
-      - GITEA__database__USER=gitea
-      - GITEA__database__PASSWD=gitea
-    networks:
-      - gitea
-    volumes:
-      - ../data/gitea:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-      - /home/git/.ssh/:/data/git/.ssh
-    ports:
-      - "3030:3000"
-      - "2222:22"
-    restart: always
-    depends_on:
-      - db
- 
-  db:
-    image: postgres:13.4-alpine
-    restart: always
-    environment:
-      - POSTGRES_USER=gitea
-      - POSTGRES_PASSWORD=gitea
-      - POSTGRES_DB=gitea
-    volumes:
-      - ../data/gitea/postgres:/var/lib/postgresql/data
-    networks:
-      - gitea
diff --git a/gitea/env.production b/gitea/env.production
deleted file mode 100644
index 70b7682..0000000
--- a/gitea/env.production
+++ /dev/null
@@ -1,7 +0,0 @@
-# gitea config for keycloak integration
-# only allow open id sign-in, turn off all other registrations
-GITEA__openid__ENABLE_OPENID_SIGNIN=true
-GITEA__openid__ENABLE_OPENID_SIGNUP=false
-#GITEA__service__DISABLE_REGISTRATION=true
-GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
-GITEA__repository__DEFAULT_BRANCH=main
diff --git a/gitea/add-ssh-user b/gitea/host-setup.sh
similarity index 100%
rename from gitea/add-ssh-user
rename to gitea/host-setup.sh
diff --git a/gitea/keycloak.sh b/gitea/keycloak.sh
new file mode 100755
index 0000000..dc2341b
--- /dev/null
+++ b/gitea/keycloak.sh
@@ -0,0 +1,4 @@
+#!/bin/bash -x
+# Setup the gitea client connection
+
+client-create gitea "$GITEA_HOSTNAME.$DOMAIN_NAME" "$GITEA_CLIENT_SECRET" </dev/null
diff --git a/nginx/nginx/templates/git.conf.template b/gitea/nginx.conf
similarity index 75%
rename from nginx/nginx/templates/git.conf.template
rename to gitea/nginx.conf
index 5c96a3a..25671e8 100644
--- a/nginx/nginx/templates/git.conf.template
+++ b/gitea/nginx.conf
@@ -1,5 +1,5 @@
 server {
-	server_name ${GITEA_HOSTNAME};
+	server_name ${GITEA_HOSTNAME} ${GITEA_HOSTNAME}.${DOMAIN_NAME};
 	client_max_body_size 128m;
 
 	sendfile on;
@@ -14,17 +14,17 @@ server {
 	proxy_read_timeout 1800s;
 
 	location / {
-		proxy_pass http://host.docker.internal:3030;
+		proxy_pass http://gitea:3000;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 
-  # force login with OIDC
-  location /user/login {
-    return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak;
-  }
+	# force login with OIDC
+	location /user/login {
+		return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
+	}
 
 	listen 443 ssl;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
@@ -33,5 +33,3 @@ server {
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
-
-
diff --git a/gitea/setup b/gitea/setup
deleted file mode 100755
index 67d22be..0000000
--- a/gitea/setup
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; }
-info() { echo >&2 "gitea: $*" ; }
-
-DIRNAME="$(dirname $0)"
-cd "$DIRNAME"
-
-source ../env.production || die "no top level environment"
-source ./env.production || die "no local environment"
-
-DATA="../data/gitea"
-SECRETS="$DATA/env.secrets"
-INI="$DATA/gitea/conf/app.ini"
-
-if [ -r "$SECRETS" ]; then
-	docker-compose up -d || die "unable to start"
-	exit 0
-fi
-
-./add-ssh-user || die "unable to add ssh user"
-
-GITEA_CLIENT_SECRET="$(openssl rand -hex 32)"
-GITEA_ADMIN_PASSWORD="$(openssl rand -hex 8)"
-
-info "creating new secrets $SECRETS"
-
-mkdir -p "$DATA"
-cat <<EOF > "$SECRETS"
-# DO NOT CHECK IN
-GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
-GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD
-GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
-GITEA__server__SSH_DOMAIN=$GITEA_HOSTNAME
-GITEA__security__INSTALL_LOCK=true
-GITEA__security__SECRET_KEY=$(openssl rand -hex 32)
-EOF
-
-
-docker-compose down 2>/dev/null
-
-../keycloak/client-delete gitea 2>/dev/null
-../keycloak/client-create <<EOF || die "unable to create gitea client"
-{
-	"clientId": "gitea",
-	"rootUrl": "https://$GITEA_HOSTNAME",
-	"adminUrl": "https://$GITEA_HOSTNAME",
-	"redirectUris": [ "https://$GITEA_HOSTNAME/*" ],
-	"webOrigins": [ "https://$GITEA_HOSTNAME" ],
-	"clientAuthenticatorType": "client-secret",
-	"secret": "$GITEA_CLIENT_SECRET"
-}
-EOF
-
-docker-compose up -d || die "unable to start container"
-
-info "waiting for startup..."
-sleep 5
-
-info "adding oauth login"
-docker-compose exec -u git gitea \
-	gitea admin auth add-oauth \
-	--name "keycloak" \
-	--provider "openidConnect" \
-	--key "gitea" \
-	--secret "$GITEA_CLIENT_SECRET" \
-	--auto-discover-url "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/.well-known/openid-configuration" \
-	--group-claim-name "groups" \
-	--admin-group "admin" \
-|| die "unable to add oauth interface"
diff --git a/gitea/setup.sh b/gitea/setup.sh
new file mode 100755
index 0000000..091bd35
--- /dev/null
+++ b/gitea/setup.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+# This is *container* setup for the OIDC stuff
+
+export APP_NAME="${DOMAIN_NAME} Gitea"
+OIDC_CANARY="/data/oidc.done"
+
+if [ -r "$OIDC_CANARY" ]; then
+	# based on https://github.com/go-gitea/gitea/blob/main/Dockerfile
+	exec "/usr/bin/entrypoint" "/bin/s6-svscan"  "/etc/s6";
+fi
+
+
+# We have to do some setup, so start things and wait for the config
+# file to appear so that we can edit it.
+"/usr/bin/entrypoint" "/bin/s6-svscan"  "/etc/s6" &
+
+echo >&2 "*** Sleeping for setup"
+sleep 30
+
+echo >&2 "*** Adding OIDC login for $DOMAIN_NAME"
+su -s /bin/sh git <<EOF || exit 1
+gitea admin auth add-oauth \
+	--name "keycloak" \
+	--provider "openidConnect" \
+	--key "gitea" \
+	--secret "${GITEA_CLIENT_SECRET}" \
+	--auto-discover-url "https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/.well-known/openid-configuration" \
+	--group-claim-name "groups" \
+	--admin-group "admin" \
+
+EOF
+
+touch "${OIDC_CANARY}"
+
+echo >&2 "*** Done, maybe it works?"
+exit 0