diff --git a/README.md b/README.md index 3d15e4a..10df55f 100644 --- a/README.md +++ b/README.md @@ -15,8 +15,5 @@ apt install jq docker-compose ``` ./keycloak/setup ./nginx/setup -./hedgedoc/setup -./nextcloud/setup -./mastodon/setup -./grafana/setup +./start-all ``` diff --git a/env.production b/env.production index 69e6b8a..10b3f52 100644 --- a/env.production +++ b/env.production @@ -6,5 +6,5 @@ HEDGEDOC_HOSTNAME=docs.hackerspace.zone MASTODON_HOSTNAME=social.hackerspace.zone NEXTCLOUD_HOSTNAME=cloud.hackerspace.zone GRAFANA_HOSTNAME=dashboard.hackerspace.zone -GITLAB_HOSTNAME=git.hackerspace.zone +GITEA_HOSTNAME=git.hackerspace.zone MATRIX_HOSTNAME=matrix.hackerspace.zone diff --git a/gitea/README.md b/gitea/README.md new file mode 100644 index 0000000..ef1b0be --- /dev/null +++ b/gitea/README.md @@ -0,0 +1,3 @@ +# gitea + +OIDC setup is now automated diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml new file mode 100644 index 0000000..df66dbf --- /dev/null +++ b/gitea/docker-compose.yaml @@ -0,0 +1,45 @@ +version: "3" + +networks: + gitea: + external: false + +services: + gitea: + image: gitea/gitea:1.16.6 + env_file: + - ../env.production + - env.production + - ../data/gitea/env.secrets + environment: + - USER_UID=1000 + - USER_GID=1000 + - GITEA__database__DB_TYPE=postgres + - GITEA__database__HOST=db:5432 + - GITEA__database__NAME=gitea + - GITEA__database__USER=gitea + - GITEA__database__PASSWD=gitea + networks: + - gitea + volumes: + - ../data/gitea:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "3030:3000" + - "222:22" + restart: always + depends_on: + - db + + db: + image: postgres:13.4-alpine + restart: always + environment: + - POSTGRES_USER=gitea + - POSTGRES_PASSWORD=gitea + - POSTGRES_DB=gitea + volumes: + - ../data/gitea/postgres:/var/lib/postgresql/data + networks: + - gitea diff --git a/gitea/env.production b/gitea/env.production new file mode 100644 index 0000000..f7920e2 
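Review bot: The `ports:` entries `"3030:3000"` and `"222:22"` in the gitea service publish Gitea's plain-HTTP UI and SSH on every host interface, and 3030 is the very port nginx fronts, so anything that reaches the host directly gets Gitea without TLS and without the proxy's `/user/login` to OIDC redirect (the local password sign-in form included). Since the nginx template reaches the backend as `host.docker.internal:3030`, binding to loopback would presumably break the proxy; binding to the docker gateway address instead, e.g. `- "172.17.0.1:3030:3000"` (confirm the bridge address on this host), or filtering the port at the host firewall, would close the gap. Separately, `GITEA__database__PASSWD=gitea` and `POSTGRES_PASSWORD=gitea` are a fixed credential committed in both services while `gitea/setup` already generates the other secrets into `../data/gitea/env.secrets`; the db is only on the internal `gitea` network, but generating this password in setup as well and giving the db service the same `env_file: - ../data/gitea/env.secrets` (with `POSTGRES_PASSWORD` written there) would keep every credential out of the repository.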
--- /dev/null +++ b/gitea/env.production @@ -0,0 +1,6 @@ +# gitea config for keycloak integration +# only allow open id sign-in, turn off all other registrations +GITEA__openid__ENABLE_OPENID_SIGNIN=true +GITEA__openid__ENABLE_OPENID_SIGNUP=false +#GITEA__service__DISABLE_REGISTRATION=true +GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true diff --git a/gitea/setup b/gitea/setup new file mode 100755 index 0000000..d05db79 --- /dev/null +++ b/gitea/setup @@ -0,0 +1,67 @@ +#!/bin/bash +die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; } +info() { echo >&2 "gitea: $*" ; } + +DIRNAME="$(dirname $0)" +cd "$DIRNAME" + +source ../env.production || die "no top level environment" +source ./env.production || die "no local environment" + +DATA="../data/gitea" +SECRETS="$DATA/env.secrets" +INI="$DATA/gitea/conf/app.ini" + +if [ -r "$SECRETS" ]; then + docker-compose up -d || die "unable to start" + exit 0 +fi + + +GITEA_CLIENT_SECRET="$(openssl rand -hex 32)" +GITEA_ADMIN_PASSWORD="$(openssl rand -hex 8)" + +info "creating new secrets $SECRETS" + +mkdir -p "$DATA" +cat < "$SECRETS" +# DO NOT CHECK IN +GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET +GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD +GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/ +GITEA__security__INSTALL_LOCK=true +GITEA__security__SECRET_KEY=$(openssl rand -hex 32) +EOF + + +docker-compose down 2>/dev/null + +../keycloak/client-delete gitea 2>/dev/null +../keycloak/client-create <mastodon: federated social media
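Review bot: The comment `# only allow open id sign-in, turn off all other registrations` overstates what these keys do: `GITEA__openid__ENABLE_OPENID_SIGNIN` and `ENABLE_OPENID_SIGNUP` belong to Gitea's `[openid]` section, its legacy OpenID 2.0 login (`/user/login/openid`), not to the OAuth2 `keycloak` source that the nginx `/user/login` redirect targets, and nothing in this file disables the local password sign-in form, which stays usable wherever the proxy is bypassed. If OpenID 2.0 is not actually wanted, `GITEA__openid__ENABLE_OPENID_SIGNIN=false` is the safer value, and the comment should state that password login is blocked only by the nginx redirect. `#GITEA__service__DISABLE_REGISTRATION=true` is also commented out without a reason; as far as I recall `ALLOW_ONLY_EXTERNAL_REGISTRATION` only takes effect while registration is not disabled outright, which is worth recording: `# keep DISABLE_REGISTRATION unset: ALLOW_ONLY_EXTERNAL_REGISTRATION is ignored when registration is disabled`.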
  • nextcloud: self hosted documents and calendaring
  • grafana: dashboards and statistic collection +
  • gitea: git repository hosting
  • keycloak: user management and single sign on for the domain diff --git a/nginx/certbot-renew b/nginx/certbot-renew index 25b4873..7a5ed08 100755 --- a/nginx/certbot-renew +++ b/nginx/certbot-renew @@ -7,7 +7,7 @@ cd "$DIRNAME" source ../env.production source ./env.production -domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME" +domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME" rsa_key_size=2048 set -x diff --git a/nginx/nginx/templates/git.conf.template b/nginx/nginx/templates/git.conf.template new file mode 100644 index 0000000..5c96a3a --- /dev/null +++ b/nginx/nginx/templates/git.conf.template @@ -0,0 +1,37 @@ +server { + server_name ${GITEA_HOSTNAME}; + client_max_body_size 128m; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + gzip on; + gzip_disable "msie6"; + + proxy_read_timeout 1800s; + + location / { + proxy_pass http://host.docker.internal:3030; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # force login with OIDC + location /user/login { + return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak; + } + + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem; + include /etc/nginx/includes/options-ssl-nginx.conf; + include /etc/nginx/includes/challenge.conf; + ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; +} + +
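Review bot: The `location /user/login { return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak; }` block enforces OIDC only for requests that pass through nginx; the backend it proxies to, `host.docker.internal:3030`, is the same port the gitea compose file in this commit publishes on all host interfaces, so the password form and the whole UI over plain HTTP stay reachable by anyone who can reach the host on 3030 unless that port is firewalled or bound to the docker gateway address. The source name `keycloak` in the redirect target has to match the OAuth2 source that `gitea/setup` creates, and that script is cut off on this page, so I could not confirm it. This server block also sets no `Strict-Transport-Security` header; unless `options-ssl-nginx.conf` adds one (the stock certbot include does not), consider `add_header Strict-Transport-Security "max-age=31536000" always;` next to `listen 443 ssl;`, consistent with whatever the other site templates do.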