diff --git a/pillar/secrets/gitea.sls.sample b/pillar/secrets/gitea.sls.sample
new file mode 100644
index 0000000..56398e0
--- /dev/null
+++ b/pillar/secrets/gitea.sls.sample
@@ -0,0 +1,3 @@
+gitea:
+ lfs_jwt_secret: 'xyzzy'
+ internal_token: 'plugh'
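Review bot: The sample gives no hint of what shape the two values must have, so a copy with short words like `'xyzzy'` substituted is likely to be deployed as-is. As far as I know Gitea expects `LFS_JWT_SECRET` to be a base64url-encoded random value and `INTERNAL_TOKEN` to be a long random token, neither a free-form passphrase. I would add a header comment such as `# Generate with: gitea generate secret JWT_SECRET / gitea generate secret INTERNAL_TOKEN` and `# Copy to gitea.sls (keep out of version control) and replace both values`. Whether the real `pillar/secrets/gitea.sls` is already ignored by the repository is not visible from this diff and is worth confirming.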
diff --git a/pillar/top.sls b/pillar/top.sls
index 4668d6f..33ea091 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,4 +1,5 @@
base:
'scabbers.lunch.org.uk':
- secrets/dnsapi
+ - secrets/gitea
diff --git a/states/certificates/dehydrated/dnsapi.config.txt b/states/certificates/dehydrated/dnsapi.config.txt
index 45f9063..7920aac 100644
--- a/states/certificates/dehydrated/dnsapi.config.txt
+++ b/states/certificates/dehydrated/dnsapi.config.txt
@@ -10,6 +10,7 @@ www.bear-cave.org.uk {{ keyid }} {{ secret }}
{#- -#}
lunch.org.uk {{ keyid }} {{ secret }}
www.lunch.org.uk {{ keyid }} {{ secret }}
+git.lunch.org.uk {{ keyid }} {{ secret }}
hg.lunch.org.uk {{ keyid }} {{ secret }}
jenkins.lunch.org.uk {{ keyid }} {{ secret }}
lists.lunch.org.uk {{ keyid }} {{ secret }}
diff --git a/states/certificates/dehydrated/domains.txt b/states/certificates/dehydrated/domains.txt
index 86efae8..44ba3c8 100644
--- a/states/certificates/dehydrated/domains.txt
+++ b/states/certificates/dehydrated/domains.txt
@@ -1,5 +1,6 @@
bear-cave.org.uk www.bear-cave.org.uk
lunch.org.uk www.lunch.org.uk
+git.lunch.org.uk
hg.lunch.org.uk
jenkins.lunch.org.uk
mail.lunch.org.uk
diff --git a/states/gitea/app.ini b/states/gitea/app.ini
new file mode 100644
index 0000000..921d6f6
--- /dev/null
+++ b/states/gitea/app.ini
@@ -0,0 +1,79 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE = sqlite3
+HOST = 127.0.0.1:5432
+NAME = gitea
+USER = gitea
+PASSWD =
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+PATH = /var/lib/gitea/data/gitea.db
+LOG_SQL = false
+
+[repository]
+ROOT = /var/lib/gitea/data/gitea-repositories
+
+[server]
+SSH_DOMAIN = git.lunch.org.uk
+DOMAIN = git.lunch.org.uk
+HTTP_PORT = 3000
+ROOT_URL = https://git.lunch.org.uk/
+DISABLE_SSH = false
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ pillar['gitea']['lfs_jwt_secret'] }}
+OFFLINE_MODE = false
+
+[lfs]
+PATH = /var/lib/gitea/data/lfs
+
+[mailer]
+ENABLED = true
+HOST = mail.lunch.org.uk:587
+FROM = git@lunch.org.uk
+USER =
+PASSWD =
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.lunch.org.uk
+
+[picture]
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /var/lib/gitea/log
+ROUTER = console
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ pillar['gitea']['internal_token'] }}
+PASSWORD_HASH_ALGO = pbkdf2
+
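Review bot: `[server]` sets `HTTP_PORT = 3000` but no `HTTP_ADDR`, so Gitea binds its default address, which as far as I know is all interfaces. Since Apache terminates TLS and proxies to `localhost:3000`, adding `HTTP_ADDR = 127.0.0.1` keeps the plain-HTTP listener off the network regardless of firewall state. In `[service]` and `[openid]`, `DISABLE_REGISTRATION = false` combined with `REGISTER_EMAIL_CONFIRM = false`, `ENABLE_CAPTCHA = false` and `ENABLE_OPENID_SIGNUP = true` allows unverified self-signup on a public `ROOT_URL`; if the instance is for known users, `DISABLE_REGISTRATION = true` is the safer default. `[security]` templates `INTERNAL_TOKEN` from pillar but sets no `SECRET_KEY`, so confirm what the packaged version falls back to and template it from pillar too if that is a built-in default.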
diff --git a/states/gitea/git.lunch.org.uk.conf b/states/gitea/git.lunch.org.uk.conf
new file mode 100644
index 0000000..d762cf7
--- /dev/null
+++ b/states/gitea/git.lunch.org.uk.conf
@@ -0,0 +1,47 @@
+
+
+
+ ServerName git.lunch.org.uk
+
+ ErrorLog /var/log/apache2/git-error.log
+ CustomLog /var/log/apache2/git-access.log combined
+
+ RemoteIPProxyProtocol On
+
+ # Jenkins
+ ProxyPass / http://localhost:3000/
+ ProxyPassReverse / http://localhost:3000
+ ProxyRequests Off
+ AllowEncodedSlashes NoDecode
+
+ # Local reverse proxy authorization override
+ # Most unix distribution deny proxy by default
+
+ Order deny,allow
+ Allow from all
+
+
+ SSLEngine on
+ SSLCertificateFile /var/lib/dehydrated/certs/git.lunch.org.uk/fullchain.pem
+ SSLCertificateKeyFile /var/lib/dehydrated/certs/git.lunch.org.uk/privkey.pem
+
+
+
+
+
+ ServerName git.lunch.org.uk
+
+ ErrorLog /var/log/apache2/git-error.log
+ CustomLog /var/log/apache2/git-access.log combined
+
+ RemoteIPProxyProtocol On
+
+
+ #
+ # This redirects all accesses to the HTTPS version of the site.
+ #
+ RewriteEngine On
+
+ RewriteRule ^/?(.*) https://git.lunch.org.uk/$1 [R=301,L]
+
+
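Review bot: The proxy lines in the TLS vhost are inconsistent: `ProxyPass / http://localhost:3000/` has a trailing slash while `ProxyPassReverse / http://localhost:3000` does not, and the `# Jenkins` comment above them is a leftover that should read `# Gitea`. `AllowEncodedSlashes NoDecode` is set, but without `nocanon` on the `ProxyPass` line mod_proxy re-canonicalises the path, which, as far as I know, breaks URLs containing `%2F`; I would use `ProxyPass / http://localhost:3000/ nocanon` and `ProxyPassReverse / http://localhost:3000/`. `Order deny,allow` / `Allow from all` is Apache 2.2 syntax that needs mod_access_compat on 2.4; `Require all granted` is the current form. `RemoteIPProxyProtocol On` in both vhosts makes Apache take the client address from the PROXY header, so it deserves a comment stating which front end is the only host allowed to reach these listeners. The enclosing container tags are not visible in this hunk, so placement of these directives is inferred.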
diff --git a/states/gitea/init.sls b/states/gitea/init.sls
new file mode 100644
index 0000000..1f5ed13
--- /dev/null
+++ b/states/gitea/init.sls
@@ -0,0 +1,47 @@
+gitea_repo:
+ pkgrepo.managed:
+ - name: deb http://mirrors.dotsrc.org/osdn/storage/g/r/ra/raspbian-addons/debian precise main
+ - key_url: https://apt.raspbian-addons.org/KEY.gpg
+ - file: /etc/apt/sources.list.d/respbian-addons.list
+
+gitea:
+ pkg.installed
+
+gitea_app_ini:
+ file.managed:
+ - name: /etc/gitea/app.ini
+ - source: salt://gitea/app.ini
+ - template: jinja
+ service.running:
+ - name: gitea
+ - restart: true
+ - watch:
+ - file: /etc/gitea/app.ini
+
+var_lib_gitea_directory:
+ file.directory:
+ - name: /var/lib/gitea
+ - user: git
+ - group: git
+ - recurse:
+ - user
+ - group
+
+gitea_web:
+ file.managed:
+ - require:
+ - sls: apache
+ - sls: certificates
+ - names:
+ - /etc/apache2/sites-available/git.lunch.org.uk.conf:
+ - source: salt://gitea/git.lunch.org.uk.conf
+ apache_site.enabled:
+ - require:
+ - file: /etc/apache2/sites-available/git.lunch.org.uk.conf
+ - name: git.lunch.org.uk
+ service.running:
+ - name: apache2
+ - reload: true
+ - watch:
+ - file: /etc/apache2/sites-available/git.lunch.org.uk.conf
+
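Review bot: `gitea_app_ini` renders `LFS_JWT_SECRET` and `INTERNAL_TOKEN` into `/etc/gitea/app.ini` but sets no `user`, `group` or `mode`, so the file takes Salt's defaults and may be readable by every local account. I would pin ownership and mode as in the snippet below, and set `show_changes: false` so the rendered secrets do not appear in state-run diffs and job returns. The `git` group is taken from `var_lib_gitea_directory` in this same hunk. Separately, `gitea_repo` fetches packages over plain `http://`, so integrity rests entirely on the key from `key_url`. The list file name `respbian-addons.list` looks like a typo for `raspbian-addons.list`.

```yaml
gitea_app_ini:
  file.managed:
    # … unchanged: name, source, template …
    - user: root
    - group: git
    - mode: '0640'
    - show_changes: false
  # … unchanged: service.running watching /etc/gitea/app.ini …
```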
diff --git a/states/top.sls b/states/top.sls
index 797148a..b47af20 100644
--- a/states/top.sls
+++ b/states/top.sls
@@ -13,6 +13,7 @@ base:
- apache
- fail2ban
- firewalls/scabbers
+ - gitea
- jenkins
- jenkins/worker
- mercurial