diff --git a/nixos_configs/git.nix b/nixos_configs/git.nix
index 1d9f9d9..330be6b 100644
--- a/nixos_configs/git.nix
+++ b/nixos_configs/git.nix
@@ -13,7 +13,7 @@ in
 };
 environment.systemPackages = with pkgs;
- [ jq git gitolite lighttpd cgit ];
+ [ jq git gitolite gitea nginx ];
 services.openssh.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 80 443 ];
@@ -29,15 +29,44 @@ in
 dataDir = "${storage-dir}/data/gitolite";
 };
- users.users.lighttpd.extraGroups = [ "gitolite" ];
-
- services.lighttpd.enable = true;
- services.lighttpd.cgit = {
+ services.gitea = {
 enable = true;
- configText = ''
- source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
- project-list=/srv/data/gitolite/projects.list
- scan-path=/srv/data/gitolite/repositories
- '';
+ stateDir = "${storage-dir}/data/gitea";
+ domain = "code.betamike.com";
+ rootUrl = "https://code.betamike.com";
+
+ # will be reverse proxied through nginx for TLS termination
+ httpAddress = "localhost";
+ httpPort = 3000;
+
+ # only send cookies over tls
+ cookieSecure = true;
+
+ # TODO: enable after initial setup
+ disableRegistration = false;
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "code.betamike.com" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ };
+ };
+ };
+ };
+
+ security.acme.acceptTerms = true;
+ security.acme.certs = {
+ "code.betamike.com".email = "mike@betamike.com";
 };
 }
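Review bot: `disableRegistration = false;` in the new `services.gitea` block leaves self-registration open on an instance that this same change publishes at `https://code.betamike.com` through nginx, with 80 and 443 already allowed in the firewall list shown in the first hunk. Gitea gives administrator rights to the first account that registers, and while the TODO is outstanding any visitor can create an account. I would ship `disableRegistration = true;` from the first deploy and create the initial administrator on the host with `gitea admin user create`, which removes the exposure window and the reliance on someone remembering the TODO. If open sign-up is wanted for a short bootstrap, restricting the nginx vhost to a trusted address for that period would be a reasonable stopgap.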