diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
index 683a499..1177466 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@@ -7,6 +7,7 @@ profiles::haproxy::dns::vrrp_cnames:
 - readarr.main.unkin.net
 - prowlarr.main.unkin.net
 - nzbget.main.unkin.net
+ - git.unkin.net
 profiles::haproxy::mappings:
 fe_http:
@@ -22,6 +23,7 @@ profiles::haproxy::mappings:
 - 'nzbget.main.unkin.net be_nzbget'
 - 'jellyfin.main.unkin.net be_jellyfin'
 - 'fafflix.unkin.net be_jellyfin'
+ - 'git.unkin.net be_gitea'
 fe_https:
 ensure: present
 mappings:
@@ -35,6 +37,7 @@ profiles::haproxy::mappings:
 - 'nzbget.main.unkin.net be_nzbget'
 - 'jellyfin.main.unkin.net be_jellyfin'
 - 'fafflix.unkin.net be_jellyfin'
+ - 'git.unkin.net be_gitea'
 profiles::haproxy::frontends:
 fe_http:
@@ -53,6 +56,7 @@ profiles::haproxy::frontends:
 - 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
 - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
 - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
+ - 'acl_gitea req.hdr(host) -i git.unkin.net'
 - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
 use_backend:
 - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -68,6 +72,7 @@ profiles::haproxy::frontends:
 - 'set-header X-Frame-Options DENY if acl_nzbget'
 - 'set-header X-Frame-Options DENY if acl_jellyfin'
 - 'set-header X-Frame-Options DENY if acl_fafflix'
+ - 'set-header X-Frame-Options DENY if acl_gitea'
 - 'set-header X-Content-Type-Options nosniff'
 - 'set-header X-XSS-Protection 1;mode=block'
@@ -215,6 +220,22 @@ profiles::haproxy::backends:
 - set-header X-Forwarded-Port %[dst_port]
 - add-header X-Forwarded-Proto https if { dst_port 443 }
 redirect: 'scheme https if !{ ssl_fc }'
+ be_gitea:
+ description: Backend for gitea cluster
+ collect_exported: false # handled in custom function
+ options:
+ balance: roundrobin
+ option:
+ - httpchk GET /
+ - forwardfor
+ - http-keep-alive
+ - prefer-last-server
+ cookie: SRVNAME insert indirect nocache
+ http-reuse: always
+ http-request:
+ - set-header X-Forwarded-Port %[dst_port]
+ - add-header X-Forwarded-Proto https if { dst_port 443 }
+ redirect: 'scheme https if !{ ssl_fc }'
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@@ -227,6 +248,7 @@ profiles::haproxy::certlist::certificates:
 - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
+ - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
 - /etc/pki/tls/vault/certificate.pem
 # additional altnames
@@ -252,3 +274,4 @@ certbot::client::domains:
 - prowlarr.main.unkin.net
 - nzbget.main.unkin.net
 - fafflix.unkin.net
+ - git.unkin.net
diff --git a/hieradata/roles/infra/git/server.yaml b/hieradata/roles/infra/git/server.yaml
index 993d9f8..208c6f4 100644
--- a/hieradata/roles/infra/git/server.yaml
+++ b/hieradata/roles/infra/git/server.yaml
@@ -3,6 +3,7 @@ hiera_include:
 - profiles::sql::postgresdb
 - profiles::nginx::simpleproxy
 - profiles::gitea::user
+ - profiles::gitea::haproxy
 - gitea
 # additional altnames
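Review bot: The new `be_gitea` backend sets its stickiness cookie as `cookie: SRVNAME insert indirect nocache` without the `httponly` and `secure` attributes, even though the same stanza forces TLS with `redirect: 'scheme https if !{ ssl_fc }'`. Consider `cookie: SRVNAME insert indirect nocache httponly secure` so the server-selection cookie is neither readable from page scripts nor sent on the initial plain-HTTP request that gets redirected. The sibling backends' cookie lines are outside the hunk, so the same check presumably applies there too.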
@@ -70,10 +71,15 @@ profiles::nginx::simpleproxy::proxy_port: 3000
 profiles::nginx::simpleproxy::proxy_path: '/'
 nginx::client_max_body_size: 1024M
+# enable external access via haproxy
+profiles::gitea::haproxy::enable: true
+
+# manage a pgsql database + user
 profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
 profiles::sql::postgresdb::dbname: gitea
 profiles::sql::postgresdb::dbuser: gitea
+# deploy gitea
 gitea::ensure: '1.22.4'
 gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
 gitea::manage_user: false
@@ -96,11 +102,11 @@ gitea::custom_configuration:
 server:
 PROTOCOL: 'http'
 DOMAIN: 'git.unkin.net'
- ROOT_URL: 'https://git.query.consul'
+ ROOT_URL: 'https://git.unkin.net'
 HTTP_ADDR: '0.0.0.0'
 HTTP_PORT: 3000
 START_SSH_SERVER: false
- SSH_DOMAIN: 'git.query.consul'
+ SSH_DOMAIN: 'git.unkin.net'
 SSH_PORT: 2222
 SSH_LISTEN_HOST: '0.0.0.0'
 OFFLINE_MODE: true
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
index c31492e..b91e40e 100644
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -13,3 +13,4 @@ certbot::domains:
 - prowlarr.main.unkin.net
 - nzbget.main.unkin.net
 - fafflix.unkin.net
+ - git.unkin.net
diff --git a/site/profiles/manifests/gitea/haproxy.pp b/site/profiles/manifests/gitea/haproxy.pp
new file mode 100644
index 0000000..ddea586
--- /dev/null
+++ b/site/profiles/manifests/gitea/haproxy.pp
@@ -0,0 +1,21 @@
+# enable external access via haproxy
+class profiles::gitea::haproxy (
+ Boolean $enable = false,
+){
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+ service => 'be_gitea',
+ ports => [443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
+
+}
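Review bot: `SSH_DOMAIN: 'git.unkin.net'` now makes Gitea advertise SSH clone URLs on the public name (with `SSH_PORT: 2222` as context), but the haproxy2.yaml hunks only add `git.unkin.net` to the `fe_http`/`fe_https` mappings and ACLs and add no TCP frontend or backend for port 2222. Unless such a listener exists outside this diff, SSH clones via the public name would presumably fail while HTTPS clones work; either add a TCP frontend/backend for 2222 on the load balancer, or keep `SSH_DOMAIN` on a name that resolves directly to the git server and document the split. The `server:` section continues outside the hunk.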
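Review bot: The `Boolean $enable = false` parameter of `profiles::gitea::haproxy` is never read, so the `profiles::haproxy::balancemember` export happens unconditionally and the `profiles::gitea::haproxy::enable: true` key added in the server.yaml hunk (`@@ -70,10 +71,15 @@`) has no effect; wrap the resource in `if $enable { ... }` so the documented default actually suppresses the export. Separately, `'ssl'` combined with `'verify none'` means haproxy will not validate the git server's certificate on the backend hop, so the load balancer would trust whatever answers at that address; if an internal CA is available, prefer `'verify required'` plus `"ca-file <INTERNAL_CA_BUNDLE_PATH>"` (placeholder), and otherwise record the exception inline, e.g. `# verify none: backend cert is not CA-signed — TODO pin CA`.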