diff --git a/k8s/apps/gitea/app.yaml b/k8s/apps/gitea/app.yaml
new file mode 100644
index 0000000..34c7465
--- /dev/null
+++ b/k8s/apps/gitea/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: gitea
+ namespace: argocd
+spec:
+ project: apps
+ destination:
+ namespace: gitea
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/apps/gitea
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/k8s/apps/gitea/deployment.yaml b/k8s/apps/gitea/deployment.yaml
new file mode 100644
index 0000000..19a8fe3
--- /dev/null
+++ b/k8s/apps/gitea/deployment.yaml
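Review bot: `repoURL` points Argo CD at the Gitea instance that this same Application deploys (`gt.hexor.cy` is the Ingress host and `30022` the `gitea-ssh` Service port added in this commit), so with `selfHeal: true` and `prune: true` a commit that breaks Gitea cannot be corrected by pushing a fix, because the repository server itself is down. `targetRevision: HEAD` with automated sync also means that whoever can push to the default branch of that repository decides what is applied to the cluster, so branch protection on it matters. I would add a comment above `source:` such as `# NOTE: this repo is served by the Gitea deployed here; if Gitea is down, recover with a manual kubectl apply -k` and keep an out-of-band mirror of the repository.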
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea
+ namespace: gitea
+ labels:
+ app: gitea
+spec:
+ selector:
+ matchLabels:
+ app: gitea
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: gitea
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ volumes:
+ - name: storage
+ hostPath:
+ path: /k8s/gitea
+ type: Directory
+ containers:
+ - name: gitea
+ image: 'gitea/gitea:latest'
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ - name: ssh
+ containerPort: 22
+ protocol: TCP
+ volumeMounts:
+ - name: storage
+ mountPath: /data
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea-runner
+ namespace: gitea
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitea-runner
+ template:
+ metadata:
+ labels:
+ app: gitea-runner
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ volumes:
+ - name: docker-sock
+ hostPath:
+ #path: /var/run/k3s/containerd/containerd.sock
+ path: /var/run/docker.sock
+ type: Socket
+ containers:
+ - name: gitea-runner
+ image: gitea/act_runner:nightly
+ volumeMounts:
+ - name: docker-sock
+ mountPath: /var/run/docker.sock
+ env:
+ - name: GITEA_INSTANCE_URL
+ value: "https://gt.hexor.cy"
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: gitea-runner-act-runner-secrets
+ key: token
+ - name: GITEA_RUNNER_NAME
+ value: "k8s-runner"
+ - name: GITEA_RUNNER_LABELS
+ value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
+
diff --git a/k8s/apps/gitea/external-secrets.yaml b/k8s/apps/gitea/external-secrets.yaml
new file mode 100644
index 0000000..9ace272
--- /dev/null
+++ b/k8s/apps/gitea/external-secrets.yaml
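Review bot: The `gitea-runner` pod mounts the node's `/var/run/docker.sock` through `hostPath`, so every workflow job this runner accepts can drive the host Docker daemon, which amounts to root on `master.tail2fe2d.ts.net` (judging by the name, probably a control-plane node). The trust boundary of that node therefore becomes "anyone who can get a workflow run on this runner"; giving the runner its own isolated daemon (a rootless dind sidecar or a dedicated worker node) and registering it only for trusted repositories contains that. Both images use mutable tags (`gitea/gitea:latest`, `gitea/act_runner:nightly`), so a pod restart can silently pull different code; pin a release tag and digest, e.g. `image: gitea/gitea:<VERSION>@sha256:<DIGEST>`. Separately, the `gitea` Deployment combines `RollingUpdate` / `maxUnavailable: 0` with a single `hostPath` data directory, which lets the old and new pod write to `/data` at the same time during a rollout; `strategy: {type: Recreate}` avoids that. Neither container sets a `securityContext` or resource limits.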
@@ -0,0 +1,26 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: gitea-runner-token
+ namespace: gitea
+spec:
+ refreshInterval: 1m
+ target:
+ name: gitea-runner-act-runner-secrets
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ token: |-
+ {{ .password }}
+ data:
+ - secretKey: password
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
+ property: login.password
+
diff --git a/k8s/apps/gitea/ingress.yaml b/k8s/apps/gitea/ingress.yaml
new file mode 100644
index 0000000..1d860f9
--- /dev/null
+++ b/k8s/apps/gitea/ingress.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gitea-tls-ingress
+ namespace: gitea
+ annotations:
+ ingressClassName: traefik
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ rules:
+ - host: gt.hexor.cy
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: gitea
+ port:
+ number: 80
+ tls:
+ - secretName: gitea-tls
+ hosts:
+ - gt.hexor.cy
+
diff --git a/k8s/apps/gitea/kustomization.yaml b/k8s/apps/gitea/kustomization.yaml
new file mode 100644
index 0000000..ac085db
--- /dev/null
+++ b/k8s/apps/gitea/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ - external-secrets.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
+
diff --git a/k8s/apps/gitea/service.yaml b/k8s/apps/gitea/service.yaml
new file mode 100644
index 0000000..abba9c9
--- /dev/null
+++ b/k8s/apps/gitea/service.yaml
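Review bot: In external-secrets.yaml, `refreshInterval: 1m` makes the operator re-read the Vaultwarden item every minute for a runner registration token that presumably changes rarely. A longer interval such as `refreshInterval: 1h` reduces load on the store and keeps its access log quiet enough that an unexpected read stands out. The bare UUID in `remoteRef.key` is also opaque to a reader; a comment above it such as `# Vaultwarden item: <ITEM NAME> (Gitea runner registration token)` would say which credential is being pulled.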
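Review bot: In ingress.yaml, `ingressClassName: traefik` is written under `metadata.annotations`, where it is just an unrecognised annotation; the class is selected by the `spec.ingressClassName` field (or the legacy `kubernetes.io/ingress.class` annotation). The Ingress presumably still gets picked up only because Traefik is the cluster's default class, which would stop holding if a second controller were installed. Remove the annotation line and add `ingressClassName: traefik` directly under `spec:`.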
@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea
+ namespace: gitea
+spec:
+ selector:
+ app: gitea
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 3000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-ssh
+ namespace: gitea
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 30022
+ targetPort: 22
+ selector:
+ app: gitea
+
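Review bot: `gitea-ssh` is `type: LoadBalancer` with no source restriction, so Git-over-SSH on port 30022 is reachable from wherever the load balancer address is routable; if that includes the public internet it will see continuous credential guessing. If only known networks need SSH, add `loadBalancerSourceRanges:` with those CIDRs, and consider `externalTrafficPolicy: Local` so the client source IP stays visible in Gitea's SSH logs for auditing and rate limiting. Naming the port (`name: ssh`) and using `targetPort: ssh` would also tie the Service to the named container port in deployment.yaml rather than to the literal `22`.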