diff --git a/utility-services/gitea/runner.ts b/utility-services/gitea/runner/index.ts
similarity index 98%
rename from utility-services/gitea/runner.ts
rename to utility-services/gitea/runner/index.ts
index 72766f3..90069ef 100644
--- a/utility-services/gitea/runner.ts
+++ b/utility-services/gitea/runner/index.ts
@@ -1,10 +1,10 @@
 import { Construct } from "constructs";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
-
-import { OnePasswordSecret, LonghornPvc } from "../../utils";
 import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
 import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
+import { OnePasswordSecret, LonghornPvc } from "../../../utils";
+
 type GiteaRunnerOptions = {
 provider: KubernetesProvider;
 name: string;
diff --git a/utility-services/gitea/server.ts b/utility-services/gitea/server/index.ts
similarity index 69%
rename from utility-services/gitea/server.ts
rename to utility-services/gitea/server/index.ts
index e439eef..f90228e 100644
--- a/utility-services/gitea/server.ts
+++ b/utility-services/gitea/server/index.ts
@@ -7,8 +7,9 @@ import {
 OnePasswordSecret,
 PublicIngressRoute,
 IngressRouteTcp,
-} from "../../utils";
-import type { Providers } from "../../types";
+ PrivateCertificate,
+} from "../../../utils";
+import type { Providers } from "../../../types";
 type GiteaServerOptions = {
 providers: Providers;
@@ -22,45 +23,61 @@ export class GiteaServer extends Construct {
 super(scope, id);
 const { kubernetes, helm } = options.providers;
+ const { name, namespace, r2Endpoint } = options;
 new OnePasswordSecret(this, "admin", {
 provider: kubernetes,
 name: "gitea-admin",
- namespace: options.namespace,
+ namespace,
 itemPath: "vaults/Lab/items/gitea-admin",
 });
 new OnePasswordSecret(this, "oauth", {
 provider: kubernetes,
 name: "gitea-oauth",
- namespace: options.namespace,
+ namespace,
 itemPath: "vaults/Lab/items/gitea-oauth",
 });
 new OnePasswordSecret(this, "smtp", {
 provider: kubernetes,
 name: "gitea-smtp-token",
- namespace: options.namespace,
+ namespace,
 itemPath: "vaults/Lab/items/smtp-token",
 });
 new OnePasswordSecret(this, "r2", {
 provider: kubernetes,
 name: "gitea-cloudflare-token",
- namespace: options.namespace,
+ namespace,
 itemPath: "vaults/Lab/items/cloudflare",
 });
+ new PrivateCertificate(this, "internal-cert", {
+ provider: kubernetes,
+ namespace,
+ name: "gitea-tls-internal",
+ secretName: "gitea-tls-internal",
+ dnsNames: [
+ "git.dogar.dev",
+ "gitea",
+ "gitea.homelab.svc",
+ "gitea.homelab.svc.cluster.local",
+ ],
+ usages: ["digital signature", "key encipherment", "server auth"],
+ });
+
 new Release(this, id, {
 ...options,
 provider: helm,
 repository: "https://dl.gitea.com/charts",
 chart: "gitea",
+ namespace,
 createNamespace: true,
 set: [
 {
 name: "gitea.config.storage.MINIO_ENDPOINT",
- value: options.r2Endpoint,
+ value: r2Endpoint,
 },
 ],
 values: [
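Review bot: The SAN list on the new PrivateCertificate hardcodes `gitea`, `gitea.homelab.svc` and `gitea.homelab.svc.cluster.local`, while the rest of this constructor now takes the namespace from the `namespace` variable and routes to services named `${name}-http` / `${name}-ssh` (ingress hunk further down), so a client that verifies the server name against the in-cluster service DNS name (`gitea-http.<namespace>.svc`) will not find a matching SAN. Deriving the entries keeps them in step with the services: `` `${name}-http`, `${name}-http.${namespace}.svc`, `${name}-http.${namespace}.svc.cluster.local` `` (keep `git.dogar.dev` for the public host). Which Service name the chart actually exposes for HTTP is not visible here, so confirm it against the rendered Service before changing the list. The constructor continues past the end of this hunk.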
@@ -72,21 +89,22 @@ export class GiteaServer extends Construct {
 new IngressRouteTcp(this, "ssh-ingress", {
 provider: kubernetes,
- namespace: options.namespace,
- name: options.name,
+ namespace,
+ name,
 match: "HostSNI(`*`)",
 entryPoint: "ssh",
- serviceName: `${options.name}-ssh`,
+ serviceName: `${name}-ssh`,
 servicePort: 22,
 });
 new PublicIngressRoute(this, "http-ingress", {
 provider: kubernetes,
- namespace: options.namespace,
- name: options.name,
+ namespace,
+ name,
 host: "git.dogar.dev",
- serviceName: `${options.name}-http`,
+ serviceName: `${name}-http`,
 servicePort: 3000,
+ serviceProtocol: "https",
 });
 }
 }
diff --git a/utility-services/gitea/values.yaml b/utility-services/gitea/server/values.yaml
similarity index 84%
rename from utility-services/gitea/values.yaml
rename to utility-services/gitea/server/values.yaml
index bc58b08..f7aa4a9 100644
--- a/utility-services/gitea/values.yaml
+++ b/utility-services/gitea/server/values.yaml
@@ -24,11 +24,18 @@ gitea:
 enabled: true
 serviceMonitor:
 enabled: true
+ scheme: "https"
+ tlsConfig:
+ insecureSkipVerify: false
+ caFile: /internal-ca/ca.crt
 config:
 server:
 ENABLE_PPROF: true
 ENABLE_GZIP: true
 LFS_START_SERVER: true
+ PROTOCOL: https
+ CERT_FILE: /certs/tls.crt
+ KEY_FILE: /certs/tls.key
 ROOT_URL: https://git.dogar.dev/
 SSH_DOMAIN: git.dogar.dev
 DISABLE_SSH: false
@@ -93,6 +100,27 @@ gitea:
 secretKeyRef:
 name: gitea-cloudflare-token
 key: secret_access_key
+ livenessProbe:
+ httpGet:
+ path: /api/healthz
+ port: 3000
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /api/healthz
+ port: 3000
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ startupProbe:
+ httpGet:
+ path: /api/healthz
+ port: 3000
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
 persistence:
 labels:
 recurring-job.longhorn.io/source: "enabled"
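Review bot: `serviceProtocol: "https"` makes Traefik dial the backend over TLS, but nothing in this hunk says whether the backend certificate is verified; that is decided by whatever ServersTransport `PublicIngressRoute` configures, which is not visible here. Traefik dials endpoint pod IPs by default, so with the DNS-only SANs on the internal certificate verification needs a `serverName` matching one of them plus the issuing CA, and if the helper instead disables verification the hop is encrypted but not authenticated. A one-line comment next to the new field would record which it is, e.g. `// backend TLS: verification (serverName + CA) is configured by PublicIngressRoute's ServersTransport`. The class header is above this hunk.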
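Review bot: `caFile: /internal-ca/ca.crt` under `serviceMonitor.tlsConfig` is a path read by the Prometheus pod, not by Gitea, so unless that file is mounted into Prometheus the scrape fails its TLS handshake now that `scheme: "https"` is set. Prometheus Operator's `tlsConfig` can instead take the CA from a Secret in the ServiceMonitor's namespace, and because scrape targets are pod IPs a `serverName` matching one of the certificate's SANs is needed for `insecureSkipVerify: false` to succeed. Whether cert-manager writes a `ca.crt` key into `gitea-tls-internal` depends on the issuer behind `PrivateCertificate`, so confirm the key exists before switching.
```yaml
    serviceMonitor:
      enabled: true
      scheme: "https"
      tlsConfig:
        insecureSkipVerify: false
        serverName: gitea.homelab.svc   # must be one of the certificate's SANs
        ca:
          secret:
            name: gitea-tls-internal
            key: ca.crt                 # confirm the issuer populates this key
    # … unchanged: config.server block …
```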
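Review bot: The new `startupProbe` sets `periodSeconds: 10` without a `failureThreshold`, so with the Kubernetes default of 3 failures the container is restarted if Gitea is not answering `/api/healthz` about 35 seconds after start, which a first boot or a database migration can exceed; a startup probe normally carries a generous threshold, e.g. `failureThreshold: 30`, and without one it adds nothing over the identical liveness and readiness probes. `scheme: HTTPS` is fine for probes because the kubelet does not verify the certificate, so the internal SANs do not matter here.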
@@ -149,6 +177,9 @@ extraVolumes:
 items:
 - key: ca.crt
 path: root.crt
+ - name: gitea-tls-internal
+ secret:
+ secretName: gitea-tls-internal
 - name: gitea-temp
 emptyDir: {}
 extraInitVolumeMounts:
@@ -159,6 +190,8 @@ extraContainerVolumeMounts:
 - name: ssl-bundle
 mountPath: /opt/gitea/.postgresql
 readOnly: true
+ - name: gitea-tls-internal
+ mountPath: /certs
 readOnly: true
 - name: gitea-temp
 mountPath: /tmp/gitea-uploads
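Review bot: Mounting `gitea-tls-internal` as a Secret volume means cert-manager renewals update the files under `/certs`, but as far as I recall Gitea reads `CERT_FILE`/`KEY_FILE` once when its HTTPS listener starts, so the pod keeps serving the old certificate until it is restarted — confirm against the Gitea version in use. If that holds, the deployment needs a restart trigger on secret change (a checksum annotation or an annotation-based reloader), otherwise the certificate expires in place. A comment beside the volume such as `# renewed by cert-manager; Gitea needs a pod restart to serve the new files` would record the constraint. The second hunk, which adds the matching `/certs` mount, carries the same consideration.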