diff --git a/modules/homelab/gitea/default.nix b/modules/homelab/gitea/default.nix
index 497cb4f..9926d9a 100644
--- a/modules/homelab/gitea/default.nix
+++ b/modules/homelab/gitea/default.nix
@@ -100,10 +100,9 @@ in
 networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
 # add to caddy for reverse proxy
- services.caddy.virtualHosts."${cfg.url}" = {
- serverAliases = [ "git.${homelab.public_domain}" ];
+ services.caddy.virtualHosts."git.${homelab.public_domain}" = {
+ #serverAliases = [ "git.${homelab.public_domain}" ];
 extraConfig = ''
- tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
 reverse_proxy localhost:${toString cfg.port} {
 }
 '';
diff --git a/modules/homelab/gitea/default.nix.bak b/modules/homelab/gitea/default.nix.bak
new file mode 100644
index 0000000..497cb4f
--- /dev/null
+++ b/modules/homelab/gitea/default.nix.bak
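Review bot: The rewritten virtual host serves only `git.${homelab.public_domain}`, so `cfg.url` (defaulting to the `base_domain` name that Gitea's `LOCAL_ROOT_URL` presumably points at) is no longer served by Caddy at all and the `url` option becomes dead. Rather than keeping the commented-out `#serverAliases` line, either serve both names with `serverAliases = [ cfg.url ];` or remove the `url` option so the intent is explicit. Dropping the `tls` directive hands certificate issuance to Caddy's automatic HTTPS, which suits the public name but not an internal `.lan` alias, and it likely leaves the `ssl_blakedheld_crt`/`ssl_blakedheld_key` sops secrets unreferenced by this module; the comment above the block should record that, e.g. `# public name only; TLS via Caddy automatic HTTPS`. The enclosing `config = lib.mkIf cfg.enable {` attribute set starts and ends outside this hunk.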
@@ -0,0 +1,133 @@
+{ pkgs, config, lib, ... }:
+
+let
+ service = "gitea";
+ cfg = config.homelab.${service};
+ sec = config.sops.secrets;
+ homelab = config.homelab;
+in
+{
+ options.homelab.${service} = {
+ enable = lib.mkEnableOption "enables ${service}";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7703;
+ description = "set port for ${service} (default: ${toString cfg.port}";
+ };
+ ssh_port = lib.mkOption {
+ type = lib.types.int;
+ default = 7567;
+ description = "set port for ${service} (default: ${toString cfg.port}";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "git.${homelab.base_domain}";
+ description = "set domain for ${service}";
+ };
+ data_dir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/${service}";
+ description = "set data directory for ${service}";
+ };
+ ids = lib.mkOption {
+ type = lib.types.int;
+ default = cfg.port;
+ description = "set uid and pid of ${service} user (matches port by default)";
+ };
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for ${service}";
+ };
+ motd = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = service;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare ${service} group
+ users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+ # declare ${service} user
+ users.users.${service} = {
+ description = lib.mkForce "${service} server user";
+ uid = lib.mkForce cfg.ids;
+ isSystemUser = true;
+ shell = pkgs.bash;
+ home = cfg.data_dir;
+ createHome = true;
+ group = service;
+ extraGroups = [];
+ };
+
+ # declare the gitea service
+ services.gitea = {
+ enable = true;
+ user = "gitea";
+ group = "gitea";
+ stateDir = cfg.data_dir;
+ appName = "gitea";
+ settings = {
+ server = {
+ ROOT_URL = "https://git.blakedheld.xyz";
+ LOCAL_ROOT_URL = "https://git.snowbelle.lan";
+ DOMAIN = "git.blakedheld.xyz";
+ HTTP_PORT = cfg.port;
+ SSH_PORT = cfg.ssh_port;
+ START_SSH_SERVER = true;
+ ENABLE_PUSH_CREATE_USER = true;
+ ALLOW_LOCALNETWORKS = true;
+ ALLOWED_DOMAINS = "10.10.0.10";
+ SKIP_TLS_VERIFY = true;
+
+ };
+ };
+ database = {
+ passwordFile = "${toString config.sops.secrets."gitea_database_password".path}";
+ };
+ };
+
+ # override umask to make permissions work out
+ systemd.services.${service}.serviceConfig = {
+ UMask = lib.mkForce "0007";
+ };
+
+ # open firewall
+ networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
+
+ # add to caddy for reverse proxy
+ services.caddy.virtualHosts."${cfg.url}" = {
+ serverAliases = [ "git.${homelab.public_domain}" ];
+ extraConfig = ''
+ tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
+ reverse_proxy localhost:${toString cfg.port} {
+ }
+ '';
+ };
+
+ # add to glance
+ homelab.glance.links.services = [{
+ title = service;
+ url = "https://git.${homelab.public_domain}";
+ error-url = "http://${homelab.host_ip}:${toString cfg.port}";
+ check-url = "http://${homelab.host_ip}:${toString cfg.port}";
+ icon = "di:${service}"; }];
+
+ # manage secrets with sops
+ sops.secrets = {
+ "${service}_database_password" = {
+ owner = service;
+ group = service;
+ };
+ };
+
+ # add to backups
+ homelab.backups.baks = {
+ ${service} = { paths = [ cfg.data_dir ]; };
+ };
+ };
+}
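Review bot: `default.nix.bak` is a full copy of the previous module committed into the tree; it will drift from `default.nix`, and the retired `tls`/`serverAliases` lines it preserves are already in git history, so the file should be dropped from the commit. While it is here, the `services.gitea.settings.server` block is worth re-checking in the live module, where it presumably survives unchanged: `ALLOW_LOCALNETWORKS`, `ALLOWED_DOMAINS` and `SKIP_TLS_VERIFY` are, to my knowledge, `[migrations]` keys and `ENABLE_PUSH_CREATE_USER` a `[repository]` key, so placed under `[server]` they are likely inert — confirm against the generated app.ini. If they are moved to their proper sections, `SKIP_TLS_VERIFY = true;` then takes effect and disables certificate validation for Gitea's outbound migration fetches, which needs either a justifying comment such as `# TODO: only needed for the self-signed LAN host; drop once it has a trusted cert` or removal. `ROOT_URL` and `DOMAIN` are also hard-coded as `git.blakedheld.xyz` rather than derived from `homelab.public_domain`, so they can silently diverge from the Caddy virtual host.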