diff --git a/roles/server/default.nix b/roles/server/default.nix
index d5a0970..e75390f 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -14,5 +14,6 @@
 ./beep.nix
 ./wireguard.nix
 ./tailscale.nix
+ ./traefik.nix
 ];
 }
diff --git a/roles/server/gitea.nix b/roles/server/gitea.nix
index 40c8cb9..6cbac30 100644
--- a/roles/server/gitea.nix
+++ b/roles/server/gitea.nix
@@ -9,11 +9,32 @@
 server = {
 #server.SSH_PORT = 69;
 DISABLE_REGISTRATION = lib.mkDefault true;
- ROOT_URL = "http://everest.local:3000";
+ ROOT_URL = "http://everest/gitea/";
 };
 };
 };
- networking.firewall = {
- allowedTCPPorts = [ 3000 ];
+ # Set up traefik as the reverse proxy for Gitea
+ services.traefik = {
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ /*
+ Gitea works best as a subdomain, but I do not have a dns server (yet),
+ and since tailscale doesn't support adding subdomains with MagicDNS I'll
+ just put it in a subpath for now
+ */
+ gitea-subpath = {
+ middlewares = [ "gitea-strip-prefix" ];
+ rule = "PathPrefix(`/gitea`)";
+ service = "gitea";
+ };
+ };
+ services.gitea.loadBalancer.servers = [
+ { url = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}"; }
+ ];
+ # Gitea freaks out if you don't remove the subpath it's being proxied from
+ middlewares.gitea-strip-prefix.stripprefix.prefixes = "/gitea";
+ };
+ };
 };
 }
diff --git a/roles/server/traefik.nix b/roles/server/traefik.nix
new file mode 100644
index 0000000..c2b9442
--- /dev/null
+++ b/roles/server/traefik.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ # Enable the web ui
+ api.insecure = true;
+ api.dashboard = true;
+ entryPoints = {
+ http = { address = ":80"; };
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 8080 ];
+}
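Review bot: Gitea keeps listening on its default address after this change, because the hunk only removes the firewall rule for port 3000 and sets no `HTTP_ADDR` in the visible part of the `server` block (the settings block starts outside the hunk, so it may be set there). Since the load balancer targets `http://localhost:…`, binding Gitea to loopback makes traefik the only path to it, even on interfaces the firewall trusts: `HTTP_ADDR = "127.0.0.1";`. Separately, `ROOT_URL` stays on plain `http://`, so logins and session cookies are protected only while the traffic rides the tailnet. That matters here because traefik.nix in this same commit opens port 80 in the global firewall list.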
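Review bot: `api.insecure = true` serves the traefik API and dashboard without authentication on the internal entry point at port 8080, and `allowedTCPPorts = [ 80 8080 ]` opens that port on every interface rather than only the tailnet. Anyone who can reach the host on that port can then read the full routing configuration. Drop 8080 from the global list with `networking.firewall.allowedTCPPorts = [ 80 ];`. If the dashboard is needed, either allow the port only on the tailscale interface (`networking.firewall.interfaces.<tailscale-if>.allowedTCPPorts = [ 8080 ];`) or set `api.insecure = false;` and publish it through a router on `api@internal` behind an auth middleware. The comment `# Enable the web ui` would say more as `# Dashboard/API are unauthenticated in insecure mode; keep port 8080 off untrusted networks`.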