diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index aa4a52b..4068c68 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -65,8 +65,6 @@
 "run_list": [
 "recipe[kosmos-base]",
 "recipe[kosmos_kvm::host]",
-"recipe[kosmos_discourse::nginx]",
-"recipe[kosmos_gitea::nginx]",
-"recipe[kosmos_drone::nginx]"
+"role[nginx_proxy]"
 ]
-}
\ No newline at end of file
+}
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
new file mode 100644
index 0000000..0c94bc8
--- /dev/null
+++ b/roles/nginx_proxy.rb
@@ -0,0 +1,13 @@
+name "nginx_proxy"
+
+default_run_list = %w(
+ kosmos_discourse::nginx
+ kosmos_gitea::nginx
+ kosmos_drone::nginx
+)
+
+env_run_lists(
+ '_default' => default_run_list,
+ 'development' => [],
+ 'production' => default_run_list
+)
diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb
index 787e010..8df676f 100644
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -55,9 +55,24 @@ systemd_unit "drone.service" do
 action [:create, :enable, :start]
 end
 
+nginx_proxy_ip_addresses = []
+search(:node, "role:nginx_proxy").each do |node|
+ nginx_proxy_ip_addresses << node["knife_zero"]["host"]
+end
+
+nginx_proxy_ip_addresses.each do |ip_address|
+ IPAddr.new ip_address
+ hostsfile_entry ip_address do
+ hostname 'gitea.kosmos.org'
+ action :create
+ end
+rescue IPAddr::InvalidAddressError
+ next
+end
+
 firewall_rule 'drone' do
 port [node["kosmos_drone"]["upstream_port"]]
-source "10.1.1.0/24"
+source "10.1.1.0/24" # TODO only allow nginx proxy IPs
 protocol :tcp
 command :allow
 end
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index eebab81..9f35e27 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
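Review bot: `'development' => []` in `env_run_lists` leaves a development node with `role[nginx_proxy]` in its run list carrying the role while running none of the three nginx recipes, so the `search(:node, "role:nginx_proxy")` calls this commit adds to the drone and gitea recipes will presumably still match that node and trust its `knife_zero.host`. If only nodes actually running the proxy should be trusted, either scope those searches to the environment, e.g. `search(:node, "role:nginx_proxy AND chef_environment:#{node.chef_environment}")`, or drop the development override and keep the role out of development run lists altogether. A one-line comment above `env_run_lists`, `# development: proxy recipes are skipped, but the role still tags the node for role: searches`, would make the trade-off visible to the next reader.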
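Review bot: The `rescue IPAddr::InvalidAddressError` / `next` in the new `nginx_proxy_ip_addresses.each` loop silently drops any `knife_zero.host` that is not a bare IP address, so the `gitea.kosmos.org` override simply vanishes from /etc/hosts on that converge with nothing in the run log; emit `Chef::Log.warn("kosmos_drone: skipping nginx_proxy host #{ip_address.inspect}, not an IP address")` before `next`. `IPAddr.new` also accepts CIDR notation such as `10.1.1.5/24`, which passes the check and is then written to /etc/hosts as a broken entry; `raise IPAddr::InvalidAddressError unless IPAddr.new(ip_address).to_s == ip_address` rejects it (at the cost of also rejecting non-canonical IPv6 spellings). Since the validated proxy list now exists in this recipe, the `# TODO only allow nginx proxy IPs` on `firewall_rule 'drone'` could be resolved by emitting one rule per validated address and keeping the `10.1.1.0/24` fallback only when the search returns nothing (first converge before the proxy node is registered). That narrowing assumes `knife_zero.host` is the proxy's 10.1.1.0/24 address rather than whatever address knife-zero used to SSH in, which is not established by this hunk and is worth confirming first.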
@@ -60,6 +60,27 @@ directory config_directory do
 mode "0750"
 end
 
+nginx_proxy_ip_addresses = []
+search(:node, "role:nginx_proxy").each do |node|
+ nginx_proxy_ip_addresses << node["knife_zero"]["host"]
+end
+
+node.default["kosmos_gitea"]["config"] = {
+ "webhook": {
+ "allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
+ }
+}
+
+nginx_proxy_ip_addresses.each do |ip_address|
+ IPAddr.new ip_address
+ hostsfile_entry ip_address do
+ hostname 'drone.kosmos.org'
+ action :create
+ end
+rescue IPAddr::InvalidAddressError
+ next
+end
+
 template "#{config_directory}/app.ini" do
 source "app.ini.erb"
 owner "git"
@@ -79,7 +100,7 @@ template "#{config_directory}/app.ini" do
 smtp_host: smtp_credentials["relayhost"],
 smtp_user: smtp_credentials["user_name"],
 smtp_password: smtp_credentials["password"],
-config: node["kosmos_gitea"]["config"]
+config: node.default["kosmos_gitea"]["config"]
 notifies :restart, "service[gitea]", :delayed
 end
 
@@ -109,7 +130,7 @@ end
 
 firewall_rule 'gitea' do
 port [node["kosmos_gitea"]["port"]]
-source "10.1.1.0/24"
+source "10.1.1.0/24" # TODO only allow nginx proxy IPs
 protocol :tcp
 command :allow
 end
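Review bot: `node.default["kosmos_gitea"]["config"] = { ... }` assigns a whole new hash at the default level, which replaces any `kosmos_gitea.config` defaults the cookbook's attributes file may already define (not visible here), and the literal mixes a symbol key (`"webhook":`) with a string key (`"allowed_host_list" =>`), relying on Chef's attribute mash to normalise them. Setting only the key this recipe owns keeps everything else intact: `node.default["kosmos_gitea"]["config"]["webhook"]["allowed_host_list"] = ["external", *nginx_proxy_ip_addresses].join(",")`. Building the value from an array also avoids the trailing-comma string `external,` when the `role:nginx_proxy` search returns nothing. Note that the join happens before the `IPAddr` validation in the loop below it, so a non-IP `knife_zero.host` that the hosts-file loop skips still lands in Gitea's webhook allow list; if only IP addresses are meant to be allowed there, filter the array before joining. The `template` resource this hunk ends in continues past the hunk.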
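Review bot: `config: node.default["kosmos_gitea"]["config"]` reads only the default precedence level, so any `kosmos_gitea.config` value set at normal or override level, or via a role or environment, no longer reaches `app.ini.erb`. Unless that is intended, keep the merged read `config: node["kosmos_gitea"]["config"]`; it already sees the default-level `webhook` entry the recipe sets earlier, since merged reads include defaults. The `template` resource this line belongs to starts before the hunk.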