diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index 89bcc85..8e02a66 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -19,6 +19,7 @@
 "kosmos-base::default",
 "kosmos_postgresql::primary",
 "kosmos_postgresql::firewall",
+ "kosmos_gitea::pg_db",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 58ef4b7..9124bc5 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,4 +3,5 @@ name "postgresql_primary"
 run_list %w(
 kosmos_postgresql::primary
 kosmos_postgresql::firewall
+ kosmos_gitea::pg_db
 )
diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb
index 7a6b5d0..0495d7e 100644
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,9 +1,10 @@
-gitea_version = "1.16.1"
+gitea_version = "1.16.3"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "f03f3a3c4dccc2219351cde5c9af372715b2ec3e88a821779702bc6f38084c97"
+node.default["kosmos_gitea"]["binary_checksum"] = "626c7da554efcfd3abd88b0355e3adf55d7f0941a01e058b2d4f5923d0d5b7c3"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
+node.default["kosmos_gitea"]["port"] = 3000
 node.default["kosmos_gitea"]["config"] = {
 "webhook": {
diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb
index 6b690ce..27947c3 100644
--- a/site-cookbooks/kosmos_gitea/metadata.rb
+++ b/site-cookbooks/kosmos_gitea/metadata.rb
@@ -19,6 +19,7 @@ chef_version '>= 14.0'
 #
 # source_url 'https://github.com//kosmos_gitea'
+depends "firewall"
 depends "kosmos-nginx"
 depends "kosmos_postgresql"
 depends "backup"
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index c059fa3..eebab81 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -3,9 +3,6 @@
 # Recipe:: default
 #
-include_recipe "kosmos-nginx"
-
-domain = node["kosmos_gitea"]["nginx"]["domain"]
 working_directory = node["kosmos_gitea"]["working_directory"]
 git_home_directory = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -63,15 +60,6 @@ directory config_directory do
 mode "0750"
 end
-# Copy the self-signed root certificate to the system certificate store. Gitea
-# will find it there automatically
-postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
-root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt"
-file root_cert_path do
- content postgresql_data_bag_item['ssl_root_cert']
- mode "0644"
-end
-
 template "#{config_directory}/app.ini" do
 source "app.ini.erb"
 owner "git"
@@ -119,20 +107,9 @@ service "gitea" do
 action [:enable, :start]
 end
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
- source "nginx_conf.erb"
- owner 'www-data'
- mode 0640
- variables server_name: domain,
- ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
- upstream_port: 3000
-
- notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'gitea' do
+ port [node["kosmos_gitea"]["port"]]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
 end
-
-nginx_site domain do
- action :enable
-end
-
-nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx.rb b/site-cookbooks/kosmos_gitea/recipes/nginx.rb
new file mode 100644
index 0000000..20bd979
--- /dev/null
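Review bot: With the `file root_cert_path` resource removed, nothing left in this recipe places the PostgreSQL root certificate at `/etc/ssl/certs/root.kosmos.org.crt` on the Gitea host, and the diff does not show where that responsibility moved (the new `kosmos_gitea::pg_db` recipe is added to the postgres node's run list, not the Gitea node's). If the database connection in app.ini uses `sslmode=verify-ca`/`verify-full` a fresh Gitea node will fail to connect; if it uses `sslmode=require` it will silently stop verifying the server identity — which case applies is outside this hunk, so please confirm. Either keep the resource or document the new source of the certificate next to the app.ini template, e.g. `# PostgreSQL root cert is installed by kosmos_postgresql on this host; the DB URL relies on it for verification (TODO confirm sslmode)`.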
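Review bot: The new `firewall_rule 'gitea'` hard-codes `source "10.1.1.0/24"` while the port already comes from `node["kosmos_gitea"]["port"]`; the allowed network should be an attribute too, `source node["kosmos_gitea"]["firewall"]["allowed_source"]`, so the proxy network can change without editing the recipe. More importantly, now that TLS termination has left this host, port 3000 carries plaintext Gitea traffic from the proxy, so the `HTTP_ADDR` set in the app.ini template (outside this hunk) should bind the private interface rather than `0.0.0.0`, leaving the firewall as a second layer instead of the only one. A short comment above the rule would make the intent clear: `# Only the internal proxy network may reach Gitea's HTTP listener; TLS is terminated by kosmos_gitea::nginx on the proxy host`.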
+++ b/site-cookbooks/kosmos_gitea/recipes/nginx.rb
@@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos_gitea
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-nginx"
+
+domain = node["kosmos_gitea"]["nginx"]["domain"]
+
+# upstream_ip_addresses = []
+# search(:node, "role:gitea").each do |n|
+# upstream_ip_addresses << n["knife_zero"]["host"]
+# end
+begin
+ upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
+rescue
+ Chef::Log.warn('No server with "gitea" role. Stopping here.')
+ return
+end
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source "nginx_conf_web.erb"
+ owner 'www-data'
+ mode 0640
+ variables server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ upstream_host: upstream_ip_address,
+ upstream_port: node["kosmos_gitea"]["port"]
+
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
+
+template "#{node['nginx']['dir']}/streams-available/ssh" do
+ source "nginx_conf_ssh.erb"
+ owner 'www-data'
+ mode 0640
+ variables domain: domain,
+ upstream_host: upstream_ip_address
+
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_stream "ssh" do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 1d43c86..ce9ae23 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -44,10 +44,6 @@ FROM = gitea@kosmos.org
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-[oauth2]
-JWT_SECRET = <%= @jwt_secret %>
-JWT_SIGNING_ALGORITHM = HS256
-
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
 INSTALL_LOCK = true
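Review bot: The bare `rescue` around the `search` call turns every failure — a Chef server or search error, a gitea node without the `knife_zero` attribute — into the "No server with gitea role" warning and a silent return, so the vhost and the SSH stream on the proxy host go unmanaged for that run with a misleading log line; only the empty-result case should be a soft stop, anything else should fail the converge. Separately, the streams-available template receives `domain: domain` but the new nginx_conf_ssh.erb only reads `@upstream_host`, so that variable is dead and can be dropped. Suggested replacement for the begin/rescue block:
```ruby
# Resolve the upstream from the node carrying the gitea role. Only an empty
# search result is a soft stop; any other error should fail the run loudly.
gitea_node = search(:node, "role:gitea").first
if gitea_node.nil?
  Chef::Log.warn('No server with "gitea" role. Stopping here.')
  return
end
upstream_ip_address = gitea_node["knife_zero"]["host"]
# … unchanged: nginx_certbot_site, vhost template, nginx_site …
```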
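Review bot: Removing `JWT_SECRET` and `JWT_SIGNING_ALGORITHM = HS256` hands the `[oauth2]` signing key to Gitea's default behaviour, and because app.ini is regenerated from this template on every Chef run, anything Gitea writes back into the file is wiped again on the next converge — depending on the version's default this may rotate the signing key and invalidate outstanding OAuth2 and access tokens. If the intent is to rely on Gitea's generated key file under `APP_DATA_PATH`, confirm that directory is covered by the backup and document it where the section used to be: `; [oauth2] signing key is generated by Gitea under APP_DATA_PATH and must survive redeploys (TODO confirm)`. If the recipe still passes `jwt_secret:` in the template variables (outside this hunk), that value is now unused and should be removed too.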
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
new file mode 100644
index 0000000..085f7ff
--- /dev/null
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
@@ -0,0 +1,8 @@
+upstream _gitea_ssh {
+ server <%= @upstream_host %>:22;
+}
+
+server {
+ listen 148.251.83.201:22;
+ proxy_pass _gitea_ssh;
+}
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
similarity index 82%
rename from site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
rename to site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
index 7965156..1476976 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@@ -1,6 +1,6 @@
 # Generated by Chef
-upstream _gitea {
- server localhost:<%= @upstream_port %>;
+upstream _gitea_web {
+ server <%= @upstream_host %>:<%= @upstream_port %>;
 }
 server {
@@ -26,14 +26,14 @@ server {
 location ~ ^/(avatars|repo-avatars)/.*$ {
 proxy_buffers 1024 8k;
- proxy_pass http://_gitea;
+ proxy_pass http://_gitea_web;
 proxy_http_version 1.1;
 expires 30d;
 }
 location / {
 proxy_buffers 1024 8k;
- proxy_pass http://_gitea;
+ proxy_pass http://_gitea_web;
 proxy_http_version 1.1;
 }
 }
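Review bot: `listen 148.251.83.201:22;` hard-codes a public address in the template and puts nginx on port 22 of the proxy host, which collides with the host's own sshd unless its `ListenAddress` has been moved to another address or port; nothing in the diff shows that, so a reload could fail with "address already in use" and quietly leave the stream down. Feed the address in from an attribute the same way the upstream is, `listen <%= @listen_address %>:22;` with `listen_address: node["kosmos_gitea"]["nginx"]["ssh_listen_address"]` in the recipe's `variables`, and note the constraint in the template: `# nginx owns port 22 on this address; the host sshd must listen elsewhere`. Also, a plain TCP relay hides the client address from the Gitea host's sshd, so any per-source limits there (fail2ban, MaxStartups) will only ever see the proxy; a `limit_conn` on this stream block is where that rate limiting now has to live.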
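Review bot: `server <%= @upstream_host %>:<%= @upstream_port %>;` together with `proxy_pass http://_gitea_web` means the hop from the proxy to Gitea now crosses the network in plaintext rather than loopback, which is acceptable only if the upstream address is on a private segment the firewall rule describes; that should be stated in the template, `# upstream is reached over the internal network; traffic is unencrypted past this host`. Since the upstream is no longer localhost, check that the server block (lines 7–25, outside this hunk) sets `proxy_set_header Host`, `X-Real-IP` and `X-Forwarded-For`, otherwise Gitea's logs and any per-IP controls see only the proxy's address.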