diff --git a/data_bags/credentials/gitea.json b/data_bags/credentials/gitea.json
index 92f9d8d..f8431b2 100644
--- a/data_bags/credentials/gitea.json
+++ b/data_bags/credentials/gitea.json
@@ -1,30 +1,30 @@
 {
 "id": "gitea",
 "jwt_secret": {
- "encrypted_data": "qHUcKXEhYWXZziyiI9URzLiyIRVWlVJmAuOyBhTe/xogUzURgCmbcgeEfOkb\n2GT2E2Qot5MDdV2+PgjwkyY=\n",
- "iv": "LCl4UrlOrhcaHgaW\n",
- "auth_tag": "UxyCH/obwVyR6fpIdmr/KA==\n",
+ "encrypted_data": "jTNhXpJ1mhUXjfRZ3OAR8lrGgxyyob44kN0TyNec5zO2Wb46hJgYMWwtKlZ9\nohNexOKV+wXCjZNeVw0kNgI=\n",
+ "iv": "NYkJTeTzLilMLptE\n",
+ "auth_tag": "a/PuBmOmhyCx0ooepz7n1w==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "internal_token": {
- "encrypted_data": "lIeZaN6Dx6Jq+/1m0CzBzDa+/gGE+lA0CfzdMn5c0cKVmISIRfdxDE1PfawL\nFm7zvktC1DdlHnCLPKK03U6Lzy2VWRIn6HCZC8IbeFzf7zmWvHrpjOw5pEqA\nGdQmLZ2IDHcs7VcM7Xml0olH9cvccFCAGahdp5wrwB+14w==\n",
- "iv": "ZPl9OJkrJAgneqvW\n",
- "auth_tag": "QwqSj0q+olo811kiN+FbgQ==\n",
+ "encrypted_data": "HbyEfyrupc06vGHhSqKUUT8NAIrlvbK4LbMdqxmJMgeltvDItqGgFa0ZdD51\n0djRqQMrRZ4MEdqVTFSBL+8QVdriKeUcLcummp52Sp9tYZKSQKympJFx3fsS\n49rBJhDKRlc3+jUpejJu4jHY4xR2MMNvWWqkkufTvZHhzg==\n",
+ "iv": "DUSCP7Q3dgjyYXwl\n",
+ "auth_tag": "HkPLLvY8uVNK871OsMshcg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "secret_key": {
- "encrypted_data": "z4nxVYGEo/hqSHZ4qa5s+a9wMHUOnms5cOsSd07Nuth8YntyS3KOKfhhjvRe\n5oSDShD6IPIWGjDI481HbiJkLFufyQGHV8oR5HDvel/dKNCrokw=\n",
- "iv": "xF8mlqQQVC5Senbt\n",
- "auth_tag": "Un/oE3NxQMtpJQUutH19uw==\n",
+ "encrypted_data": "bvxdPokzagjZkdGG37hbWBi6ywu+1UuOrlJJ4p5zOG03b4PN4N40ztO4fWr5\ncMHfO7FER779fRc+tA2H7L1SKqSvlJThgk7X8R7AGGQmrQy7Jvc=\n",
+ "iv": "0uTGeUjnbvnW2WGp\n",
+ "auth_tag": "Dzfb3Jiim5eYWfwpN3HO5Q==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "postgresql_password": {
- "encrypted_data": "qflAQFt3eMkODtNP86zjH77Y3fRvc3BWXeV0Zra4Zezkaa6vsZOWePaqSg==\n",
- "iv": "SrpWet9nSiEeRMma\n",
- "auth_tag": "SAvgZ5pmwWDsx3uud1EeTg==\n",
+ "encrypted_data": "yv2gQYUxMTa7eeC0GJqE+fujOvM9GIwj/OL/L1wvn7uNTjJE97Xt1gYXRw==\n",
+ "iv": "F6yrDSav9EShCf2N\n",
+ "auth_tag": "08b4vT71g41qu6A6jZ6opw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index ace8d73..dea7894 100644
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -47,6 +47,7 @@
 "kosmos-ejabberd::default",
 "kosmos-ejabberd::letsencrypt",
 "kosmos-ejabberd::backup",
+ "kosmos_gitea::pg_db",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -108,8 +109,7 @@
 "kosmos-base::letsencrypt",
 "git::default",
 "git::package",
- "build-essential::default",
- "poise-git::default"
+ "build-essential::default"
 ],
 "platform": "ubuntu",
 "platform_version": "18.04",
@@ -134,6 +134,7 @@
 "recipe[kosmos-mediawiki]",
 "recipe[kosmos-btcpayserver::proxy]",
 "role[mastodon]",
- "role[ejabberd]"
+ "role[ejabberd]",
+ "recipe[kosmos_gitea::pg_db]"
 ]
 }
\ No newline at end of file
diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json
index 0a5fe83..abd2780 100644
--- a/nodes/centaurus.kosmos.org.json
+++ b/nodes/centaurus.kosmos.org.json
@@ -8,16 +8,20 @@
 "automatic": {
 "fqdn": "centaurus.kosmos.org",
 "os": "linux",
- "os_version": "4.15.0-96-generic",
+ "os_version": "4.15.0-101-generic",
 "hostname": "centaurus",
 "ipaddress": "78.46.59.98",
 "roles": [
- "postgresql_replica"
+ "postgresql_replica",
+ "gitea"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
 "kosmos-postgresql::replica",
+ "kosmos_gitea",
+ "kosmos_gitea::default",
+ "kosmos_gitea::backup",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -33,7 +37,19 @@
 "hostname::default",
 "firewall::default",
 "chef-sugar::default",
- "build-essential::default"
+ "kosmos-nginx::default",
+ "nginx::default",
+ "nginx::package",
+ "nginx::ohai_plugin",
+ "nginx::repo",
+ "nginx::commons",
+ "nginx::commons_dir",
+ "nginx::commons_script",
+ "nginx::commons_conf",
+ "backup::default",
+ "logrotate::default",
+ "build-essential::default",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "18.04",
@@ -51,6 +67,7 @@
 },
 "run_list": [
 "recipe[kosmos-base]",
- "role[postgresql_replica]"
+ "role[postgresql_replica]",
+ "role[gitea]"
 ]
 }
\ No newline at end of file
diff --git a/roles/gitea.rb b/roles/gitea.rb
new file mode 100644
index 0000000..b6f5069
--- /dev/null
+++ b/roles/gitea.rb
@@ -0,0 +1,6 @@
+name "gitea"
+
+run_list %w(
+ kosmos_gitea::default
+ kosmos_gitea::backup
+)
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 22bfcdc..e159833 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -42,6 +42,9 @@ postgresql_server = postgresql_primary_node[:ipaddress]
 # PostgreSQL is on the same server, connect through localhost
 postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
 
+# Dependency
+package "git"
+
 user "git" do
 manage_home true
 home "/home/git"
@@ -144,8 +147,7 @@ nginx_site domain do
 action :enable
 end
 
-# Enable when we switch the IP of gitea.kosmos.org
-# nginx_certbot_site domain
+nginx_certbot_site domain unless node.chef_environment == "development"
 
 include_recipe "firewall"
 
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 4597dcc..68b771f 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -31,7 +31,7 @@ SSL_MODE = verify-ca
 PROVIDER = file
 PROVIDER_CONFIG = sessions
 # Enable when TLS is enabled
-# COOKIE_SECURE = true
+COOKIE_SECURE = true
 
 [mailer]
 ENABLED = true
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
index 6dff6f4..a77bc02 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
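Review bot: The new role in roles/gitea.rb carries only `name` and `run_list`, so `knife role show gitea` gives no hint of what the role is for; a one-line `description "Gitea git hosting (kosmos_gitea::default) with backups"` between `name` and `run_list` is the usual convention for Chef roles and costs nothing. The two recipes in the run_list match the ones the centaurus node object picks up in this commit, so the role itself looks consistent.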
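Review bot: The `# Dependency` comment above the new `package "git"` in default.rb (hunk at line 42) does not say what depends on git or why the recipe has to install it itself; andromeda's recipe list shows `git::default`/`git::package` while the visible parts of centaurus's list do not, which is presumably the reason, but the reader should not have to diff node objects to find out. Suggest `# Gitea shells out to the git binary; install it here rather than relying on the git cookbook being in the node's run list`. The recipe continues on both sides of the hunk.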
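Review bot: `COOKIE_SECURE = true` in app.ini.erb is now unconditional, while default.rb (hunk at line 147) only runs `nginx_certbot_site domain` outside the development environment, so a development node that never gets a certificate lands on the plain-HTTP branch of nginx_conf.erb and browsers will not store the Secure session cookie it receives over http — logins will not persist there. Tie the flag to the same condition, `COOKIE_SECURE = <%= node.chef_environment == "development" ? "false" : "true" %>`, or pass the decision in from the recipe as a template variable so both sides cannot drift apart. The `# Enable when TLS is enabled` comment kept directly above the setting is now stale and should be replaced, e.g. `# Session cookie is Secure-only; nginx terminates TLS for this vhost outside development`.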
@@ -4,7 +4,7 @@ upstream _gitea {
 }
 
 server {
-<% if File.exist?(@ssl_cert) && !File.exist?(@ssl_key) -%>
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name <%= @server_name %>;
@@ -16,6 +16,10 @@ server {
 <% else -%>
 listen 80;
 server_name <%= @server_name %>;
+
+ location /.well-known {
+ root "/var/www/<%= @server_name %>";
+ }
 <% end -%>
 
 location / {
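Review bot: The `/.well-known` location added to the plain-HTTP branch is only reachable over IPv4, because that branch has `listen 80;` alone while the TLS branch above listens on both `listen 443 ssl http2;` and `listen [::]:443 ssl http2;`; if gitea.kosmos.org publishes an AAAA record, the ACME HTTP-01 validation triggered by `nginx_certbot_site` may arrive over IPv6 and fail. Adding `listen [::]:80;` beside `listen 80;` keeps the two branches consistent. The port-80 handling of the TLS branch lies outside the hunk, so I cannot tell whether `/.well-known` is also served there once a certificate exists; if it is not, renewals would hit the same gap. The quoted `root "/var/www/<%= @server_name %>";` is valid nginx syntax, but the other directives visible in the template use unquoted values, so consider dropping the quotes for consistency.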