diff --git a/apps/production/gitea/deployment.yaml b/apps/production/gitea/deployment.yaml
index 761d6ff..0fc1cef 100644
--- a/apps/production/gitea/deployment.yaml
+++ b/apps/production/gitea/deployment.yaml
@@ -24,6 +24,21 @@ spec:
               value: "1000"
             - name: USER_GID
               value: "1000"
+            - name: ROOT_URL
+              value: "https://scm.bstein.dev"
+            - name: DB_TYPE
+              value: "postgres"
+            - name: DB_HOST
+              value: "postgres.postgres.svc.cluster.local:5432"  # Adjust if needed; use full DNS if cross-namespace.
+            - name: DB_NAME
+              value: "gitea"
+            - name: DB_USER
+              value: "gitea"
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                name: gitea-db-secret
+                key: password
           volumeMounts:
             - name: gitea-data
               mountPath: /data
diff --git a/apps/production/gitea/ingress.yaml b/apps/production/gitea/ingress.yaml
new file mode 100644
index 0000000..e211916
--- /dev/null
+++ b/apps/production/gitea/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+  namespace: gitea
+  annotations:
+    # If you use cert-manager for TLS:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  tls:
+    - hosts:
+        - scm.bstein.dev
+      secretName: gitea-tls
+  rules:
+    - host: scm.bstein.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea
+                port:
+                  number: 3000