diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 2973914..843b8d6 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -22,7 +22,7 @@ resource "authentik_group" "ci" {
 }
 resource "authentik_group" "admins" {
- name = "authentik Admins"
+ name = "authentik Admins"
 is_superuser = true
 }
@@ -35,9 +35,9 @@ module "argo-workflows" {
 app_access_group_id = authentik_group.ci.id
 redirect_uris = ["https://ci.fuku/oauth2/callback"]
 app_icon = "https://argoproj.github.io/icons/icon-512x512.png"
- app_description = "Kubernetes-native workflow engine supporting DAG and step-based workflows"
- app_publisher = "Argo Project"
- app_url = "https://ci.fuku"
+ app_description = "Kubernetes-native workflow engine supporting DAG and step-based workflows"
+ app_publisher = "Argo Project"
+ app_url = "https://ci.fuku"
 }
 module "firezone" {
@@ -49,8 +49,23 @@ module "firezone" {
 app_access_group_id = authentik_group.admins.id
 redirect_uris = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
 app_icon = "https://www.firezone.dev/icon.svg"
- app_description = "VPN"
- app_publisher = "Firezone"
- app_url = "https://fz.fukurokuju.dev"
- sub_mode = "hashed_user_id"
-}
\ No newline at end of file
+ app_description = "VPN"
+ app_publisher = "Firezone"
+ app_url = "https://fz.fukurokuju.dev"
+ sub_mode = "hashed_user_id"
+}
+
+module "gitea" {
+ source = "../modules/authentik"
+ app_name = "Gitea"
+ app_slug = "gitea"
+ client_id = var.gitea_client_id
+ client_secret = var.gitea_client_secret
+ app_access_group_id = ""
+ redirect_uris = ["https://git.roboces.dev/user/oauth2/authentik/callback"]
+ app_icon = "https://about.gitea.com/gitea.svg"
+ app_description = "Git with a cup of Tea 🍵"
+ app_publisher = "Gitea"
+ app_url = "https://git.roboces.dev/user/oauth2/authentik"
+ sub_mode = "hashed_user_id"
+}
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
index 29cff53..ae38be8 100644
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@@ -4,3 +4,5 @@ TF_VAR_argo_workflows_client_secret=
 TF_VAR_firezone_client_id=
 TF_VAR_firezone_client_secret=
+ TF_VAR_gitea_client_id=
+ TF_VAR_gitea_client_secret=
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index e9ff398..21b9ed0 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -17,3 +17,13 @@ variable "firezone_client_secret" {
 description = "Client secret"
 type = string
 }
+
+variable "gitea_client_id" {
+ description = "Client ID"
+ type = string
+}
+
+variable "gitea_client_secret" {
+ description = "Client secret"
+ type = string
+}
diff --git a/tofu/modules/authentik/main.tf b/tofu/modules/authentik/main.tf
index f2232b0..dd36b32 100644
--- a/tofu/modules/authentik/main.tf
+++ b/tofu/modules/authentik/main.tf
@@ -42,8 +42,10 @@ resource "authentik_application" "app" {
 meta_publisher = var.app_publisher
 meta_launch_url = var.app_url
 }
+
 resource "authentik_policy_binding" "app_access" {
 target = authentik_application.app.uuid
 group = var.app_access_group_id
 order = 0
+ count = var.app_access_group_id != "" ? 1 : 0
 }
\ No newline at end of file
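Review bot: `app_access_group_id = ""` in the new `module "gitea"` block means the module (per the change in tofu/modules/authentik/main.tf in this same commit) creates no `authentik_policy_binding` for the Gitea application at all, whereas argo-workflows is bound to the ci group and firezone to the admins group. As far as I recall, authentik grants access to an application that has no policy bound to every authenticated user, so this would make Gitea reachable by any account in the instance; that may be intended for a Git forge, but it is a deliberate security decision that should be visible on the line, e.g. `app_access_group_id = "" # intentionally unrestricted: no policy binding, every authentik user may sign in`. If it is not intended, pass a group id as the other two modules do. The first two hunks in this file only realign whitespace.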
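Review bot: The new `variable "gitea_client_secret"` is declared without `sensitive = true`, so its value is echoed in clear text in `tofu plan`/`apply` output and in any CI log that captures it, even though it is a credential fed in from `TF_VAR_gitea_client_secret`. Add `sensitive   = true` to the block; the context lines show the existing `firezone_client_secret` has the same gap, but that is outside this change. The `gitea_client_id` variable can stay as it is, since a client id is not a secret.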
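Review bot: Adding `count` to `authentik_policy_binding.app_access` changes its state address from `authentik_policy_binding.app_access` to `authentik_policy_binding.app_access[0]`, so the next apply will plan to destroy and recreate the binding for every existing caller that passes a group (argo-workflows and firezone in tofu/authentik/main.tf), leaving a window in which those applications have no policy bound — and authentik, as far as I recall, admits every authenticated user to an application with no bindings. A `moved` block inside the module keeps the existing state entries under the new address and avoids the recreate. The count line would also benefit from a comment saying that an empty id deliberately means "no access restriction", since that is the security consequence of the new condition.
```hcl
# … unchanged: authentik_application.app and authentik_policy_binding.app_access …

# Keep existing bindings in state under the indexed address introduced by `count`.
moved {
  from = authentik_policy_binding.app_access
  to   = authentik_policy_binding.app_access[0]
}
```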