diff --git a/hosts/VEGAS/services/git/default.nix b/hosts/VEGAS/services/git/default.nix
deleted file mode 100644
index 6e54144..0000000
--- a/hosts/VEGAS/services/git/default.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ config, lib, tools, ... }:
-with tools.nginx;
-let
- inherit (tools.meta) domain;
-in
-{
- reservePortsFor = [ "gitea" ];
-
- age.secrets = {
- giteaDBPassword = {
- file = ../../../../secrets/gitea-db-credentials.age;
- owner = "git";
- group = "gitea";
- mode = "0400";
- };
- };
-
- services.nginx.virtualHosts = mappers.mapSubdomains {
- git = vhosts.proxy "http://127.0.0.1:${config.portsStr.gitea}";
- };
-
- services.gitea = {
- enable = true;
- appName = "Private Void Gitea";
- httpPort = config.ports.gitea;
- domain = "git";
- rootUrl = "https://git.${domain}";
- disableRegistration = true;
- # TODO: re-enable securely
- ssh.enable = false;
- user = "git";
- log.level = "Warn";
-
- database = {
- createDatabase = false;
- type = "postgres";
- host = "127.0.0.1";
- port = 5432;
- name = "gitea";
- user = "gitea";
- passwordFile = config.age.secrets.giteaDBPassword.path;
- };
-
- # TODO: integrate branding content (css, images) into system closure
- settings.ui = {
- DEFAULT_THEME = "void";
- THEMES = "void";
- };
- };
-
- systemd.services.gitea.after = [ "keycloak.service" ];
-
- users.users.git = {
- description = "Git Service";
- home = config.services.gitea.stateDir;
- useDefaultShell = true;
- group = "gitea";
- isSystemUser = true;
- };
-}
diff --git a/hosts/VEGAS/services/gitlab/default.nix b/hosts/VEGAS/services/gitlab/default.nix
new file mode 100644
index 0000000..3c3fd93
--- /dev/null
+++ b/hosts/VEGAS/services/gitlab/default.nix
@@ -0,0 +1,85 @@
+{ config, lib, tools, ... }:
+
+let
+ inherit (tools.meta) domain adminEmail;
+
+ mkSecret = name: {
+ owner = "gitlab";
+ group = "gitlab";
+ mode = "0400";
+ file = ../../../../secrets/${name}.age;
+ };
+
+ secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
+
+ cfg = config.services.gitlab;
+in
+
+{
+ age.secrets = lib.flip lib.genAttrs mkSecret [
+ "gitlab-initial-root-password"
+ "gitlab-openid-secret"
+ "gitlab-secret-db"
+ "gitlab-secret-jws"
+ "gitlab-secret-otp"
+ "gitlab-secret-secret"
+ ];
+
+ services.gitlab = {
+ enable = true;
+ https = true;
+ host = "git.${domain}";
+ port = 443;
+
+ initialRootEmail = adminEmail;
+
+ statePath = "/srv/storage/private/gitlab/state";
+
+ smtp = {
+ enable = true;
+ inherit domain;
+ };
+
+ initialRootPasswordFile = secrets.gitlab-initial-root-password;
+
+ secrets = with secrets; {
+ dbFile = gitlab-secret-db;
+ jwsFile = gitlab-secret-jws;
+ otpFile = gitlab-secret-otp;
+ secretFile = gitlab-secret-secret;
+ };
+
+ extraConfig = {
+ omniauth = {
+ enabled = true;
+ auto_sign_in_with_provider = "openid_connect";
+ allow_single_sign_on = ["openid_connect"];
+ block_auto_created_users = false;
+ providers = [
+
+ {
+ name = "openid_connect";
+ label = "Private Void Account";
+ args = {
+ name = "openid_connect";
+ scope = ["openid" "profile"];
+ response_type = "code";
+ issuer = "https://login.${domain}/auth/realms/master";
+ discovery = true;
+ client_auth_method = "query";
+ uid_field = "preferred_username";
+ client_options = {
+ identifier = "net.privatevoid.git2";
+ secret = { _secret = secrets.gitlab-openid-secret; };
+ redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
+ };
+ };
+ }
+
+ ];
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 664689b..fa2fc44 100644
--- a/hosts/VEGAS/system.nix
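Review bot: `uid_field = "preferred_username"` binds each GitLab identity to a mutable Keycloak username instead of the stable `sub` claim, so a Keycloak account that is later renamed or re-created under an existing username would inherit that user's GitLab account; unless username reuse is prevented on the IdP side, removing the line to fall back to the default `sub` is the safer binding. Together with `block_auto_created_users = false` and `allow_single_sign_on = ["openid_connect"]`, every account in the realm named by `issuer` gets an active GitLab account on first login, and that realm is Keycloak's `master` administration realm, so a dedicated realm would narrow who qualifies. The deleted Gitea module carried `disableRegistration = true`, while nothing in this file restricts GitLab's own sign-up page, which is presumably meant to be turned off in the instance's sign-up restrictions; a comment recording that expectation would help, e.g. `# local sign-up is expected to be disabled in the admin settings; accounts are auto-created via SSO only`.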
+++ b/hosts/VEGAS/system.nix @@ -22,7 +22,7 @@ ./services/cdn-shield ./services/dns ./services/fbi - ./services/git + ./services/gitlab ./services/hydra ./services/hyprspace ./services/ipfs diff --git a/secrets/gitea-db-credentials.age b/secrets/gitea-db-credentials.age deleted file mode 100644 index 8ec49a3..0000000 --- a/secrets/gitea-db-credentials.age +++ /dev/null @@ -1,14 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 NO562A PM8oVK72FJjSPefR1JV7e9Sti+QMPmNyOWNyjjn1Eyo -jjc6tg7dnwAajhCTO/IH+8sszSP/WbCipuROvwD0Hxk --> ssh-ed25519 5/zT0w cvASi9DkdxdKXSnxWi/mwjlYVz9PtnQqnNFwHr22TR4 -jASmnJsbTIItkRJzgIWmPPAqMziWREjzUpk6WEQG56g --> ssh-ed25519 eDiawA R586/78N4EYagb8c5Ff9wqtOE4QYtU/vKVhOCSn+2RY -ekys4sz2TxUtGH2rSGgXVnHvg4G6maPkYvJd1CiLJ2E --> ssh-ed25519 d3WGuA jj4c320WQiJ/N80fEeLe0GHD1lSnOT8hGLhsL+T8XCg -Mt2cS6+I9vKtczzb+3mWm0MquWigMJIWJaSvh+jhOjA --> Vsn^{"-grease \<`i)T UL]B -pz4ZxTRE5ugg7JkLSTfkmfi4TFfOP+H1pny8rAbThQGXSIX9SxEpFVwhcYqqMkEg -LH5NvQztS+cZYQ0Sr7q666h4H7OKBRFbTmHMWxNdIecP43On ---- nknCOv9z0f8V+PrNTAEGdrxhLeY1nlfuDINbbgPr1Wo -0~Na[gs\!*0r/^`c3g>oɍkv mS \ No newline at end of file diff --git a/secrets/gitlab-initial-root-password.age b/secrets/gitlab-initial-root-password.age new file mode 100644 index 0000000..1f703ff --- /dev/null +++ b/secrets/gitlab-initial-root-password.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4 +ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE +-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk +w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ +-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s +fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8 +-> AOy-grease dju$ xL|5Hh q(A +h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE +Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0 +--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ +ܙj>r|>Q7pdh 357{Z9L $DU$0Y٠3BM@oU_dDݶ5jq/j`6ZiA&Qʡ*Օ:R%+ ɡ \ No newline at end of file 
diff --git a/secrets/gitlab-openid-secret.age b/secrets/gitlab-openid-secret.age new file mode 100644 index 0000000..3a57392 --- /dev/null +++ b/secrets/gitlab-openid-secret.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0 +ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s +-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk +pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU +-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q +4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0 +-> hD-grease q%QV%; &/ +jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw +--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4 +AWee c[ 3myΈ6 g{7rd_7WP':u N \ No newline at end of file diff --git a/secrets/gitlab-secret-db.age b/secrets/gitlab-secret-db.age new file mode 100644 index 0000000..347fe7f Binary files /dev/null and b/secrets/gitlab-secret-db.age differ diff --git a/secrets/gitlab-secret-jws.age b/secrets/gitlab-secret-jws.age new file mode 100644 index 0000000..7b99d4e Binary files /dev/null and b/secrets/gitlab-secret-jws.age differ diff --git a/secrets/gitlab-secret-otp.age b/secrets/gitlab-secret-otp.age new file mode 100644 index 0000000..28e6c7f --- /dev/null +++ b/secrets/gitlab-secret-otp.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0 +J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4 +-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk +yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE +-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk +7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI +-> Q-grease KJL\,Pw& c!aOPX +C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE +xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg +--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo +@# +Q)F:G # gL-k{Td+8܃/-a\O*!^Ry@Z/o~I +[PO've^,?oM]1WFJęB&y yVv_ %Ǐ' \ No newline at end of file 
diff --git a/secrets/gitlab-secret-secret.age b/secrets/gitlab-secret-secret.age
new file mode 100644
index 0000000..0b8f89e
Binary files /dev/null and b/secrets/gitlab-secret-secret.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8375dd0..0b64728 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,7 +7,12 @@ in with hosts;
 "acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
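Review bot: Dropping the `"gitea-db-credentials.age"` entry only stops future re-encryption; the deleted file's contents remain in git history and stay decryptable by every key in `max ++ map systemKeys [ VEGAS ]`. Because the removed Gitea module used `createDatabase = false`, the `gitea` PostgreSQL role and the password held in that secret outlive this commit, so the role should be dropped or its password rotated out of band rather than left as is. The six new entries share one recipient set, which matches the rest of the file.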