diff --git a/ControlPlane.AppHost/AppHost.cs b/ControlPlane.AppHost/AppHost.cs
index 02e8ae1..923c19d 100644
--- a/ControlPlane.AppHost/AppHost.cs
+++ b/ControlPlane.AppHost/AppHost.cs
@@ -31,27 +31,6 @@ var cpPostgres    = builder.AddPostgres("opc-postgres", password: cpPostgresPass
     .WithPgAdmin();
 
 var controlPlaneDb = cpPostgres.AddDatabase("opcdb");
-var giteaDb        = cpPostgres.AddDatabase("giteadb");
-#endregion
-
-#region GITEA
-// Gitea is ControlPlane's code management component — owns its own DB on opc-postgres.
-var gitea = builder.AddContainer("gitea", "gitea/gitea", "latest")
-    .WithHttpEndpoint(port: 3000, targetPort: 3000, name: "http")
-    .WithEndpoint(port: 2222, targetPort: 22, name: "ssh")
-    .WithVolume("clarity-gitea-data", "/data")
-    .WithEnvironment("GITEA__database__DB_TYPE",  "postgres")
-    .WithEnvironment("GITEA__database__HOST",      "host.docker.internal:5433")
-    .WithEnvironment("GITEA__database__NAME",      "giteadb")
-    .WithEnvironment("GITEA__database__USER",      "postgres")
-    .WithEnvironment("GITEA__database__PASSWD",    "controlplane-dev")
-    .WithEnvironment("GITEA__server__DOMAIN",      "opc.clarity.test")
-    .WithEnvironment("GITEA__server__ROOT_URL",    "http://opc.clarity.test")
-    .WithEnvironment("GITEA__server__SSH_DOMAIN",  "opc.clarity.test")
-    .WithEnvironment("GITEA__server__SSH_PORT",    "2222")
-    .WithEnvironment("GITEA__service__DISABLE_REGISTRATION", "true")
-    .WaitFor(giteaDb)
-    .WithLifetime(ContainerLifetime.Persistent);
 #endregion
 
 #region RABBITMQ
@@ -67,7 +46,6 @@ var api = builder.AddProject<Projects.ControlPlane_Api>("controlplane-api")
     .WaitFor(rabbit)
     .WithReference(controlPlaneDb)
     .WaitFor(controlPlaneDb)
-    .WithEnvironment("Gitea__BaseUrl",        gitea.GetEndpoint("http"))
     .WithEnvironment("ClientAssets__Folder",  clientAssetsPath)
     .WithEnvironment("Docker__RepoRoot",      Path.GetFullPath(Path.Combine(builder.AppHostDirectory, "..", "..")))  // ClarityStack/ root — needed for Directory.*.props
     .WithExternalHttpEndpoints();
diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml
index ccf6951..36bc3ca 100644
--- a/infra/docker-compose.yml
+++ b/infra/docker-compose.yml
@@ -20,6 +20,8 @@ networks:
 volumes:
   postgres-data:
   minio-data:
+  clarity-gitea-data:
+    external: true
 
 services:
 
@@ -154,6 +156,37 @@ services:
         aliases:
           - nginx
 
+  # ── Gitea ─────────────────────────────────────────────────────────────────
+  # Platform source control. Hosts OPC, Clarity, and Gateway repos.
+  # Accessible at https://opc.clarity.test (nginx terminates TLS).
+  gitea:
+    image: gitea/gitea:latest
+    container_name: clarity-gitea
+    restart: unless-stopped
+    ports:
+      - "3000:3000"
+      - "2222:22"
+    environment:
+      GITEA__database__DB_TYPE:  postgres
+      GITEA__database__HOST:     postgres:5432
+      GITEA__database__NAME:     giteadb
+      GITEA__database__USER:     postgres
+      GITEA__database__PASSWD:   postgres
+      GITEA__server__DOMAIN:     opc.clarity.test
+      GITEA__server__ROOT_URL:   https://opc.clarity.test
+      GITEA__server__SSH_DOMAIN: opc.clarity.test
+      GITEA__server__SSH_PORT:   "2222"
+      GITEA__service__DISABLE_REGISTRATION: "true"
+    volumes:
+      - clarity-gitea-data:/data
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      clarity-net:
+        aliases:
+          - gitea
+
   # ── Dnsmasq ───────────────────────────────────────────────────────────────
   # Resolves *.clarity.test → 127.0.0.1 so browser requests hit nginx on the host.
   dnsmasq:
diff --git a/infra/nginx/conf.d/opc.clarity.test.conf b/infra/nginx/conf.d/opc.clarity.test.conf
new file mode 100644
index 0000000..507bf50
--- /dev/null
+++ b/infra/nginx/conf.d/opc.clarity.test.conf
@@ -0,0 +1,15 @@
+server {
+    listen 443 ssl;
+    server_name opc.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        proxy_pass         http://gitea:3000;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}
diff --git a/infra/postgres/init.sql b/infra/postgres/init.sql
index 0131df7..a623f4a 100644
--- a/infra/postgres/init.sql
+++ b/infra/postgres/init.sql
@@ -7,3 +7,4 @@
 -- clarity_{tenant} → Created at provisioning time by ControlPlane.Worker.
 
 SELECT 'CREATE DATABASE keycloakdb' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'keycloakdb')\gexec
+SELECT 'CREATE DATABASE giteadb'    WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'giteadb')\gexec