diff --git a/2-nomad-config/.terraform.lock.hcl b/2-nomad-config/.terraform.lock.hcl
index 51e754c..d92fab2 100644
--- a/2-nomad-config/.terraform.lock.hcl
+++ b/2-nomad-config/.terraform.lock.hcl
@@ -16,6 +16,23 @@ provider "registry.terraform.io/carlpett/sops" { ] }
+provider "registry.terraform.io/cloudflare/cloudflare" {
+ version = "5.5.0"
+ constraints = "~> 5.0"
+ hashes = [
+ "h1:wZhU174xytOMZ1t6uDUQiLtR/XKpi2RH9OzMz0XqP9Q=",
+ "zh:178f29dee2edac39252780819f34004b1841770c61ee7fb5a625afaece6495cd",
+ "zh:6faf26203167ae20ca5c8ece4a8bb1c4187137505058fb7b1a4bd5095823e648",
+ "zh:97c91a95819336b8c41618919786ddd2dca643d28219d52af1d80b88018c6eec",
+ "zh:bbc53670fc2613e3fe81b5bf7b8674c5ad083a206fa8af34f0f055a8d06b2d01",
+ "zh:d305bcb01249ada21b80e5038e371f6ca0a60d95d7052df82456e4c4963f3bfc",
+ "zh:e2f9db57ead7100676b790a3e4567d88443fae0e19127e66b3505210de93e4b5",
+ "zh:eb8cef2e6cbf05237b8a2f229314ae12c792ed5f8f60fe180102bdf17dc30841",
+ "zh:f51a5bb0130d2f42772988ee56723f176aa230701184a0f5598dbb1c7b4c3906",
+ "zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
+ ]
+}
+
 provider "registry.terraform.io/cyrilgdn/postgresql" { version = "1.25.0" hashes = [
diff --git a/2-nomad-config/1-infra.tf b/2-nomad-config/1-infra.tf
index 91fa1c2..2a978e7 100644
--- a/2-nomad-config/1-infra.tf
+++ b/2-nomad-config/1-infra.tf
@@ -10,6 +10,10 @@ terraform { source = "carlpett/sops" version = "~> 0.5" }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 5"
+ }
 postgresql = { source = "cyrilgdn/postgresql" }
@@ -24,8 +28,32 @@ data "sops_file" "secrets" { source_file = "secrets.enc.json" }
+provider "cloudflare" {
+ api_token = data.sops_file.secrets.data["cloudflare.api_token"]
+}
+
 // Networking
+resource "cloudflare_dns_record" "othrayte-one" {
+ comment = "othrayte.one proxy to internal IP for traefik"
+ zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
+ type = "AAAA"
+ name = "othrayte.one"
+ content = data.sops_file.secrets.data["cloudflare.direct_ip6"]
+ proxied = true
+ ttl = 1 # Auto
+}
+
+resource "cloudflare_dns_record" "star-othrayte-one" {
+ comment = "*.othrayte.one proxy to internal IP for traefik"
+ zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
+ type = "AAAA"
+ name = "*"
+ content = data.sops_file.secrets.data["cloudflare.direct_ip6"]
+ proxied = true
+ ttl = 1 # Auto
+}
+
 resource "nomad_job" "traefik" { jobspec = file("traefik.nomad.hcl") }
diff --git a/2-nomad-config/2-services.tf b/2-nomad-config/2-services.tf
index ba1210f..81b72d5 100644
--- a/2-nomad-config/2-services.tf
+++ b/2-nomad-config/2-services.tf
@@ -58,8 +58,19 @@ resource "nomad_csi_volume_registration" "unraid_appdata_transferfilebrowser" { } }
+resource "cloudflare_dns_record" "git-othrayte-one" {
+ comment = "git.othrayte.one maps to tailscale fqdn"
+ zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
+ type = "CNAME"
+ name = "git"
+ content = "git.tail15856.ts.net"
+ ttl = 1 # Auto
+}
+
 resource "nomad_job" "gitea" {
- jobspec = file("gitea.nomad.hcl")
+ jobspec = templatefile("gitea.nomad.hcl", {
+ ts_authkey = data.sops_file.secrets.data["tailscale.auth_key"]
+ })
 } resource "nomad_variable" "gitea" {
diff --git a/2-nomad-config/gitea.nomad.hcl b/2-nomad-config/gitea.nomad.hcl
index 1bc1288..1bfecd8 100644
--- a/2-nomad-config/gitea.nomad.hcl
+++ b/2-nomad-config/gitea.nomad.hcl
@@ -1,7 +1,3 @@
-# TODOs
-# - Map /data/ to unraid appdata
-# - Move database config to /data/gitea/conf/app.ini (where it would be copied on first run)
-
 job "gitea" { group "gitea" { network {
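Review bot: The two new `cloudflare_dns_record` resources in the 1-infra.tf hunk repeat the literal zone id `2616ab2a44d0645b03fbc3106c79bd99` and use different name forms, `name = "othrayte.one"` for the apex but a bare `name = "*"` for the wildcard; in my experience the 5.x provider keeps the name the API returns, which is fully qualified, so the short form may surface as a change on every plan and is worth checking with a second `terraform plan`. I would write `name = "*.othrayte.one"` and move the zone id into a `locals` block (or a `cloudflare_zone` data source) that every record references. Keeping `direct_ip6` in sops and setting `proxied = true` only hides the origin address; it does not stop a client that learns the address from connecting directly, so whether traefik limits ingress to Cloudflare's published ranges (not visible here) is worth confirming.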
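Review bot: `templatefile("gitea.nomad.hcl", { ts_authkey = ... })` in the 2-services.tf hunk renders the Tailscale auth key into the job definition, so the secret leaves sops and lands both in the Terraform state for `nomad_job.gitea` and in the job spec Nomad stores, where `nomad job inspect` shows it to anyone with read-job rights. This file already manages `nomad_variable.gitea`; putting the key there and reading it in the jobspec through a `template` block with `env = true` keeps the value out of the rendered job and allows rotation without re-rendering. Note also that `templatefile` now evaluates every `${...}` in gitea.nomad.hcl, so any Nomad runtime interpolation the file may contain outside this diff has to be escaped as `$${...}`. The `resource "nomad_variable" "gitea"` block continues past the end of the hunk.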
@@ -33,12 +29,12 @@ job "gitea" { "traefik.http.routers.gitea.middlewares=auth@file", ]
- # check {
- # type = "http"
- # path = "/"
- # interval = "10s"
- # timeout = "2s"
- # }
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
 } task "gitea" {
@@ -59,7 +55,7 @@ job "gitea" { resources { cpu = 500
- memory = 256
+ memory = 512
 } volume_mount {
@@ -85,6 +81,7 @@ ROOT = /data/git/repositories [server] DOMAIN = code.othrayte.one
+SSH_DOMAIN = git.othrayte.one
 ROOT_URL = https://code.othrayte.one/ [lfs]
@@ -107,6 +104,29 @@ EOF } }
+ task "tailscale" {
+ driver = "docker"
+
+ config {
+ image = "tailscale/tailscale:latest"
+ }
+
+ env = {
+ TS_AUTHKEY = "${ts_authkey}"
+ TS_HOSTNAME = "git"
+ }
+
+ resources {
+ cpu = 100
+ memory = 64
+ }
+
+ lifecycle {
+ hook = "prestart"
+ sidecar = true
+ }
+ }
+
 volume "unraid_appdata_gitea" { type = "csi" read_only = false
diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json
index b8e740f..11cacf2 100644
--- a/2-nomad-config/secrets.enc.json
+++ b/2-nomad-config/secrets.enc.json
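Review bot: The re-enabled `check` in the first hunk probes `path = "/"`, which has Gitea render its full landing page every 10 s and still passes when the web server is up but the database behind it is not. Gitea ships a dedicated `/api/healthz` endpoint that checks the database and cache, so `path = "/api/healthz"` is the better target if the deployed version provides it. The enclosing `service` block starts above the hunk.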
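Review bot: The `tailscale` task in the last hunk runs `image = "tailscale/tailscale:latest"` with no persistent state: `latest` changes underneath the job, and without a `TS_STATE_DIR` on a mounted volume every restart starts a fresh node that re-authenticates with `TS_AUTHKEY`, which fails once the key expires or, if it is not reusable, on the first restart, and can leave stale `git` nodes in the tailnet unless the key is ephemeral. I would pin the image to a release tag or `@sha256:` digest, mount a small persistent directory and point `TS_STATE_DIR` at it, and issue a reusable, tagged key so the node's identity does not hang off the key creator's account. The key is also injected as a plain env var from `${ts_authkey}`; a `template` block reading a Nomad variable would keep it out of the job definition. `memory = 64` is tight for tailscaled and worth watching under load.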
@@ -2,6 +2,13 @@ "unraid": { "nomad": "ENC[AES256_GCM,data:FCGEs+XCSuunLxVPyzE=,iv:j8Ey+l8iJiPY7CbE5IoT0ZgNklnv+4odSZkorJQ/nr8=,tag:7PoizENid+vgWC/eb5MOaQ==,type:str]" }, + "cloudflare": { + "api_token": "ENC[AES256_GCM,data:445wM+3yHRnMfiAHuBg3dWzLA3jB0dpNBaHrxl1bb036sFZnzN+gOg==,iv:g8tMdxY8XFTPA2W8/RtMtDhnyCzNLY6dJDWWC2ZeIZQ=,tag:04uf/y3DWY3HIXOJ2HenJw==,type:str]", + "direct_ip6": "ENC[AES256_GCM,data:/yDwQJHmcwD6nULnRFdn9aSVY1rQUic+,iv:5YBevwSrZzsqdoo5K8Wv6R4nxmWoCFa9NLP35Y+wtLw=,tag:+5F0SlVo5D4ZoMcKzaODRQ==,type:str]" + }, + "tailscale": { + "auth_key": "ENC[AES256_GCM,data:gzh4nqEOQLijp5DTGHHSn0aO1mFQUB3sVSdAVDLG+a2H6XJ0BtJJGU55oLJURy7E/um7gzwDofP5mwZGTA==,iv:yl8lHqnNLB2AXlBfMyw/0CAR7+KmyKKDFc7kxbo9S6c=,tag:CunYd62x3omji6ozqmhgOg==,type:str]" + }, "authelia": { "session_secret": "ENC[AES256_GCM,data:gPVSGzU00EjuW/NDD9bpsc+4DQ==,iv:IRzSKqfv2Quaj1bzrFaK0glCKEPrle+uI8fq/1HFi60=,tag:loiTEpEBGBwQETRWpOffNg==,type:str]", "jwt_secret": "ENC[AES256_GCM,data:7Q/0M5IY0vLsgCE0z78L,iv:f6GymDrq2/NlKJuMNnDDmG2GUAzhonNa8LXlr0x1elw=,tag:1ITT9WmD3UOP30AjYEkLJQ==,type:str]", 
@@ -21,8 +28,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-19T12:11:30Z", - "mac": "ENC[AES256_GCM,data:BjUuMWp3bE0iHLZZ9lHh/sSKSDF3sBgRr4CmKKqjXaY1CJ6k9wESgZmxjT2FOTfzJ5tZaBXdm4WKwagE6frke0eNfYDIWC+FQfX/4geUe8OyQFW/22i7I60uS4bVv9PAO/JJKTNCZxOdtLsK7fZ8rS4Jve9mAdhEbKfPmQHIiy4=,iv:cqi4rpbJLxLr8zjKrx80mKJBbSuU1D0XjUbBg1CYDRk=,tag:+8Hl9WQ2ZUY6BPMw/GMtpQ==,type:str]", + "lastmodified": "2025-05-22T14:03:49Z", + "mac": "ENC[AES256_GCM,data:gRzCl7GS4ywePISLFcR4bd+D8lg+2ZNDpF1QEKS/VZmRZW42NIQT+xiNg7cX7QYYnMyAjckYVGXFlK2/INzHGHWZhuP7pREt9zVCFAXaDZ6s1FVV1ee59u9VdZX7mzUESxvUWEPYvrkbDPtTC6U0x67rihBj/oIc7tGCWt7EoyY=,iv:UVZPZiByRFb1gFL+n1NkokEuDPXaYPbTBhKhraUWOD4=,tag:prVhsjnUswTW9aHz8Xu9IA==,type:str]", "encrypted_regex": "^(.*)$", "version": "3.10.2" }