diff --git a/projects/gitea/manifests/postgre.yaml b/projects/gitea/manifests/postgre.yaml
new file mode 100644
index 00000000..98e1855c
--- /dev/null
+++ b/projects/gitea/manifests/postgre.yaml
@@ -0,0 +1,57 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: gitea-db
+ namespace: gitea
+spec:
+ instances: 1
+ imageName: ghcr.io/cloudnative-pg/postgresql:15
+
+ bootstrap:
+ initdb:
+ import:
+ type: microservice
+ databases:
+ - gitea
+ source:
+ externalCluster: gitea
+
+ backup:
+ barmanObjectStore:
+ destinationPath: "s3://gitea-db/"
+ endpointURL: "http://minio.minio.svc.cluster.local:9000"
+ s3Credentials:
+ accessKeyId:
+ name: bucket
+ key: accesskey
+ secretAccessKey:
+ name: bucket
+ key: secretkey
+ wal:
+ compression: gzip
+ #encryption: AES256
+ data:
+ compression: gzip
+ #encryption: AES256
+ retentionPolicy: "90d"
+
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "1Gi"
+ cpu: "1"
+
+ storage:
+ size: 10Gi
+
+ externalClusters:
+ - name: gitea
+ connectionParameters:
+ host: gitea-postgresql.gitea.svc.cluster.local
+ user: gitea
+ dbname: gitea
+ password:
+ name: postgres
+ key: postgresql-password
diff --git a/projects/gitea/values/gitea.yaml b/projects/gitea/values/gitea.yaml
index f8f4ce74..576a6a54 100644
--- a/projects/gitea/values/gitea.yaml
+++ b/projects/gitea/values/gitea.yaml
@@ -27,8 +27,8 @@ securityContext:
 drop:
 - ALL
 # # https://gitea.com/gitea/helm-chart/issues/161
-# add:
-# - SYS_CHROOT
+ add:
+ - SYS_CHROOT
 privileged: false
 readOnlyRootFilesystem: true
 runAsGroup: 1000
@@ -104,6 +104,8 @@ gitea:
 config:
 APP_NAME: "Git with a lot of coffee"
+ webhook:
+ ALLOWED_HOST_LIST: argocd-server.argocd.svc.cluster.local
 ui:
 DEFAULT_THEME: arc-green
 repository:
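Review bot: The `backup.barmanObjectStore` block sends base backups and WAL to `endpointURL: "http://minio.minio.svc.cluster.local:9000"` over plain HTTP, and both `#encryption: AES256` lines are commented out, so the backup traffic crosses the cluster network in clear text and the objects are stored without server-side encryption. These archives are a full copy of the Gitea database, which holds password hashes and access tokens. Point the endpoint at a TLS listener and reference its CA through `endpointCA`, and re-enable `encryption: AES256` under `wal` and `data` once the bucket backend supports it. Separately, `imageName: ghcr.io/cloudnative-pg/postgresql:15` is a floating tag; pinning a full version or a digest makes the rollout reproducible.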
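Review bot: Re-enabling `add: - SYS_CHROOT` hands a capability back to a container that otherwise drops `ALL`, and the only justification is the bare issue link on the line above, which is still a doubly commented `# #` line. Record in a comment which process needs the capability and when it can be removed again, for example `# SYS_CHROOT: required by <component> (see helm-chart issue 161); remove once no longer needed`. The `securityContext` mapping starts and ends outside this hunk, so whether `allowPrivilegeEscalation: false` is set alongside cannot be confirmed from here.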
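Review bot: Nothing records that `ALLOWED_HOST_LIST` replaces Gitea's built-in default (`external`) rather than extending it, so after this change webhook deliveries can only reach the Argo CD server and any hook pointing at an outside host will be refused. If that restriction is intended, say so in a comment above the key, e.g. `# Webhooks may only target the in-cluster Argo CD API; external hosts are deliberately not allowed.` If outside hooks must keep working, the value needs `external` added as a second comma-separated entry. The `config` mapping continues outside the hunk.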
@@ -114,7 +116,8 @@ gitea: DOMAIN: git.nold.in ROOT_URL: https://git.nold.in database: - HOST: gitea-postgresql.gitea.svc.cluster.local:5432 + NAME: app + HOST: gitea-db-rw.gitea.svc.cluster.local:5432 service: DISABLE_REGISTRATION: true lfs: @@ -128,20 +131,22 @@ gitea: oauth: ENABLE: false + additionalConfigFromEnvs: + - name: ENV_TO_INI__DATABASE__PASSWD + valueFrom: + secretKeyRef: + name: gitea-db-app + key: password + - name: ENV_TO_INI__DATABASE__USER + valueFrom: + secretKeyRef: + name: gitea-db-app + key: username + memcached: enabled: true service: port: 11211 postgresql: - enabled: true - global: - #storageClass: slow - postgresql: - existingSecret: postgres - persistence: - size: 10Gi - psp: - create: true - rbac: - create: true + enabled: false
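Review bot: The `database` block now points at the CloudNativePG read-write service but sets no `SSL_MODE`, and Gitea's default for that key is `disable`, so unless it is set elsewhere the application credentials and all queries travel to `gitea-db-rw` unencrypted. Add `SSL_MODE: require` next to `HOST` (or a verifying mode such as `verify-full` with the cluster CA available to the pod) so the connection uses the TLS that the operator provisions on the server side by default. `NAME: app` appears to rely on the operator's default application database name, since the new manifest sets no `initdb.database`; a short comment saying so would help the next reader.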
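Review bot: Setting `postgresql.enabled: false` in the same commit removes the bundled `gitea-postgresql` service that the new Cluster's `externalClusters` entry (host `gitea-postgresql.gitea.svc.cluster.local`) names as its import source, so depending on sync order the `initdb.import` bootstrap may find nothing to read from. Consider landing this in two steps: keep `enabled: true` until the import into `gitea-db` has been verified, then disable the sub-chart in a follow-up. On `additionalConfigFromEnvs`, taking `ENV_TO_INI__DATABASE__USER` and `ENV_TO_INI__DATABASE__PASSWD` from the `gitea-db-app` secret keeps the credentials out of the values file. That secret is presumably generated by the operator, and a one-line comment saying so would explain why it is not defined in this repository.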