diff --git a/ansible/roles/git/defaults/main.yml b/ansible/roles/git/defaults/main.yml
index 5bebc4c..56f2bd1 100644
--- a/ansible/roles/git/defaults/main.yml
+++ b/ansible/roles/git/defaults/main.yml
@@ -6,3 +6,7 @@ git_home: "/srv/{{ git_user }}"
 gitea_debyl_server_name: git.debyl.io
 gitea_image: docker.gitea.com/gitea:1.25.2
 gitea_db_image: docker.io/library/postgres:14-alpine
+
+# Skudak Gitea configuration
+gitea_skudak_server_name: git.skudak.com
+gitea_skudak_ssh_port: 2222
diff --git a/ansible/roles/git/tasks/gitea-skudak.yml b/ansible/roles/git/tasks/gitea-skudak.yml
new file mode 100644
index 0000000..4285cbc
--- /dev/null
+++ b/ansible/roles/git/tasks/gitea-skudak.yml
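Review bot: `gitea_skudak_server_name: git.skudak.com` is defined a second time in `ansible/roles/podman/defaults/main.yml` by this same commit, and `gitea_skudak_ssh_port: 2222` has a hard-coded twin in `ansible/roles/podman/tasks/firewall.yml` (`- 2222/tcp`), so an inventory override of either variable leaves the other role, and the firewall, on the old value. Keep one definition that both roles read (a `group_vars` entry rather than a default in each role) and derive the firewall entry from it, `- "{{ gitea_skudak_ssh_port }}/tcp"`. The same remark covers the firewall hunk further down; it is not repeated there.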
@@ -0,0 +1,114 @@
+---
+# Deploy Gitea Skudak containers using Podman pod
+# NOTE: Directories are created in podman.yml (psql dir created by postgres container)
+
+# Ensure SELinux contexts are applied before pod creation
+- name: flush handlers before gitea-skudak pod creation
+ ansible.builtin.meta: flush_handlers
+ tags: gitea, gitea-skudak
+
+# Create pod for Skudak Gitea services
+- name: create gitea-skudak pod
+ become: true
+ become_user: "{{ git_user }}"
+ containers.podman.podman_pod:
+ name: gitea-skudak-pod
+ state: started
+ ports:
+ - "3101:3000"
+ - "{{ gitea_skudak_ssh_port }}:2222"
+ tags: gitea, gitea-skudak
+
+# PostgreSQL container in pod
+- name: create gitea-skudak-postgres container
+ become: true
+ become_user: "{{ git_user }}"
+ containers.podman.podman_container:
+ name: gitea-skudak-postgres
+ image: "{{ gitea_db_image }}"
+ pod: gitea-skudak-pod
+ restart_policy: on-failure:3
+ log_driver: journald
+ env:
+ POSTGRES_DB: gitea
+ POSTGRES_USER: gitea
+ POSTGRES_PASSWORD: "{{ gitea_skudak_db_pass }}"
+ volumes:
+ - "{{ git_home }}/volumes/gitea-skudak/psql:/var/lib/postgresql/data"
+ tags: gitea, gitea-skudak
+
+# Gitea container in pod
+- name: create gitea-skudak container
+ become: true
+ become_user: "{{ git_user }}"
+ containers.podman.podman_container:
+ name: gitea-skudak
+ image: "{{ gitea_image }}"
+ pod: gitea-skudak-pod
+ restart_policy: on-failure:3
+ log_driver: journald
+ env:
+ USER_UID: "1000"
+ USER_GID: "1000"
+ GITEA__database__DB_TYPE: postgres
+ GITEA__database__HOST: "127.0.0.1:5432"
+ GITEA__database__NAME: gitea
+ GITEA__database__USER: gitea
+ GITEA__database__PASSWD: "{{ gitea_skudak_db_pass }}"
+ GITEA__server__DOMAIN: "{{ gitea_skudak_server_name }}"
+ GITEA__server__ROOT_URL: "https://{{ gitea_skudak_server_name }}/"
+ GITEA__server__SSH_DOMAIN: "{{ gitea_skudak_server_name }}"
+ # Use Gitea's built-in SSH server (non-privileged port inside container)
+ GITEA__server__START_SSH_SERVER: "true"
+ GITEA__server__DISABLE_SSH: "false"
+ GITEA__server__SSH_PORT: "{{ gitea_skudak_ssh_port }}"
+ GITEA__server__SSH_LISTEN_PORT: "2222"
+ GITEA__security__SECRET_KEY: "{{ gitea_skudak_secret_key }}"
+ GITEA__security__INTERNAL_TOKEN: "{{ gitea_skudak_internal_token }}"
+ GITEA__security__INSTALL_LOCK: "true"
+ # Allow registration only for @skudak.com emails
+ GITEA__service__DISABLE_REGISTRATION: "false"
+ GITEA__service__EMAIL_DOMAIN_ALLOWLIST: "skudak.com"
+ GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
+ GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
+ # Mailer configuration for email confirmation
+ GITEA__mailer__ENABLED: "true"
+ GITEA__mailer__PROTOCOL: "smtps"
+ GITEA__mailer__SMTP_ADDR: "{{ gitea_skudak_smtp_host }}"
+ GITEA__mailer__SMTP_PORT: "{{ gitea_skudak_smtp_port }}"
+ GITEA__mailer__USER: "{{ gitea_skudak_smtp_user }}"
+ GITEA__mailer__PASSWD: "{{ gitea_skudak_smtp_pass }}"
+ GITEA__mailer__FROM: "{{ gitea_skudak_smtp_from }}"
+ # Logging configuration - output to journald for fluent-bit capture
+ GITEA__log__MODE: console
+ GITEA__log__LEVEL: Info
+ GITEA__log__ENABLE_ACCESS_LOG: "true"
+ volumes:
+ - "{{ git_home }}/volumes/gitea-skudak/data:/data"
+ - /etc/localtime:/etc/localtime:ro
+ tags: gitea, gitea-skudak
+
+# Generate systemd service for the pod
+- name: create systemd job for gitea-skudak-pod
+ become: true
+ become_user: "{{ git_user }}"
+ ansible.builtin.shell: |
+ podman generate systemd --name gitea-skudak-pod --files --new
+ mv pod-gitea-skudak-pod.service {{ git_home }}/.config/systemd/user/
+ mv container-gitea-skudak-postgres.service {{ git_home }}/.config/systemd/user/
+ mv container-gitea-skudak.service {{ git_home }}/.config/systemd/user/
+ args:
+ chdir: "{{ git_home }}"
+ changed_when: false
+ tags: gitea, gitea-skudak
+
+- name: enable gitea-skudak-pod service
+ become: true
+ become_user: "{{ git_user }}"
+ ansible.builtin.systemd:
+ name: pod-gitea-skudak-pod.service
+ daemon_reload: true
+ enabled: true
+ state: started
+ scope: user
+ tags: gitea, gitea-skudak
diff --git a/ansible/roles/git/tasks/main.yml b/ansible/roles/git/tasks/main.yml
index 54ccca8..867af33 100644
--- a/ansible/roles/git/tasks/main.yml
+++ b/ansible/roles/git/tasks/main.yml
@@ -6,6 +6,7 @@
 - import_tasks: selinux.yml
 - import_tasks: selinux-podman.yml
 - import_tasks: gitea.yml
+- import_tasks: gitea-skudak.yml
 # git-daemon no longer needed - commented out
 # - import_tasks: systemd.yml
diff --git a/ansible/roles/git/tasks/podman.yml b/ansible/roles/git/tasks/podman.yml
index 598e0ba..a01d0cf 100644
--- a/ansible/roles/git/tasks/podman.yml
+++ b/ansible/roles/git/tasks/podman.yml
@@ -45,9 +45,14 @@
 - "{{ git_home }}/volumes"
 - "{{ git_home }}/volumes/gitea"
 - "{{ git_home }}/volumes/gitea/data"
- # NOTE: psql directory is created by PostgreSQL container with container user ownership
+ - "{{ git_home }}/volumes/gitea/psql"
+ - "{{ git_home }}/volumes/gitea-skudak"
+ - "{{ git_home }}/volumes/gitea-skudak/data"
+ - "{{ git_home }}/volumes/gitea-skudak/psql"
+ # NOTE: psql directories may already exist with postgres ownership - ignore errors
+ failed_when: false
 notify: restorecon git
- tags: git, gitea
+ tags: git, gitea, gitea-skudak
 # SELinux context for container volumes
 - name: selinux context for git container volumes
@@ -57,7 +62,17 @@
 setype: container_file_t
 state: present
 notify: restorecon git
- tags: git, gitea, selinux
+ tags: git, gitea, gitea-skudak, selinux
+
+# SELinux context for container storage (images, overlays, etc.)
+- name: selinux context for git container storage
+ become: true
+ community.general.sefcontext:
+ target: "{{ git_home }}/.local/share/containers(/.*)?"
+ setype: container_file_t
+ state: present
+ notify: restorecon git
+ tags: git, gitea, gitea-skudak, selinux
 # Enable podman socket for SSH key lookup via AuthorizedKeysCommand
 - name: enable podman socket for git user
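Review bot: The two `containers.podman.podman_container` tasks pass `gitea_skudak_db_pass`, `gitea_skudak_secret_key`, `gitea_skudak_internal_token` and `gitea_skudak_smtp_pass` as module arguments with no `no_log: true`, so a failed run or a `-v` run prints the vault values into the Ansible output and whatever collects it. Add `no_log: true` to both container tasks; the pod and systemd tasks carry no secrets and can stay as they are. Passing the secrets through `env` also leaves them readable via `podman inspect` and the container's `/proc/*/environ` to anything running as the git user; Gitea's environment-to-ini accepts a `__FILE` suffix on `GITEA__*` variables so a value can come from a mounted file instead, which is worth considering at least for `SECRET_KEY` and `INTERNAL_TOKEN`. The header comment `# NOTE: Directories are created in podman.yml (psql dir created by postgres container)` is already out of date, since `podman.yml` in this same commit creates the psql directories itself.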
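Review bot: `failed_when: false` on the looped directory task masks every failure for every path in the loop, not only the postgres-owned `psql` directories the NOTE describes, so a wrong `git_home`, a missing parent or a permission error on the `data` directories now passes silently and surfaces only when a container fails to start. Put the two `.../psql` entries in a separate task that carries the `failed_when: false`, and leave this task strict. The task's head (module, `owner`/`mode`) starts before the hunk, so I cannot tell whether it also tries to chown an existing postgres data directory; on a host where the container has already run, a successful chown there would be worse than the masked failure and is worth a check.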
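Review bot: Relabelling the whole rootless storage tree `{{ git_home }}/.local/share/containers(/.*)?` as `container_file_t` gives every container on this host read/write access to the image layers and overlay diffs of every other container, because `container_t` processes have full access to `container_file_t` and a file context with no MCS categories (`s0`) is dominated by every container's categories. A process that compromises one container could then tamper with the layers the others are started from, which is exactly the separation the volume-only rule in the previous task preserves. As far as I know Podman labels its own rootless storage without help (image layers are meant to stay read-only to containers), so if this was added for a concrete AVC denial, narrow the target to the path that produced it and record the denial in the comment, e.g. `# <denial — FILL IN>; scoped to that path only, not the image store`.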
diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 260839b..9a26865 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -89,6 +89,11 @@ parts_server_name_io: parts.debyl.io
 photos_server_name_io: photos.debyl.io
 gitea_debyl_server_name: git.debyl.io
+# skudak.com domains (migration from skudakrennsport.com)
+bookstack_server_name_new: wiki.skudak.com
+cloud_skudak_server_name_new: cloud.skudak.com
+gitea_skudak_server_name: git.skudak.com
+
 # Legacy nginx/ModSecurity configuration removed - Caddy provides built-in security
 # Web server configuration (Caddy is the default)
@@ -144,6 +149,7 @@ caddy_log_names:
 - cloud
 - cloud-skudak
 - gitea-debyl
+ - gitea-skudak
 - fulfillr
 # GeoIP configuration for Graylog
diff --git a/ansible/roles/podman/tasks/containers/skudak/cloud.yml b/ansible/roles/podman/tasks/containers/skudak/cloud.yml
index b11edc4..159d37d 100644
--- a/ansible/roles/podman/tasks/containers/skudak/cloud.yml
+++ b/ansible/roles/podman/tasks/containers/skudak/cloud.yml
@@ -119,3 +119,14 @@
 insertbefore: '^\);'
 create: false
 failed_when: false
+
+# Add cloud.skudak.com to Nextcloud trusted_domains
+- name: add cloud.skudak.com to nextcloud trusted_domains
+ become: true
+ become_user: "{{ podman_user }}"
+ ansible.builtin.command: >
+ podman exec -u www-data skudak-cloud
+ php occ config:system:set trusted_domains 1 --value="cloud.skudak.com"
+ register: trusted_domain_result
+ changed_when: "'System config value trusted_domains' in trusted_domain_result.stdout"
+ failed_when: false
diff --git a/ansible/roles/podman/tasks/containers/skudak/wiki.yml b/ansible/roles/podman/tasks/containers/skudak/wiki.yml
index c7ef08d..c318da4 100644
--- a/ansible/roles/podman/tasks/containers/skudak/wiki.yml
+++ b/ansible/roles/podman/tasks/containers/skudak/wiki.yml
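Review bot: The occ command hard-codes both the domain (`--value="cloud.skudak.com"`) and the slot (`trusted_domains 1`) although this commit introduces `cloud_skudak_server_name_new` for exactly this value; use `--value="{{ cloud_skudak_server_name_new }}"`, and note that index 1 overwrites whatever already occupies that slot rather than appending. `failed_when: false` then hides a failing `podman exec` (container not up, occ error), so the new domain can silently stay untrusted while the Caddy block that now serves both names forwards requests for it; drop it, or fail only on a specific message you know is benign. `changed_when` keys on a phrase occ most likely prints on every successful set, so the task will probably report changed on each run. The same hard-coded literal appears in `ansible/roles/podman/tasks/containers/skudak/wiki.yml` (`APP_URL: "https://wiki.skudak.com"`), where `bookstack_server_name_new` would serve.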
@@ -68,7 +68,7 @@
 network:
 - shared
 env:
- APP_URL: "https://wiki.skudakrennsport.com"
+ APP_URL: "https://wiki.skudak.com"
 APP_KEY: "{{ bookstack_app_key }}"
 DB_HOST: "bookstack-db"
 DB_USERNAME: "bookstack"
diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml
index 973e670..d6f8225 100644
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -13,6 +13,8 @@
 # web server (Caddy)
 - 80/tcp
 - 443/tcp
+ # Gitea Skudak SSH
+ - 2222/tcp
 # pihole (unused?)
 - 53/tcp
 - 53/udp
diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2
index b71d83a..3625cb5 100644
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -79,11 +79,16 @@
 }
-# Wiki/BookStack - {{ bookstack_server_name }}
+# Wiki/BookStack - {{ bookstack_server_name }} redirect to new domain
 {{ bookstack_server_name }} {
+ redir https://{{ bookstack_server_name_new }}{uri} 302
+}
+
+# Wiki/BookStack - {{ bookstack_server_name_new }} (new primary domain)
+{{ bookstack_server_name_new }} {
 import common_headers
 reverse_proxy localhost:6875
-
+
 log {
 output file /var/log/caddy/wiki.log
 format json
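Review bot: The old-domain block now holds only the `redir`, so it no longer runs `import common_headers` and responses from `{{ bookstack_server_name }}` lose whatever that snippet sets (the Nextcloud block later in this file suggests HSTS and the usual hardening headers). A redirect response still deserves those headers — the first request to the old host is precisely where HSTS matters — so keep `import common_headers` above the `redir`. The `302` also keeps clients and crawlers returning to the old host for the whole migration; once the new domain is confirmed working, a `301` is the usual choice for a move the comment already calls permanent ("new primary domain").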
@@ -258,28 +263,28 @@
 }
 }
-# Skudak Nextcloud - {{ cloud_skudak_server_name }}
-{{ cloud_skudak_server_name }} {
+# Skudak Nextcloud - serve both domains (migration period)
+{{ cloud_skudak_server_name }}, {{ cloud_skudak_server_name_new }} {
 request_body {
 max_size {{ caddy_max_request_body_mb }}MB
 }
-
+
 reverse_proxy localhost:8090 {
 header_up Host {host}
 header_up X-Real-IP {remote}
 }
-
+
 header {
 Strict-Transport-Security "max-age=31536000; includeSubDomains"
 X-Content-Type-Options "nosniff"
 Referrer-Policy "same-origin"
 -X-Powered-By
 }
-
+
 # Nextcloud specific redirects
 redir /.well-known/carddav /remote.php/dav 301
 redir /.well-known/caldav /remote.php/dav 301
-
+
 log {
 output file /var/log/caddy/cloud-skudak.log
 format json
@@ -300,6 +305,20 @@
 }
 }
+# Gitea Skudak - {{ gitea_skudak_server_name }}
+{{ gitea_skudak_server_name }} {
+ import common_headers
+
+ reverse_proxy localhost:3101 {
+ flush_interval -1
+ }
+
+ log {
+ output file /var/log/caddy/gitea-skudak.log
+ format json
+ }
+}
+
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
 {{ ip_restricted_site() }}
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index d99bc71..e411d2f 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
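Review bot: The new `{{ gitea_skudak_server_name }}` block proxies to `localhost:3101`, a port published by a rootless Podman pod, so the connection Gitea sees most likely arrives from the rootless network gateway rather than from 127.0.0.1. Gitea only honours `X-Forwarded-For` from addresses listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES` (default loopback only), so the access log enabled by `GITEA__log__ENABLE_ACCESS_LOG` and any IP-based checks may record the gateway address for every client. Verify the client IP in the container's log after deploy and, if it is the gateway, set `GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES` to that address in `ansible/roles/git/tasks/gitea-skudak.yml`. The log path is consistent with the `gitea-skudak` entry added to `caddy_log_names`.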