diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml
new file mode 100644
index 0000000..40285e9
--- /dev/null
+++ b/roles/forgejo/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# Defines whether Forgejo is deployed behind a reverse proxy
+# if so, installs the nginx config file
+forgejo_reverse_proxy: true
+
+# Subdomain to be used for the reverse proxy configuration
+forgejo_subdomain: git
+
+# HTTP port that's both exposed by container and used by the reverse proxy
+forgejo_http_port: 3000
+
+# SSH port that's exposed from the container
+forgejo_ssh_port: 2222
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
index 66b7ae0..d60326d 100644
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@@ -11,6 +11,16 @@
 - forgejo.network
 - forgejo.volume
 
+- name: Install the reverse proxy config
+ ansible.builtin.template:
+ src: templates/nginx.conf
+ dest: "/etc/nginx/conf.d/forgejo.conf"
+ mode: 0644
+ owner: root
+ group: root
+ when: forgejo_reverse_proxy
+ notify: Restart nginx
+
 - name: Enable the Forgejo quadlet
 ansible.builtin.systemd_service:
 daemon_reload: true
diff --git a/roles/forgejo/templates/forgejo.container b/roles/forgejo/templates/forgejo.container
index 6603318..3ace41c 100644
--- a/roles/forgejo/templates/forgejo.container
+++ b/roles/forgejo/templates/forgejo.container
@@ -15,8 +15,8 @@ Environment=SSH_CREATE_AUTHORIZED_PRINCIPALS_FILES=true
 Environment=SSH_AUTHORIZED_PRINCIPALS_ALLOW="username,email"
 Network=forgejo.network
-PublishPort=2222:22
-PublishPort=3000:3000
+PublishPort={{ forgejo_ssh_port }}:22
+PublishPort={{ forgejo_http_port }}:3000
 Volume=forgejo-data:/data
diff --git a/roles/forgejo/templates/nginx.conf b/roles/forgejo/templates/nginx.conf
new file mode 100644
index 0000000..6083b40
--- /dev/null
+++ b/roles/forgejo/templates/nginx.conf
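Review bot: The nginx template added in this commit renders `server_name {{ forgejo_subdomain }}.{{ host_fqdn }}`, but `host_fqdn` has no entry in these defaults, so a host that does not define it in inventory fails at template time with an undefined-variable error instead of a clear message. It presumably comes from inventory; the usual convention is still to list it here as a documented required input, e.g. `# Required, no default: base domain the subdomain is attached to (set in inventory)` above a commented-out `# host_fqdn:`, or to assert it in the tasks before the template step. The comment on `forgejo_reverse_proxy` says the nginx config is installed, but nothing in this commit installs nginx or provides the `ssl.conf`/`proxy.conf` snippets the template includes; worth stating in that comment that another role is expected to provide them.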
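Review bot: `mode: 0644` in the new template task is an unquoted octal literal, which Ansible's YAML 1.1 loader reads as the integer 420 before the module ever sees it; the module copes with that value today, but it is the pattern ansible-lint flags because the same line written as `644` silently yields different permissions. Quote it: `mode: "0644"`. The task only installs the config while `forgejo_reverse_proxy` is true; if the flag is later switched off, the rendered `/etc/nginx/conf.d/forgejo.conf` stays in place and keeps proxying, so a matching `ansible.builtin.file` task with `state: absent` under `when: not forgejo_reverse_proxy` would make the flag round-trip. The `Restart nginx` handler is referenced but not defined in this hunk; presumably it lives in the role's handlers or a dependency, which should be confirmed since an undefined handler only fails at run time.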
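Review bot: `PublishPort={{ forgejo_http_port }}:3000` publishes the plain-HTTP port on every host interface, while the nginx upstream added in this commit reaches it at `127.0.0.1:{{ forgejo_http_port }}`; with the reverse proxy in use, the container is therefore also reachable directly from the network, bypassing TLS and whatever the proxy enforces. Binding the publish to loopback keeps it reachable only through nginx: `PublishPort=127.0.0.1:{{ forgejo_http_port }}:3000`, ideally conditional on `forgejo_reverse_proxy` since this file is rendered by Ansible anyway. Changing the published SSH port does not change the port Forgejo advertises in clone URLs; if an `SSH_PORT` environment entry exists elsewhere in this unit it should be templated from `forgejo_ssh_port` as well (the rest of the unit is outside the hunk).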
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+upstream forgejo {
+ server 127.0.0.1:{{ forgejo_http_port }};
+}
+
+server {
+ listen 443 ssl http2; # managed by Certbot
+ listen [::]:443 ssl http2; # managed by Certbot
+
+ include ssl.conf;
+ server_name {{ forgejo_subdomain }}.{{ host_fqdn }};
+
+ location ~ / {
+ include proxy.conf;
+ proxy_pass http://forgejo;
+ }
+}
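Review bot: `location ~ /` is a regular-expression location that matches every URI, where the prefix form is clearly what is meant; the regex form also takes precedence over any prefix locations added later and is matched with the regex engine on each request. Change it to `location / {`. The two `# managed by Certbot` comments are misleading on a file whose `ansible_managed` header says Ansible owns it, since Certbot will not edit this rendered file; drop them. Whether pushes over HTTPS of any real size succeed depends on `client_max_body_size` being set in the included `proxy.conf`, which is not visible here and is worth confirming.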