diff --git a/.env b/.env index 88e706c..ab077a4 100644 --- a/.env +++ b/.env @@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http:// SERVER1_PORT=5000 SERVER2_PORT=5001 SERVER3_PORT=5002 -IMG_TAG=202507281838 \ No newline at end of file +IMG_TAG=202507301457 \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index eef8893..b4b046b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -101,9 +101,17 @@ services: image: nginx:1.25-alpine command: ["nginx", "-g", "daemon off;"] depends_on: [server1, server2, server3] + networks: [default, aptiva-shared] ports: ["80:80", "443:443"] volumes: - ./build:/usr/share/nginx/html:ro - ./nginx.conf:/etc/nginx/nginx.conf:ro - /etc/letsencrypt:/etc/letsencrypt:ro - ./empty:/etc/nginx/conf.d + +networks: + default: + name: aptiva_default + aptiva-shared: + external: true + diff --git a/nginx.conf b/nginx.conf index 5179924..8d09571 100644 --- a/nginx.conf +++ b/nginx.conf @@ -4,14 +4,15 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - # ------------------ upstreams (one line to edit per container) ---------- + # ───────────── upstreams to Docker services ───────────── upstream backend5000 { server server1:5000; } # auth & free upstream backend5001 { server server2:5001; } # onet, distance, etc. upstream backend5002 { server server3:5002; } # premium + upstream gitea_backend { server gitea:3000; } # gitea service (shared network) - # ----------------------------------------------------------------------- - # 1. HTTP → HTTPS redirect - # ----------------------------------------------------------------------- + ######################################################################## + # 1. HTTP → HTTPS redirect for the main site + ######################################################################## server { listen 80; listen [::]:80; 
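Review bot: `aptiva-shared` is declared `external: true`, so `docker compose up` aborts with "network declared as external, but could not be found" unless that network already exists, and nothing in this diff (the new refresh_secrets.sh included) creates it; either the deploy path creates it once or a comment next to the declaration should say who owns it. Joining nginx to a network shared with another stack also means every container on `aptiva-shared` can reach the nginx container's 80/443 directly, which is reasonable for an edge proxy but is worth stating, e.g. `# shared with the gitea stack; only nginx joins it, the app servers stay on default`. Giving `default` an explicit `name: aptiva_default` is a rename if the compose project name is not already `aptiva`, in which case the next `up` recreates the network and every container attached to it — hedged, since the project name is not visible here.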
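Review bot: `upstream gitea_backend { server gitea:3000; }` is resolved when nginx loads its configuration, so if the `gitea` container is not reachable on `aptiva-shared` at that moment nginx refuses to start ("host not found in upstream") and the main site goes down with it. Because gitea runs in a different compose project, `depends_on` cannot order it; either accept the coupling and document it, `# NOTE: nginx will not start unless the gitea stack is already up on aptiva-shared`, or point a `resolver` at Docker's embedded DNS and pass the host through a variable so the name is looked up per request rather than at load time. The enclosing `http` block starts before this hunk.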
@@ -19,19 +20,19 @@ http { return 301 https://$host$request_uri; } - # ----------------------------------------------------------------------- - # 2. Main virtual host on :443 - # ----------------------------------------------------------------------- + ######################################################################## + # 2. Main virtual host (dev1.aptivaai.com) on :443 + ######################################################################## server { - listen 443 ssl http2; + listen 443 ssl; + http2 on; # modern syntax server_name dev1.aptivaai.com; - # ---------- TLS ----------------------------------------------------- ssl_certificate /etc/letsencrypt/live/dev1.aptivaai.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/dev1.aptivaai.com/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; - # ---------- React static assets ------------------------------------- + # ───── React static assets ───── root /usr/share/nginx/html; index index.html; location / { @@ -42,13 +43,7 @@ http { access_log off; } - # ------------------------------------------------------------------- - # 3. API reverse‑proxy rules (three prefixes = three back‑ends) - # ------------------------------------------------------------------- - - ## 3A server2 – career, maps, onet, salary, etc. - ## Anything that *starts* with /api/onet/ OR any one of the paths - ## you previously enumerated now lives here. + # ───── API reverse‑proxy rules ───── location ^~ /api/onet/ { proxy_pass http://backend5001; } location ^~ /api/chat/ { proxy_pass http://backend5001; proxy_http_version 1.1; proxy_buffering off; } location ^~ /api/job-zones { proxy_pass http://backend5001; } 
@@ -61,23 +56,48 @@ http { location ^~ /api/maps/distance { proxy_pass http://backend5001; } location ^~ /api/schools { proxy_pass http://backend5001; } - ## 3B server3 – premium & public assets handled by server3 location ^~ /api/premium/ { proxy_pass http://backend5002; } location ^~ /api/public/ { proxy_pass http://backend5002; } - ## 3C server1 – everything else beginning with /api/ - ## (register, signin, user‑profile, areas, activate‑premium, …) location ^~ /api/ { proxy_pass http://backend5000; } - # ---------- shared proxy settings ----------------------------------- - ## Add the headers *once*; they apply to every proxy_pass above. - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # shared proxy headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - # ---------- error pages --------------------------------------------- error_page 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } + + ######################################################################## + # 3. Gitea virtual host (HTTPS) gitea.dev1.aptivaai.com + ######################################################################## + server { + listen 443 ssl; + http2 on; + server_name gitea.dev1.aptivaai.com; + + ssl_certificate /etc/letsencrypt/live/gitea.dev1.aptivaai.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/gitea.dev1.aptivaai.com/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + + location / { + proxy_pass http://gitea_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + } + } + + ######################################################################## + # 4. 
Gitea HTTP → HTTPS redirect + ######################################################################## + server { + listen 80; + server_name gitea.dev1.aptivaai.com; + return 301 https://$host$request_uri; + } } diff --git a/refresh_secrets.sh b/refresh_secrets.sh new file mode 100755 index 0000000..552233d --- /dev/null +++ b/refresh_secrets.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Re‑export secrets from Secret Manager +echo "🔐 Pulling latest secrets…" +source /home/jcoakley/aptiva-dev1-app/fetch-secrets.sh # same array as deploy_all.sh + +# Restart only the application stack so env changes propagate +cd /home/jcoakley/aptiva-dev1-app +docker compose up -d --no-build --no-deps server1 server2 server3 + +echo "✅ Secrets injected; containers unchanged." diff --git a/user_profile.db b/user_profile.db index cb40bcc..a6e06e0 100644 Binary files a/user_profile.db and b/user_profile.db differ
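Review bot: The new Gitea vhost's `location /` proxies with nginx's default `client_max_body_size` of 1m, so a `git push` over HTTPS whose pack exceeds that is rejected with 413 before it ever reaches Gitea; add `client_max_body_size 512m;  # example value, size to the repo policy` inside that location. The Gitea redirect server has only `listen 80;` while the main site's port-80 server also has `listen [::]:80;`, so IPv6 clients asking for gitea.dev1.aptivaai.com fall through to the main redirect server — harmless today because both return the same 301, but worth making consistent. The `http` block enclosing all four server blocks starts before this hunk.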
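Review bot: The closing message `echo "✅ Secrets injected; containers unchanged."` is misleading: `docker compose up -d` recreates any of server1–3 whose environment differs from the running container, which is exactly what the preceding comment says the script intends, so say that, e.g. `echo "✅ Secrets refreshed; server1-3 recreated where their environment changed."`. The two hard-coded `/home/jcoakley/aptiva-dev1-app` paths tie the script to one account; deriving the directory once, `APP_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`, and using `"$APP_DIR"` for both the `source` and the `cd` keeps it working wherever the checkout lives. `set -u` also applies to the sourced fetch-secrets.sh, so any optional variable it reads while unset aborts this script — verify that file tolerates it. Secrets exported into the shell and handed to the containers as environment are visible through `docker inspect` to anyone with Docker socket access; that is inherent to env-based injection but deserves a comment so readers know where the trust boundary sits.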
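Review bot: `user_profile.db` is a binary database file that this commit updates in place (index cb40bcc..a6e06e0) alongside config changes, so every commit freezes a copy of whatever user records it holds into git history, where it cannot be reviewed, merged or later scrubbed; if it contains real profile data that is a retention and exposure problem, and even if it is only a fixture its name should say so. Add it to `.gitignore` and stop tracking it with `git rm --cached user_profile.db`, keeping a schema/migration or seed script in its place if the application needs an initial database.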