diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 7a9f017..66e50bb 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -12,6 +12,7 @@
 "cryptpad"
 "fi33.buzz"
 "gatus"
+ "forgejo"
 "homepage-dashboard"
 "immich"
 "jellyfin"
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
new file mode 100644
index 0000000..67e2d6b
--- /dev/null
+++ b/modules/nixos/features/forgejo.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ port = 5027;
+ certloc = "/var/lib/acme/fi33.buzz";
+ hostname = "git.fi33.buzz";
+ url = "https://git.fi33.buzz";
+in
+{
+ services = {
+ forgejo = {
+ enable = true;
+ dump = {
+ enable = true;
+ interval = "00:00";
+ };
+ lfs.enable = true;
+ settings = {
+ server = {
+ # keep-sorted start
+ DOMAIN = hostname;
+ HTTP_PORT = port;
+ ROOT_URL = url;
+ SSH_PORT = lib.head config.services.openssh.ports;
+ # keep-sorted end
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+ openssh.settings.AllowUsers = [ "forgejo" ];
+ borgbackup.jobs = {
+ onsite.paths = [ "/var/lib/forgejo" ];
+ offsite.paths = [ "/var/lib/forgejo" ];
+ };
+ caddy.virtualHosts.${hostname}.extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2bd9a15..795eecb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,7 @@ in
 "borgbackup-offsite.age".publicKeys = users;
 "borgbackup-onsite.age".publicKeys = users;
 "copyparty.age".publicKeys = users;
+ "forgejo-read-token.age".publicKeys = users;
 "gatus.age".publicKeys = users;
 "git_signing_key.age".publicKeys = users;
 "git_signing_key.pub.age".publicKeys = users;
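Review bot: `"forgejo"` is inserted after `"gatus"` although the neighbouring entries (`cryptpad`, `fi33.buzz`, `gatus`, `homepage-dashboard`, `immich`, `jellyfin`) appear to be kept in alphabetical order; placing it between `"fi33.buzz"` and `"gatus"` keeps the list sorted. The enclosing list starts and ends outside the hunk.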
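Review bot: The Forgejo HTTP listener is configured only with `HTTP_PORT = port;`, so the bind address stays at the module default, which as far as I can tell is not loopback; with Caddy terminating TLS for `git.fi33.buzz` and proxying to `localhost:5027`, the plaintext port should be pinned to loopback with `HTTP_ADDR = "127.0.0.1";` placed before `HTTP_PORT` inside the keep-sorted block, so that port 5027 is reachable only through the proxy rather than relying on the host firewall alone. `openssh.settings.AllowUsers = [ "forgejo" ];` is a merged list option, so this is fine only if another module contributes the administrative login; if this module is the sole contributor it restricts sshd to the forgejo account, which a comment such as `# merged with the admin AllowUsers entries set elsewhere` would make explicit for the next reader. `service.DISABLE_REGISTRATION = true` and the TLS 1.3-only Caddy block are sound defaults.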
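Review bot: `forgejo-read-token.age` is declared here but nothing in this commit consumes it — the new `forgejo.nix` module references no age secret — so it is unclear which host or service reads the token and with what scope. If it is consumed elsewhere or in a follow-up, a one-line comment on this entry such as `# read-only Forgejo API token used by <consumer>` ties the secret to its user; otherwise the declaration is dead until then. The enclosing attribute set starts and ends outside the hunk.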