diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 9593963..6df325b 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -42,18 +42,22 @@ }; # hardened openssh
- services.openssh = {
- allowSFTP = false;
- extraConfig = ''
- AllowTcpForwarding yes
- X11Forwarding no
- AllowAgentForwarding no
- AllowStreamLocalForwarding no
- AuthenticationMethods publickey
- '';
- settings = {
- KbdInteractiveAuthentication = false;
- PasswordAuthentication = false;
+ services = {
+ fail2ban.enable = true;
+ endlessh = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+ openssh = {
+ enable = true;
+ ports = [ 5011 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ AllowUsers = [ "srv" ];
+ };
 }; };
diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 7a9f017..66e50bb 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -12,6 +12,7 @@
 "cryptpad"
 "fi33.buzz"
 "gatus"
+ "forgejo"
 "homepage-dashboard"
 "immich"
 "jellyfin"
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
new file mode 100644
index 0000000..ac2d647
--- /dev/null
+++ b/modules/nixos/features/forgejo.nix
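Review bot: The rewritten `openssh` block in hosts/server/configuration.nix drops several hardening directives that the removed `extraConfig` set — `X11Forwarding no`, `AllowAgentForwarding no`, `AllowStreamLocalForwarding no` and `AuthenticationMethods publickey` — as well as `allowSFTP = false`, and nothing in the new `settings` attrset restores them. Moving sshd to port 5011 and adding fail2ban/endlessh does not replace those per-session restrictions, so unless they were dropped on purpose (the commit does not say so), they should be carried over, e.g. `X11Forwarding = false; AllowAgentForwarding = "no"; AllowStreamLocalForwarding = "no"; AuthenticationMethods = "publickey";` inside `settings` (or the old `extraConfig`), plus a restored `allowSFTP = false;`. Note also that `AllowUsers = [ "srv" ]` is a list option that other modules extend, so the effective allow-list is the merge across all modules rather than this literal value. The enclosing module attrset starts and ends outside the hunk.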
@@ -0,0 +1,87 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ port = 5027;
+ certloc = "/var/lib/acme/fi33.buzz";
+ hostname = "git.fi33.buzz";
+ url = "https://git.fi33.buzz";
+ sshPort = lib.head config.services.openssh.ports;
+in
+{
+ services = {
+ forgejo = {
+ enable = true;
+ dump = {
+ enable = true;
+ interval = "00:00";
+ };
+ lfs.enable = true;
+ settings = {
+ server = {
+ # keep-sorted start
+ DOMAIN = hostname;
+ HTTP_PORT = port;
+ ROOT_URL = url;
+ SSH_PORT = sshPort;
+ # keep-sorted end
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ user = "git";
+ group = "git";
+ };
+
+ openssh.settings.AllowUsers = [ "git" ];
+
+ gatus.settings.endpoints = [
+ {
+ name = "Forgejo";
+ group = "Private Services";
+ inherit url;
+ interval = "5m";
+ conditions = [
+ "[STATUS] == 200"
+ "[CONNECTED] == true"
+ "[RESPONSE_TIME] < 500"
+ ];
+ alerts = [ { type = "ntfy"; } ];
+ }
+ {
+ name = "Forgejo SSH";
+ group = "Private Services";
+ url = "ssh://${hostname}:${toString sshPort}";
+ interval = "5m";
+ conditions = [
+ "[CONNECTED] == true"
+ "[RESPONSE_TIME] < 500"
+ ];
+ alerts = [ { type = "ntfy"; } ];
+ }
+ ];
+
+ borgbackup.jobs = {
+ onsite.paths = [ "/var/lib/forgejo" ];
+ offsite.paths = [ "/var/lib/forgejo" ];
+ };
+
+ caddy.virtualHosts.${hostname}.extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
+ };
+
+ users = {
+ users.git = {
+ home = "/var/lib/forgejo";
+ useDefaultShell = true;
+ group = "git";
+ isSystemUser = true;
+ };
+ groups.git = { };
+ };
+}
diff --git a/modules/nixos/features/homepage-dashboard.nix b/modules/nixos/features/homepage-dashboard.nix
index 3516600..d7ac6ef 100644
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@@ -23,6 +23,7 @@ let secrets = [ # keep-sorted start
+ "forgejo-read-token"
 "immich"
 "jellyfin"
 "kavita-api"
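Review bot: In the new modules/nixos/features/forgejo.nix, `openssh.settings.AllowUsers = [ "git" ]` relies on NixOS merging this list with the `[ "srv" ]` set in hosts/server/configuration.nix, and `sshPort = lib.head config.services.openssh.ports` relies on the host defining at least one sshd port (`lib.head` fails on an empty list); neither dependency is stated in the file. A short comment above the `let` block such as `# Forgejo reuses the system sshd rather than a builtin SSH server: the git user must be allowed in AllowUsers and SSH_PORT must match the sshd listen port` would make that explicit for the next reader. Separately, `dump.enable = true` with `interval = "00:00"` writes a dump every night and, as far as I can tell, the NixOS module does not prune old dumps; if the dump directory stays at its default under `/var/lib/forgejo`, those files accumulate inside both borg jobs' paths, so a cleanup step or an explicit `dump.backupDir` outside the state dir is worth considering. The Caddy `tls` line also presumes the caddy user can read `${certloc}/key.pem`; that grant is presumably made elsewhere in the repo and could be referenced in a comment.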
@@ -79,6 +80,18 @@ in
 }
 {
 "Media Management" = [
+ {
+ Forgejo = {
+ description = "Software forge";
+ icon = "forgejo.svg";
+ href = "https://git.fi33.buzz/";
+ widget = {
+ type = "gitea";
+ url = "https://git.fi33.buzz/";
+ key = "@forgejo-read-token@";
+ };
+ };
+ }
 {
 Radarr = {
 description = "Movie organizer/manager";
diff --git a/secrets/forgejo-read-token.age b/secrets/forgejo-read-token.age
new file mode 100644
index 0000000..dceb6b9
Binary files /dev/null and b/secrets/forgejo-read-token.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2bd9a15..795eecb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,7 @@ in
 "borgbackup-offsite.age".publicKeys = users;
 "borgbackup-onsite.age".publicKeys = users;
 "copyparty.age".publicKeys = users;
+ "forgejo-read-token.age".publicKeys = users;
 "gatus.age".publicKeys = users;
 "git_signing_key.age".publicKeys = users;
 "git_signing_key.pub.age".publicKeys = users;
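Review bot: The new `Forgejo` entry in modules/nixos/features/homepage-dashboard.nix is placed in the `"Media Management"` group even though its `description` is `"Software forge"`, which reads as a misplacement rather than a deliberate grouping; a dedicated or infrastructure group would keep the dashboard consistent with the other entries in this section. The `gitea` widget's `key = "@forgejo-read-token@"` hands the dashboard an API token for the forge; the secret's name suggests a read-only token, and since the widget only needs read access to render its counters it is worth confirming the token was generated with read-only scopes on a low-privilege account rather than an admin user. `href` and `widget.url` repeat the same literal URL, so a single `let`-bound value would keep them from drifting apart. The first hunk in this file only registers the secret name and needs no change.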