diff --git a/hosts/iron/secrets/mail-users.nix b/hosts/iron/secrets/mail-users.nix
index 4caac02..0046b88 100644
Binary files a/hosts/iron/secrets/mail-users.nix and b/hosts/iron/secrets/mail-users.nix differ
diff --git a/hosts/magnesium/ports.nix b/hosts/magnesium/ports.nix
index b35165c..0fa666e 100644
--- a/hosts/magnesium/ports.nix
+++ b/hosts/magnesium/ports.nix
@@ -1,4 +1,4 @@
-{ lib, custom-utils, ... }:
+{ custom-utils, ... }:
 custom-utils.validatePortAttrset {
   coturn-cli.tcp = 5766;
@@ -9,4 +9,5 @@ custom-utils.validatePortAttrset {
   nginx-http.tcp = 80;
   nginx-https.tcp = 443;
   wireguard-public-ip-tunnel.udp = 51000;
+  forgejo-ssh.tcp = 2022;
 }
diff --git a/hosts/magnesium/secrets.yaml b/hosts/magnesium/secrets.yaml
index cd7f526..f7c505b 100644
--- a/hosts/magnesium/secrets.yaml
+++ b/hosts/magnesium/secrets.yaml
@@ -1,6 +1,7 @@
 wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str]
 turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qEQ1BZGVG0=,iv:uYHYe4Cywxovt3b/Ho1tQVHrpgVic+AKh9AjYMYSZcM=,tag:rr8RW/if06t38GpZCYQB4w==,type:str]
 gitlab-runner_fablab-nea-hcloud-labsync: ENC[AES256_GCM,data:+znVO8cQxjDdhch7oUALZvt84iJmWnAx6lTM0+WGkGtaRWTCTPjgnst5waSJpw/Oysrd1PkXZKmLHyHuU7K/CHQij7sWH50G3ZcUum58klJc3dCPztlrLpDVHeSwyYiLpsqkQTfjqLPfrMkxuxBgTEVXlq2ZnFuyOGbFx9hubPxLeyQKakiW3qZWGjbFXYAps7Gl61AVdKJj3y1otX2JbCjG9x2i6FHZpl5ywwQCjKNM,iv:7v+I/oJtWDap6PNIJ4Qm3Si9dGs7a79SaMhnr/tbe1A=,tag:7jgoLtdWAEKMkWoXZ10owA==,type:str]
+forgejo-mail: ENC[AES256_GCM,data:eZv9dM0a06wFJaDUZjo=,iv:L32ab5k/AX8HqSACJA5w+WbzLlBijA5++Gcr2SrnYIU=,tag:ddyTXikWTMnxq86IijgyYg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -16,8 +17,8 @@ sops:
             QTBqZDZLeDFLK0k2MHF4Uk1mQTIxRHcKeLHz+lSnHLyTgw2Aq+IVGpIi9X8SQx+Q
             bCSPPMPIZsL4VLInuZmcd2n/kEr80fQM2P3/ktW8RnViQjTU+kKbMg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-13T18:27:53Z"
-    mac: ENC[AES256_GCM,data:8DPq0aGtoiMOdFyD+0NKGZ9OrDi1VXXS/6y3tH4DwlkLDpDqb2QsxunTDwoHlILQBu300nB2lUeGuGlp4/0FimFdiddlu2Ljq8vLh3wt+sz660RgfeaIcgWLSHtulyNIIQJ91wzzgbRADafFRCavVFvJALnIgeE+QDQa4ybLus0=,iv:T3xwELbHbqDszIkGs8BeJn9WV0LjagF1T+HLxCR/Aeo=,tag:NAIBPTRcnRtkGKhpWpe5Pw==,type:str]
+    lastmodified: "2024-09-17T12:35:12Z"
+    mac: ENC[AES256_GCM,data:ji+KDLN/7nQG448ZMxOFCuCTrzwnn00xbey84itd2cHpGP3oWYCFDWqdMg18C7koZ8eVtudgi3v6++bYLunAMONcvVwqconiEgEy17GKMzaladkEVDzSTRLipbcby/k4VYzS+iBP02eEn1gHYaNWTeIN/8X+42kIdhq3Itx44fU=,iv:X72KO/yNE1RI8lSPEc5llmCUuO0bZrtD4kizHf4dnzA=,tag:jZOIX1hhF1yfy7U8f47/VA==,type:str]
     pgp:
         - created_at: "2024-01-31T01:20:03Z"
           enc: |-
@@ -31,4 +32,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
diff --git a/hosts/magnesium/services/default.nix b/hosts/magnesium/services/default.nix
index 0fd2a7f..9737c6c 100644
--- a/hosts/magnesium/services/default.nix
+++ b/hosts/magnesium/services/default.nix
@@ -1,6 +1,7 @@
 {
   imports = [
     ./coturn.nix
+    ./forgejo.nix
     ./gitlab-runner.nix
     ./mosquitto.nix
     ./public-ip-tunnel.nix
diff --git a/hosts/magnesium/services/forgejo.nix b/hosts/magnesium/services/forgejo.nix
new file mode 100644
index 0000000..98042a7
--- /dev/null
+++ b/hosts/magnesium/services/forgejo.nix
@@ -0,0 +1,68 @@
+args@{ config, custom-utils, ... }:
+let
+  domain = "git.jalr.de";
+  cfg = config.services.forgejo;
+  ports = import ../ports.nix args;
+in
+{
+  sops.secrets.forgejo-mail = {
+    owner = cfg.user;
+    sopsFile = ../secrets.yaml;
+  };
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    mailerPasswordFile = config.sops.secrets.forgejo-mail.path;
+    settings = {
+      DEFAULT.APP_NAME = "jalr's git";
+      avatar.DISABLE_GRAVATAR = true;
+      mailer = {
+        ENABLED = true;
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "hha.jalr.de";
+        FROM = "git@jalr.de";
+        USER = "git@jalr.de";
+      };
+      server = {
+        DOMAIN = domain;
+        PROTOCOL = "http+unix";
+        ROOT_URL = "https://${domain}/";
+
+        DISABLE_ROUTER_LOG = true;
+        OFFLINE_MODE = true;
+
+        BUILTIN_SSH_SERVER_USER = "git";
+        START_SSH_SERVER = true;
+        SSH_PORT = ports.forgejo-ssh.tcp;
+        SSH_SERVER_HOST_KEYS = "ssh/forgejo.ed25519";
+      };
+      service = {
+        DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        ENABLE_NOTIFY_MAIL = false;
+        REGISTER_MANUAL_CONFIRM = true;
+        DISABLE_REGISTRATION = true;
+      };
+      session = {
+        PROVIDER = "file";
+        COOKIE_SECURE = true;
+      };
+      log.level = "Warn";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ cfg.settings.server.SSH_PORT ];
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://unix:/run/forgejo/forgejo.sock";
+    };
+
+    extraConfig = ''
+      client_max_body_size 1G;
+    '';
+  };
+}
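Review bot: The `locations."/"` block proxies to the unix socket without forwarding any client headers, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere on this host, Forgejo sees every request as originating from the socket with no client address or scheme; failed logins then cannot be attributed to a source IP, and any fail2ban rule or Forgejo-side rate limit keyed on the client address has nothing to act on. Combined with `DISABLE_ROUTER_LOG = true` and `log.level = "Warn"`, this leaves very little record of authentication attempts against a publicly reachable host that also exposes its own SSH server on `forgejo-ssh.tcp`. I would add `recommendedProxySettings = true;` next to `proxyPass` in the location block, and I would keep the router log enabled at least until the instance has been running behind real traffic for a while. `session.COOKIE_SECURE = true` is consistent with the https `ROOT_URL` and `forceSSL = true`, so that part looks right.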