diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
new file mode 100644
index 0000000..fb7a8d0
--- /dev/null
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -0,0 +1,94 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: {
+ age.secrets.forgejo-database-password = {
+ file = "${flake.self}/secrets/forgejo-database-password.age";
+ mode = "600";
+ owner = "gitea";
+ };
+
+ age.secrets.forgejo-mailer-password = {
+ file = "${flake.self}/secrets/forgejo-mailer-password.age";
+ mode = "600";
+ owner = "gitea";
+ };
+
+ services.nginx.virtualHosts."git.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/user/login".extraConfig = ''
+ return 302 /user/oauth2/keycloak;
+ '';
+
+ locations."/".proxyPass = "http://localhost:3000";
+ };
+
+ services.gitea = {
+ enable = true;
+ package = pkgs.forgejo;
+ appName = "pub.solar git server";
+ database = {
+ type = "postgres";
+ passwordFile = config.age.secrets.forgejo-database-password.path;
+ };
+ stateDir = "/var/lib/forgejo";
+ lfs.enable = true;
+ mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+ settings = {
+ server = {
+ ROOT_URL = "https://git.pub.solar";
+ DOMAIN = "git.pub.solar";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "mx2.greenbaum.cloud";
+ SMTP_PORT = 465;
+ FROM = ''"pub.solar git server" '';
+ USER = "admins@pub.solar";
+ };
+ "repository.signing" = {
+ SIGNING_KEY = "default";
+ MERGES = "always";
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
+ # uncomment after initial deployment, first user is admin user
+ # required to setup SSO (oauth openid-connect, keycloak auth provider)
+ service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ service.ENABLE_NOTIFY_MAIL = true;
+ session.COOKIE_SECURE = lib.mkForce true;
+ };
+ };
+
+ # See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
+ # Required for gitea server side gpg signatures
+ # configured/setup manually in:
+ # /var/lib/gitea/data/home/.gitconfig
+ # /var/lib/gitea/data/home/.gnupg/
+ # sudo su gitea
+ # export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
+ # gpg --quick-gen-key 'pub.solar gitea ' ed25519
+ # TODO: implement declarative GPG key generation and
+ # gitea gitconfig
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryFlavor = "curses";
+ };
+ # Required to make gpg work without a graphical environment?
+ # otherwise generating a new gpg key fails with this error:
+ # gpg: agent_genkey failed: No pinentry
+ # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
+ environment.variables = {
+ GPG_TTY = "$(tty)";
+ };
+}
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 603f93a..5ee4ba9 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -17,5 +17,6 @@
 ./apps/mastodon.nix
 ./apps/opensearch.nix
 ./apps/postgresql.nix
+ ./apps/forgejo.nix
 ];
 }
diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age
new file mode 100644
index 0000000..54f6e4f
--- /dev/null
+++ b/secrets/forgejo-database-password.age
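Review bot: `ENABLE_OPENID_SIGNUP = true` combined with `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` appears to leave self-registration open to anyone holding an identity at an arbitrary OpenID 2.0 provider, because the nginx `return 302 /user/oauth2/keycloak` only hides the `/user/login` form and does not block `/user/login/openid` or `/user/sign_up`; if the intent is Keycloak-only SSO, set `ENABLE_OPENID_SIGNUP = false;` (or pin allowed providers with `openid.WHITELISTED_URIS`) and consider also redirecting `/user/sign_up`. The comment `uncomment after initial deployment, first user is admin user` sits above a `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` line that is already active, so on a fresh deploy the first admin presumably has to be created via the forgejo CLI rather than the web form — either comment the line out for the initial rollout or reword the comment to describe the CLI step. The manual GPG setup comments reference `/var/lib/gitea/data/home/.gitconfig` and `/var/lib/gitea/data/home/.gnupg`, but `stateDir = "/var/lib/forgejo"` places the service home under `/var/lib/forgejo/data/home`, so the documented paths (and the `export GNUPGHOME=` line) should point there. Finally, `proxyPass = "http://localhost:3000"` while forgejo binds `HTTP_ADDR = "127.0.0.1"` can make nginx try `::1` first on dual-stack hosts and produce intermittent 502s; `locations."/".proxyPass = "http://127.0.0.1:3000";` avoids the mismatch.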
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg RIy4MC1iLzjOVc1ENd8Hic3b6yVsey1jGKKfpH5QznI +jCdBc7BcfAa0/BxN40P9neRJcRyz/mbXCHkQZ98MjqI +-> ssh-ed25519 uYcDNw bmxhArWdUbbC2zCb1FQmtz5UXBKM9nYdGnmRQNVjsiY +IUsRWcBZf2HJpibhqaqBUGTaOTL865Y2ZR2ZM8Ocmr0 +-> ssh-rsa kFDS0A +XuCHi1ekeI+EG3JpNpze/XZWImIFHd4itCzjxApHINBdUqRA7yqVq1k557GcXU3S +dSW4Li2yQaGTDfWYbks5gyOxHjJ75mQ+McnzROdMuMTNYYpTs5CDmGUKDs7Fp86l +/YLfoo/hYd7/sKObJLSC/STEk/ObAxDNIe2eEK+esbAlBC0Lym9mi/vtuY8WzWAY +dsPvGk6497ap5lcZiLiJRChqumYSoTryKAMAvfiTtytcNCFh7hWnw5DFKcA/vlkx +cGDrM99itWtEO01oWA6SAVL6JfpWyjpQZqEKt3f3U0xsJbLUXEEiH+kUWpros6Nk +PJKVR2mcW3DiBKpR2QJDIkXJ5tUWzDn9Dgw54NniF2D91xs3MzQuvScrfb+/XR6H +Xc9BiytdOP/WW3PnvAu2jfMzXJlmlUJTQTWYRZs5tp8daKFN7MP3cIMwx/r+qc+o +JbqFxOewnNO0hEwfwYPCFnMEam8rmRmU8GI1RiBAGpQbBv02ihX4U5eWuLXrpmHK +0VOgkesWsAOHpV+tRJ3cxA8t/pjIWmN0nccRz+qz/1Ec6O5circBneVBgJow/MKh +M0f0b+HPr+ld0z4FA7rDESGhgQHEsyU9UUWU8U++Mdh64c/mRMCnYokoemve0w1G +9cJjR0rcknDgo+KQutinh3pTqbvYrtfP4iuzWBd8LV8 +-> ssh-ed25519 YFSOsg m6r2ew7bjrpbA0QMs7O5MhSm0UpKCWHEJTlwm384MxI +a/mnaNz14aFuZCtcq46ANVydKRJw0e61N5e+kGGkuYQ +-> ssh-ed25519 iHV63A MQu2VYkY/Cs5bhYe95wpdlpLfe/lHwhk60WA9EgN3wc +gbZyVF9l0W8+BO59ddsZ7c+VgzdPkNbq9U9oG0Kjebo +-> ssh-ed25519 BVsyTA XWMWR2qUI1KFhcZxGgxuWOq+DLrTwHvEpI7xee/GD3I +jVckHGgjXWlz0kvad6EDZ1vDrXGjBM2dxT5qJswX2Kc +-> W},tK-grease +4P6Gr7nsS9raE/XVkCkDawtWkS7a3o7r7tXe9w +--- de3b3x+RtRpsIBf3Sh72AydLgEHUcGeRvoDE0rPFZ2o +ZË8æö¾€pM£¿Aúʨ$Ë[’ùÙË󥟂<íøýt£ÊIOr›Öq™½oÛñ»ácÐeî,œ;MK_¯©¦ž3-ÓíߘõÀ§£é\RQ&ÀžGá’·®ÅR} \ No newline at end of file diff --git a/secrets/forgejo-mailer-password.age b/secrets/forgejo-mailer-password.age new file mode 100644 index 0000000..fd4a5c1 --- /dev/null +++ b/secrets/forgejo-mailer-password.age 
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg qOInns0pyNkaFNGoodX1QrRCSRDL5ncmJWSyDxCo7Rc +8mJO69rBO8IaVRYG94hidY6MU7UEn+ENejdHOkzn7h8 +-> ssh-ed25519 uYcDNw FdZ8Z50hcHrRVuBC7HPnVPNdnJgyudepe/smnTkcmzg +ELojSvwv3K6YVLXEAmjoQxt5szvs68oRZ9fZ+QcaVEU +-> ssh-rsa kFDS0A +cbDwTYbZf9SZJ4SmjdBD7hSWMZWi87KUbAHTS2snWi1wjf0m5KngbdlWVcTOgwE5 +Gnn1m9cZKx6z7s/AUsPRRQizoYsUY91osPmc7lNVZ8mjJ6ztLhX1JhAy3PobmxDi +BI3WsZtMpL+JihSE1DfJ05dkY/tWYZu/yXDmaig/E54YsuyXeATikm/IzxbSXDDT +crSOE2YVS0+GjhEfJft6ckw9YdbzqjoXwdutrzQWdivvXU17xH11cM3xC579OUNF +c+EobYRjCfzsk27vFGxieV+0mAmJSM5V5mBQ9VBaqDiZ43gI5enCIVJIkK36f4P3 +lt9PQ9UmWJ8RPQis+Aaq5Ld5y8aVho16BQjCqDzsRoFTalVNYa5ElrB2nuJPYQIw +DV9Hj3R2wG4IZSIEq5WnLtk7Gda2x4VlfdlMhGXixPJ0xjYKWg8Sj0qlmCAVqqEc +QyWpVFEu1ogk8Gw2jQK6TvrxUT94UAyEBwqBbumqaB3JfsnDaxbFlLG1wWr10nXh +axplDvM7tuU5RvjPGSwUezkryfn8SjEod+04rQRLhe9JMD5C33JBI1p5JNi2ZAB/ +SyujIVCh+DRzq9IjMYCgCYmYp5P7pJlk+GZCeeMSbvf2d45mX1P2D6PrCm8uSL8m +Fw7mOliDyBGPizpQ2lOJaL1q4A5KGjAaRVuRJSaNlBg +-> ssh-ed25519 YFSOsg c3VN03glwExVKBi83ftg6jNZ2Yzx4PGmRiQOpgQl9AI +sKrGt7U5XwNkyydwmXBxPvHwKloY6V/mn+5ipq2GYZo +-> ssh-ed25519 iHV63A mH5q5q6ZPlddNsil1NjVLcT2gIxh+PlhA6JT9HBD/VE +O9OxtyCtIhNMFMUPCyPL4ycT75t/g1nvli6XXVifXGo +-> ssh-ed25519 BVsyTA iPdUjSRVamrCzUJVhpzMyUhyxHisRofkKswvCb/qUCo +Z5UOndKbp5GPIzxB4xsNlGqC30dnMx557n07NkS3aOk +-> fqFqA!-grease >^roC?oN +kKQNtgmcdmj4h1fFB4Fse21BfLrq73SdIZ/cyD1qxBR8VUtIPReLpiYJSm30Eg +--- mUQvto08o1xaSIbSE+zi9IPCIuZZF5G9xlwKUApylMY +6M€£ú‡‚ÆçU܈GWR"*#¶BwøK`ÈÀÈŒtèsoga‘3ržœñ_ÃT9š™ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 63a57f8..c988a21 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -34,4 +34,8 @@ in { "mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; "keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; + + "forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; + + "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys; }