diff --git a/modules/forgejo.nix b/modules/forgejo.nix
new file mode 100644
index 0000000..f9e3175
--- /dev/null
+++ b/modules/forgejo.nix
@@ -0,0 +1,68 @@
+{ config, lib, ... }:
+let
+ cfg = import ./vars.nix;
+ service = "forgejo";
+ dbport = cfg."${service}".dbport;
+ domain = cfg."${service}".domain;
+ port = cfg."${service}".port;
+ sshport = cfg."${service}".sshport;
+in
+
+ {
+
+ imports = [
+ ./podman-postgresql.nix # for the database
+ ./nginx.nix # for the webserver
+ ];
+
+ sops.secrets."gitea/db" = {};
+
+ services.podman-postgresql."${service}" = {
+ enable = true;
+ image = "docker.io/library/postgres:17-alpine";
+ port = (lib.strings.toInt dbport);
+ passwordFile = config.sops.secrets."gitea/db".path;
+ };
+
+ virtualisation.oci-containers.containers."${service}" = {
+ image = "codeberg.org/forgejo/forgejo:10";
+ environment = {
+ TZ = "Europe/Berlin";
+ };
+ ports = [
+ "${port}:3000"
+ "${sshport}:22"
+ ];
+ volumes = [
+ "/var/lib/${service}:/data"
+ ];
+ extraOptions = cfg.podman.extraOptions;
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${port}";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ client_max_body_size 512M;
+ '';
+ };
+
+ };
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}_access.log;
+ error_log /var/log/nginx/${domain}_error.log;
+ '';
+
+ };
+
+ }
+# vim: set et ts=2 sw=2 ai:
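Review bot: The `ports` entry `"${port}:3000"` publishes the Forgejo HTTP port on every host interface (podman's default for an unqualified host port), so the web UI is reachable directly on plain HTTP and bypasses the `forceSSL` virtual host, the proxy headers and the access log configured further down; since `proxyPass` only ever talks to `localhost`, bind the mapping to loopback with `"127.0.0.1:${port}:3000"` and leave the SSH mapping as it is, because clients must reach port `${sshport}` directly. A host firewall may already narrow this, but nothing in the file shows one, and if `cfg.podman.extraOptions` switches the container to host networking the `ports` list is ignored altogether, which is worth a comment either way. The secret is declared as `sops.secrets."gitea/db"` while everything else is keyed by `service = "forgejo"`; either rename the key or add `# secret key intentionally kept as "gitea/db" to match the existing sops file` so the mismatch is not "fixed" by a later maintainer into a broken deployment. Consider also pinning `codeberg.org/forgejo/forgejo:10` and the postgres image by digest rather than a mutable tag, so a re-pull cannot silently swap the image under the same configuration.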