diff --git a/flake.nix b/flake.nix
index 58787fe..1376e94 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,7 @@
 ./networking/vpn-host.nix
 ./services/jellyfin.nix
 ./services/site.nix
+ ./services/forgejo.nix
 {
 environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
 age.secrets.tailscale.file = ./tailscale.age;
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..35c99ce
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }: {
+ services.forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ ROOT_URL = "https://git.per-aspera.space";
+ HTTP_ADDR = "0.0.0.0";
+ HTTP_PORT = 3000;
+ SSH_DOMAIN = "git.per-aspera.space";
+ SSH_PORT = 2222;
+ };
+ service = { DISABLE_REGISTRATION = false; };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3000 2222 ];
+}
+
diff --git a/services/site.nix b/services/site.nix
index b3fb44d..0aa3848 100644
--- a/services/site.nix
+++ b/services/site.nix
@@ -7,6 +7,7 @@ let
 dnsRecords = [
 domain
 "jellyfin.${domain}"
+ "git.${domain}"
 # Add more records here as needed
 # "api.${domain}"
 # "mail.${domain}"
@@ -85,6 +86,18 @@ in {
 locations."/" = { proxyPass = "http://localhost:8096"; };
 };
+
+ virtualHosts."git.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = { proxyPass = "http://localhost:3000"; };
+ };
+
+ # Local git access to avoid NAT hairpinning
+ virtualHosts."git.homelab" = {
+ locations."/" = { proxyPass = "http://localhost:3000"; };
+ };
 };
 security.acme = {
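Review bot: In the new services/forgejo.nix, `HTTP_ADDR = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ 3000 2222 ]` makes Forgejo's plain-HTTP listener reachable directly, bypassing the TLS-terminating vhost that services/site.nix adds for `git.${domain}`. Since that vhost proxies to `http://localhost:3000`, bind with `HTTP_ADDR = "127.0.0.1";` and drop 3000 from the firewall list. `DISABLE_REGISTRATION = false` leaves sign-up open on an internet-facing instance; set it to `true` once the admin account exists, unless open registration is intended. `SSH_PORT` appears to set only the port advertised in clone URLs, so confirm that something actually listens on 2222 (for example via `START_SSH_SERVER` and `SSH_LISTEN_PORT`) before opening it. The `pkgs` argument is unused and can be dropped from the function head.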
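Review bot: In the second services/site.nix hunk, the `git.homelab` vhost has no `forceSSL` or certificate, so Forgejo logins, session cookies and HTTP git credentials sent to that name cross the LAN in cleartext. Forgejo will also keep generating links and clone URLs from `ROOT_URL = "https://git.per-aspera.space"`, so pages served under `git.homelab` point back at the public name. Either resolve `git.${domain}` to the internal address in local DNS so the TLS vhost is used internally too, or document the trade-off with a comment such as `# HTTP only (no ACME for .homelab): credentials travel unencrypted on the LAN`. The enclosing attribute set starts outside the hunk, so whether proxy headers and body-size limits are set globally for these `proxyPass` locations cannot be seen here.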