diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix
index 4e019e7..1e85c02 100644
--- a/hosts/astral/default.nix
+++ b/hosts/astral/default.nix
@@ -1,10 +1,12 @@
-{ modulesPath, nixosModules, agenix, lib, pkgs, config, ... }: {
+{ modulesPath, nixosModules, agenix, lib, pkgs, ... }: {
 imports = [
 "${modulesPath}/virtualisation/amazon-image.nix"
 nixosModules.nano
 nixosModules.nettika
 nixosModules.promptmoji
 agenix.nixosModules.default
+ ./forgejo.nix
+ ./vaultwarden.nix
 ];
 boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
@@ -26,8 +28,6 @@
 firewall.allowedTCPPorts = [ 80 443 ];
 };
- age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;
-
 users.defaultUserShell = pkgs.fish;
 security.sudo.wheelNeedsPassword = false;
@@ -39,27 +39,10 @@
 respond "astral is online"
 header Strict-Transport-Security: "max-age=63072000; includeSubDomains"
 '';
- "vault.leaf.ninja".extraConfig = ''
- reverse_proxy localhost:8222
- '';
 };
 };
- services.vaultwarden = {
- enable = true;
- config = {
- domain = "https://vault.leaf.ninja";
- signupsAllowed = false;
- rocketAddress = "0.0.0.0";
- rocketPort = 8222;
- smtpHost = "smtp.migadu.com";
- smtpFrom = "vaultwarden@leaf.ninja";
- smtpPort = 587;
- smtpSecurity = "starttls";
- smtpUsername = "vaultwarden@leaf.ninja";
- };
- environmentFile = config.age.secrets.vaultwarden-env.path;
- };
+ services.postgresql.enable = true;
 programs.fish.enable = true;
diff --git a/hosts/astral/forgejo.nix b/hosts/astral/forgejo.nix
new file mode 100644
index 0000000..8c29daf
--- /dev/null
+++ b/hosts/astral/forgejo.nix
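Review bot: `services.postgresql.enable = true;` lands in default.nix although forgejo.nix is the only thing in this commit that needs PostgreSQL (`database.type = "postgres"`), so the database dependency is now split from the service that uses it; moving the line into forgejo.nix next to `services.forgejo` would keep them together, and I believe the NixOS forgejo module already sets `services.postgresql.enable = lib.mkDefault true` when `database.createDatabase` is left at its default, which would make the line redundant anyway. Nothing pins `services.postgresql.package`, so as far as I recall the server major version follows `system.stateVersion`; if that is ever bumped, the existing data directory stops being readable by the newer server, so a comment or an explicit package pin next to this line would help whoever upgrades the host. The attribute set this hunk edits opens in the first hunk and closes after this one.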
@@ -0,0 +1,36 @@
+{ config, ... }:
+let domain = "git.leaf.ninja";
+in {
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_PORT = 3000;
+ };
+ service.DISABLE_REGISTRATION = true;
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "smtp.migadu.com";
+ FROM = "forgejo@leaf.ninja";
+ USER = "forgejo@$leaf.ninja";
+ };
+ };
+ secrets = {
+ mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
+ };
+ };
+
+ services.caddy.virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy localhost:3000
+ '';
+
+ age.secrets.forgejo-mailer-password = {
+ file = ./secrets/forgejo-mailer-password.age;
+ mode = "400";
+ owner = "forgejo";
+ };
+}
diff --git a/hosts/astral/secrets/forgejo-mailer-password.age b/hosts/astral/secrets/forgejo-mailer-password.age
new file mode 100644
index 0000000..411e34a
--- /dev/null
+++ b/hosts/astral/secrets/forgejo-mailer-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 f+PJrQ 6h8dfxbHOBbyTK6iwzbqVpUUYJtJhg6XMAoRWDhbdT8
+kZSsccA4qkiTS8wNdZphZ9cioiFbXjR4xkVZBi1j0aM
+-> ssh-ed25519 nz/vnw Q+BuraNFun6RwcLPFcKcjBptgpZdddI+hQP2UVKFJmA
+WJNvdIDTDBXbaXYw7gom7YQTTNrxlsP1EvTDNN5G9+0
+--- a6gvFS7YixX30i1Jm04vrwzq3Xh9iXufdnZMnPPI+Mw
+ÒÍÔ‡]‡¤h6µ+„2xDŸ ÇUŸãZºâeAzêÿ³DkÔLÇ;½†Iª ê/Œæ'®éøï4nL»T<4Ó}iãÁí _ÛÝ‹à 
\ No newline at end of file
diff --git a/hosts/astral/vaultwarden.nix b/hosts/astral/vaultwarden.nix
new file mode 100644
index 0000000..1041d65
--- /dev/null
+++ b/hosts/astral/vaultwarden.nix
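Review bot: `USER = "forgejo@$leaf.ninja";` in the mailer block carries a stray `$`; Nix only interpolates `${…}`, so the literal username `forgejo@$leaf.ninja` is what gets sent to smtp.migadu.com and SMTP authentication will fail. It should read `USER = "forgejo@leaf.ninja";`, matching `FROM` on the line above. The mailer block also sets neither `PROTOCOL` nor `SMTP_PORT`, whereas the vaultwarden config in this same commit spells out port 587 with STARTTLS; please confirm Forgejo's defaults negotiate TLS to this host rather than submitting the credential over a plaintext session, and consider making it explicit so the two services agree. Separately, Forgejo's `HTTP_ADDR` defaults to `0.0.0.0` unless the NixOS module overrides it, while only Caddy's `reverse_proxy localhost:3000` needs to reach the backend and the host firewall (default.nix) opens just 80 and 443; adding `HTTP_ADDR = "127.0.0.1";` under `server` keeps the unauthenticated, non-TLS backend off the public interface as defense in depth.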
@@ -0,0 +1,25 @@
+{ config, ... }:
+let domain = "vault.leaf.ninja";
+in {
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ domain = "https://${domain}";
+ signupsAllowed = false;
+ rocketAddress = "0.0.0.0";
+ rocketPort = 8222;
+ smtpHost = "smtp.migadu.com";
+ smtpFrom = "vaultwarden@leaf.ninja";
+ smtpPort = 587;
+ smtpSecurity = "starttls";
+ smtpUsername = "vaultwarden@leaf.ninja";
+ };
+ environmentFile = config.age.secrets.vaultwarden-env.path;
+ };
+
+ services.caddy.virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy localhost:8222
+ '';
+
+ age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;
+}
diff --git a/secrets.nix b/secrets.nix
index 48f0c4b..1d322d3 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,4 +11,6 @@ in {
 "hosts/quasar/secrets/matrix-synapse-secrets.age".publicKeys = [ marauder quasar ];
 "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ];
+ "hosts/astral/secrets/forgejo-mailer-password.age".publicKeys =
+ [ marauder astral ];
 }
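Review bot: `rocketAddress = "0.0.0.0";` binds vaultwarden on every interface even though the only consumer is Caddy's `reverse_proxy localhost:8222` in this same file; `rocketAddress = "127.0.0.1";` would keep the non-TLS backend off the public interface, so the host firewall (which opens only 80 and 443 in default.nix) is not the single control between the internet and the unproxied port. The config was moved verbatim from default.nix, so this is pre-existing, but the new file is the natural place to tighten it. The `age.secrets.vaultwarden-env.file` line sets no `owner` or `mode`, unlike the forgejo secret in this commit; I believe that is deliberate because systemd reads `EnvironmentFile` as root before dropping privileges, and a short comment such as `# consumed by systemd via EnvironmentFile; agenix's root-only default is sufficient` would stop the next reader from "fixing" it to match forgejo.nix.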