diff --git a/hosts/hetzner-arm/containers/forgejo/default.nix b/hosts/hetzner-arm/containers/forgejo/default.nix
new file mode 100644
index 0000000..3ee3e67
--- /dev/null
+++ b/hosts/hetzner-arm/containers/forgejo/default.nix
@@ -0,0 +1,71 @@
+{
+ self,
+ hostPath,
+ tree,
+ inputs,
+ pkgs,
+ config,
+ ...
+}: let
+ containerName = "forgejo";
+
+ containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+
+ hostIP = containerAddresses.host;
+ containerIP = containerAddresses.containers.${containerName};
+
+ pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
+in {
+ containers.forgejo = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostIP;
+ localAddress = containerIP;
+
+ specialArgs = {
+ inherit inputs;
+ inherit tree;
+ inherit self;
+ inherit hostPath;
+ };
+
+ config = {...}: {
+ nixpkgs.pkgs = pkgs;
+
+ imports = with tree;
+ [
+ presets.nixos.containerBase
+ profiles.sshd
+ profiles.firewallAllow.ssh
+ ]
+ ++ (with hosts.hetzner-arm.containers.forgejo; [
+ profiles.forgejo
+ ]);
+
+ networking.firewall.allowedTCPPorts = [2222];
+
+ home-manager.users.root.home.stateVersion = "23.05";
+ system.stateVersion = "23.05";
+ };
+ };
+
+ networking = {
+ nat.forwardPorts = [
+ {
+ sourcePort = 2222;
+ destination = "${containerIP}\:2222";
+ }
+ ];
+
+ firewall.allowedTCPPorts = [2222];
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."forgejo.owo.monster" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:${pathInContainer "/var/sockets/forgejo.sock"}";
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
new file mode 100644
index 0000000..51ee95f
--- /dev/null
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
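Review bot: The nginx vhost for forgejo.owo.monster sets only `proxyPass`, so LFS uploads (the companion forgejo profile enables `lfs`) larger than nginx's request-body limit — the NixOS `services.nginx.clientMaxBodySize` default of 10m unless it is raised somewhere else in this host — are answered 413 before they reach Forgejo; add `locations."/".extraConfig = "client_max_body_size 512M;";` beside the proxyPass, or raise the global option. Unless `services.nginx.recommendedProxySettings` is enabled elsewhere, proxied requests also carry no `X-Forwarded-Proto`/`X-Real-IP`, so Forgejo's access log and any IP-based lockout would record nginx rather than the client — worth confirming in the host's nginx profile. Minor: in `"${containerIP}\:2222"` the `\:` escape is just `:`, so `destination = "${containerIP}:2222";` reads more clearly.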
@@ -0,0 +1,81 @@
+{pkgs, ...}: {
+ services.forgejo = {
+ enable = true;
+ database.type = "sqlite3";
+ lfs.enable = true;
+ settings = {
+ DEFAULT.APP_NAME = "chaos's Forgejo";
+ server = rec {
+ DOMAIN = "forgejo.owo.monster";
+ ROOT_URL = "https://${DOMAIN}";
+ # Can't access /run out of container
+ HTTP_ADDR = "/var/sockets/forgejo.sock";
+ PROTOCOL = "http+unix";
+ START_SSH_SERVER = true;
+ SSH_PORT = 2222;
+ SSH_LISTEN_PORT = SSH_PORT;
+ OFFLINE_MODE = true;
+ ENABLE_GZIP = true;
+ };
+ repository = {
+ DISABLED_REPO_UNITS = "repo.ext_issues,repo.pulls,repo.wiki,repo.ext_wiki,repo.projects,repo.packages";
+ DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.actions";
+ };
+ ui = {
+ DEFAULT_THEME = "forgejo-dark";
+ };
+ "ui.meta" = {
+ AUTHOR = "chaos's Forgejo";
+ DESCRIPTION = "chaos's personal Forgejo instance";
+ KEYWORDS = "";
+ };
+ indexer = {
+ REPO_INDEXER_ENABLED = true;
+ };
+ security = {
+ #INSTALL_LOCK = false;
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ "ssh.minimum_key_sizes" = {
+ ECDSA = -1;
+ RSA = -1;
+ DSA = -1;
+ };
+ session = {
+ PROVIDER = "db";
+ };
+ oauth = {
+ ENABLE = false;
+ };
+ time = {
+ DEFAULT_UI_LOCATION = "Europe/London";
+ };
+ packages = {
+ ENABLE = false;
+ };
+ };
+
+ dump = {
+ enable = true;
+ interval = "hourly";
+ file = "forgejo-dump";
+ type = "tar.zst";
+ };
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "forgejo" ''
+ sudo -u forgejo ${pkgs.forgejo}/bin/gitea -w /var/lib/forgejo "$@"
+ '')
+ ];
+
+ systemd.services.forgejo.serviceConfig.ReadWritePaths = [
+ "/var/sockets"
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d /var/sockets - forgejo forgejo"
+ ];
+}
diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix
index 3d1cbe2..80264cc 100644
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
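Review bot: The `"ssh.minimum_key_sizes"` block with ECDSA, RSA and DSA all at -1 is easy to misread as "no minimum"; in that section -1 disables the key type, so this leaves ED25519 as the only user key type the built-in SSH server on 2222 accepts — a sound policy, but it deserves a comment such as `# -1 disables the type: only ED25519 user keys are accepted` so nobody later "relaxes" it into accepting weak RSA keys. The `forgejo` wrapper hard-codes `${pkgs.forgejo}/bin/gitea`; if `services.forgejo.package` is ever overridden the CLI would run a different build against the service's state directory, so `${config.services.forgejo.package}/bin/gitea` (adding `config` to the module arguments) keeps the two in step. The hourly `dump` appears to be written under the service's own state directory, so as written it is a same-volume copy rather than an off-host backup — worth a comment saying whether something else ships it off the machine.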
@@ -5,5 +5,6 @@
 social = "192.168.100.12";
 music = "192.168.100.13";
 quassel = "192.168.100.14";
+ forgejo = "192.168.100.15";
 };
 }
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index a1f6db3..2b9a3f1 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -27,6 +27,7 @@ in {
 "piped-db"
 "piped-fi"
 "mail"
+ "forgejo"
 ] (name: ./containers + "/${name}"))
 ++ (with hosts.hetzner-arm.profiles; [
 gitlabStaticSites