diff --git a/.sops.yaml b/.sops.yaml
index 0251fcc..f283a56 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,9 +6,10 @@ keys:
 - &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06
 # microvms
 - &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8
- - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+ - &forgejo age1gknaqevzuq7dtqalng3547w5qflk9a0kugymea5h54eg6twu43pqpkr4zt
 - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
 - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
+ - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
 creation_rules:
 - path_regex: hosts/toaster/[^/]+\.yaml$
 key_groups:
@@ -52,3 +53,9 @@ creation_rules:
 - *admin_oxa
 age:
 - *miniflux
+ - path_regex: hosts/forgejo/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *forgejo
diff --git a/flake.nix b/flake.nix
index 541db86..e7ae1b4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,6 +64,7 @@ let
 microvm-list = [
 "auth"
+ "forgejo"
 "immich"
 "miniflux"
 "radicale"
diff --git a/hosts/forgejo/default.nix b/hosts/forgejo/default.nix
new file mode 100644
index 0000000..7e983f1
--- /dev/null
+++ b/hosts/forgejo/default.nix
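Review bot: The new creation rule `- path_regex: hosts/forgejo/[^/]+\.yaml$` in the second `.sops.yaml` hunk is unanchored at the start, so it also matches any deeper path that ends in `hosts/forgejo/<name>.yaml`; the existing toaster rule has the same shape, so this is consistent, but `^hosts/forgejo/[^/]+\.yaml$` would pin it if that is the intent. The rule grants the `*forgejo` age recipient added in the first hunk access alongside `*admin_oxa`, yet no `hosts/forgejo/*.yaml` secrets file is part of this diff and the sops options in `hosts/forgejo/default.nix` are commented out, so the rule appears to be prepared for a later change; a one-line comment on the rule saying so would help the next reader. The `creation_rules` list that the second hunk extends begins outside the hunk.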
@@ -0,0 +1,77 @@
+ { config, lib, ... }:
+ let
+ mac = "02:00:00:00:00:04";
+ in
+ {
+ # imports = [
+ # ./forgejo.nix
+ # ];
+ # sops.defaultSopsFile = ./secrets.yaml;
+ # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ # sops.secrets = {
+ # "wg/0xa-proxy" = {
+ # owner = config.users.users.systemd-network.name;
+ # };
+ # };
+
+ microvm = {
+ hypervisor = "qemu";
+ mem = 3 * 1024;
+ vcpu = 2;
+ interfaces = [
+ {
+ type = "tap";
+ id = "uvm-forgejo";
+ mac = mac;
+ }
+ ];
+ shares =
+ [
+ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }
+ ]
+ ++ map
+ (dir: {
+ source = dir;
+ mountPoint = "/${dir}";
+ tag = dir;
+ proto = "virtiofs";
+ socket = "${dir}.socket";
+ })
+ [
+ "etc"
+ "var"
+ "home"
+ ];
+ };
+
+ networking.useNetworkd = true;
+ networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+ systemd.network = {
+ enable = true;
+ networks."11-host" = {
+ matchConfig.MACAddress = mac;
+ networkConfig = {
+ Address = "10.99.99.14/24";
+ DHCP = "no";
+ };
+ routes = [
+ {
+ Gateway = "10.99.99.1";
+ Destination = "0.0.0.0/0";
+ Metric = 1024;
+ }
+ ];
+ };
+ };
+
+ networking.hostName = "forgejo";
+ system.stateVersion = "24.11";
+ }
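Review bot: The `imports = [ ./forgejo.nix ];` line and the whole `sops.*` block at the top of the new file are commented out rather than absent, so the VM this commit adds boots with networking but no Forgejo service and no secret decryption, while `.sops.yaml` already lists its age recipient. If this is an intentional staged rollout, a line such as `# TODO: enable once ./forgejo.nix and secrets.yaml are added` above the block would say so; otherwise the dead configuration should be dropped or enabled. `networking.firewall.enable = lib.mkForce false; # firewalling done by the host` depends on host-side rules that are not part of this diff, as do the `uvm-forgejo` tap and the static `10.99.99.14/24` / `02:00:00:00:00:04` assignment, so please confirm the host configuration for this VM lands in a companion commit and that neither value collides with the other entries in `microvm-list`.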