diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index e4ec094..325cf69 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -4,8 +4,10 @@
   imports = with lib.custom; [
     (relativeToBase "modules")
     ./boot.nix
+    ./forgejo.nix
     ./hardware.nix
     ./nextcloud.nix
+    ./podman.nix
     ./security
   ];
 }
diff --git a/hosts/pi4/forgejo.nix b/hosts/pi4/forgejo.nix
new file mode 100644
index 0000000..4f67bf3
--- /dev/null
+++ b/hosts/pi4/forgejo.nix
@@ -0,0 +1,81 @@
+{
+  config,
+  pkgs,
+  lib,
+  common,
+  ...
+}:
+let
+  domain = "beta.code.${common.domain}";
+  passwordKey = "forgejo/admin-pass";
+  runnerTokenKey = "forgejo/runner-token";
+in
+{
+  services = {
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = domain;
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${domain}/";
+          HTTP_PORT = 8002;
+        };
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        # Sending emails is completely optional
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        mailer = {
+          ENABLED = true;
+          SMTP_ADDR = "mail.${common.domain}";
+          FROM = "noreply-forgejo@${common.domain}";
+          USER = "noreply@${common.domain}";
+        };
+      };
+      #mailerPasswordFile = config.sops.secrets."forgejo/mailer-password".path;
+    };
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://${domain}";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
+        labels = [
+          "docker:docker://node:20-bullseye"
+          "native:host"
+        ];
+      };
+    };
+  };
+
+  sops.secrets = {
+    ${passwordKey}.owner = "forgejo";
+    ${runnerTokenKey}.owner = "forgejo";
+  };
+
+  # Create a single admin user / update password if exists
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+      pwd = config.sops.secrets.${passwordKey};
+      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
+      email = "git@${common.domain}";
+    in
+    ''
+      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user
+      ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+    '';
+}
diff --git a/hosts/pi4/podman.nix b/hosts/pi4/podman.nix
new file mode 100644
index 0000000..3bf1c51
--- /dev/null
+++ b/hosts/pi4/podman.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+  virtualisation = {
+    # Enable common container config files in /etc/containers
+    containers.enable = true;
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
index 2dd4638..2e97795 100644
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@@ -1,41 +1,40 @@
+forgejo:
+    admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
+    #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
+    runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 nextcloud:
-  admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
+    admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
 sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
-  age:
-    - recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMHl6emFJdE4rVGduT2V1
-        Y1hFdlRxVHJ1NlV0R2JRZm5SMVVzVmpRQlM0CjhUN0dqajNpQXg4a29Ca1VLMDJ1
-        UmpsMFRJd254TlpGNzdDV2ZQTU9icDAKLS0tIG0wSVppUmU5TVdlMHhsQ3pMNDhJ
-        TFkrWitpb3h3UDhFNUN5Yi80YXlLbjQKxdG0m3CZ+elvzSNC9+aD15AOejkT5hJR
-        hhjtn+aUF8JvAIgggLqE1qU1XYIkbzk5//TWz5FaKeszinv9x8plvA==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRGNSYjM2Qkx5M294QWVS
-        ZkJzR0VuTzdOR1FIc2c2bWx0akVPZVB0T1hvCmxuMjZWWlVmSUhKUys0QlMxMDV3
-        ZCt1ZjJNZlV5K0Zpd3NGcldhWDFDcjgKLS0tIG9mSHA1Um5Hb2NtVm5XRFdvVHVT
-        NHp1WThrcU1hOEI5RExCbVlnV2VYNlEKV4DSgHYs/zhF34h14RX2rvVXNo2uxCpD
-        uUiwU4and1T5Q09MOjqdbs2e7QM+VjKB4P/w34KkcqXTkJeR/IBF/g==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1c3p0N0c2RGJZMmxzcUgw
-        bHZhcnlnWlczSGJRMVJRNitqVmV6YThIRWlBCitWUzVCN25JbzhJeG9haEVORUk5
-        QmhIc0R0c0diNmNPc0dYM2YyNVdScVUKLS0tIG1waU1QYXNVMXU4bC9rNUxwUDIz
-        SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
-        YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-05-27T17:56:45Z"
-  mac: ENC[AES256_GCM,data:rXUdrKF4qcuKkk9QASAti2yk+mWLRPzqHPLV85P1nJBoqa6bnLaEoWwfclwr2riTeLjK8ASRHGzi9xiY9867+lhui7+nd0ISBPZlRKTxfXNddBNMqSh+MguJ9e02mTm6OpbSVlovT5NPLiJcQyTodtI5Cvkc0LU5v8yCwRF98jI=,iv:TCSHdf4Y9QPOFNOVjKL3vro65C9SEUhSSNFXNYchzmk=,tag:wGbBdQwPXO30ymyhtAguYg==,type:str]
-  pgp: []
-  unencrypted_suffix: _unencrypted
-  version: 3.9.4
+    age:
+        - recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMHl6emFJdE4rVGduT2V1
+            Y1hFdlRxVHJ1NlV0R2JRZm5SMVVzVmpRQlM0CjhUN0dqajNpQXg4a29Ca1VLMDJ1
+            UmpsMFRJd254TlpGNzdDV2ZQTU9icDAKLS0tIG0wSVppUmU5TVdlMHhsQ3pMNDhJ
+            TFkrWitpb3h3UDhFNUN5Yi80YXlLbjQKxdG0m3CZ+elvzSNC9+aD15AOejkT5hJR
+            hhjtn+aUF8JvAIgggLqE1qU1XYIkbzk5//TWz5FaKeszinv9x8plvA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRGNSYjM2Qkx5M294QWVS
+            ZkJzR0VuTzdOR1FIc2c2bWx0akVPZVB0T1hvCmxuMjZWWlVmSUhKUys0QlMxMDV3
+            ZCt1ZjJNZlV5K0Zpd3NGcldhWDFDcjgKLS0tIG9mSHA1Um5Hb2NtVm5XRFdvVHVT
+            NHp1WThrcU1hOEI5RExCbVlnV2VYNlEKV4DSgHYs/zhF34h14RX2rvVXNo2uxCpD
+            uUiwU4and1T5Q09MOjqdbs2e7QM+VjKB4P/w34KkcqXTkJeR/IBF/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1c3p0N0c2RGJZMmxzcUgw
+            bHZhcnlnWlczSGJRMVJRNitqVmV6YThIRWlBCitWUzVCN25JbzhJeG9haEVORUk5
+            QmhIc0R0c0diNmNPc0dYM2YyNVdScVUKLS0tIG1waU1QYXNVMXU4bC9rNUxwUDIz
+            SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
+            YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-31T15:36:05Z"
+    mac: ENC[AES256_GCM,data:Um09D7CR5+c4L6bTdRvz1Cy5qHthlKfLfH6k9Z2NTuD2QY9Ua4kXV8byvXiP+GrrKgzV11c0a3Hk7zaQoutXmwatnaOJRT9EH3FIEADLGAFwbsSAgV7ZJ+oamZnIw/XSW/LGpwvPrX5gaTnc7jJJ3V3+tWqgBUmL4wNb2SigglM=,iv:wAXaPUs20wqh7cn8ZmFI7XLlaOYLkjtcVRm1sosO9U4=,tag:FwfNbEf+YoQBHsYBw5k6mw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2