diff --git a/hosts/nidaros/default.nix b/hosts/nidaros/default.nix
index 4c861cf..8372b60 100644
--- a/hosts/nidaros/default.nix
+++ b/hosts/nidaros/default.nix
@@ -4,8 +4,10 @@
 imports = with lib.custom; [
 (relativeToBase "modules")
 ./boot.nix
+ ./forgejo.nix
 ./hardware.nix
 ./keycloak.nix
+ ./podman.nix
 ./postgres.nix
 ./security
 ];
diff --git a/hosts/nidaros/forgejo.nix b/hosts/nidaros/forgejo.nix
new file mode 100644
index 0000000..70ed2a6
--- /dev/null
+++ b/hosts/nidaros/forgejo.nix
@@ -0,0 +1,73 @@
+{
+ config,
+ pkgs,
+ lib,
+ common,
+ ...
+}:
+let
+ domain = "beta.code.${common.domain}";
+ passwordKey = "forgejo/admin-pass";
+ runnerTokenKey = "forgejo/runner-token";
+in
+{
+ services = {
+ forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = domain;
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${domain}/";
+ HTTP_PORT = 8002;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ # TODO set up mailer
+ };
+ };
+ gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "monolith";
+ url = "https://${domain}";
+ # Obtaining the path to the runner token file may differ
+ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
+ tokenFile = config.sops.secrets.${runnerTokenKey}.path;
+ labels = [
+ "docker:docker://node:22-bullseye"
+ "native:host"
+ ];
+ };
+ };
+ };
+
+ sops.secrets = {
+ ${passwordKey}.owner = "forgejo";
+ ${runnerTokenKey}.owner = "forgejo";
+ };
+
+ # Create a single admin user / update password if exists
+ systemd.services.forgejo.preStart =
+ let
+ adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+ pwd = config.sops.secrets.${passwordKey};
+ user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
+ email = "git@${common.domain}";
+ in
+ ''
+ ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+ ## Alter an existing user. Will prompt new password on login
+ # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+ '';
+}
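Review bot: The admin bootstrap in preStart hands the password to the CLI as an argument (`--password "$(tr -d '\n' < …)"`), so while that command runs the secret is visible to any local user through /proc/<pid>/cmdline, and the trailing `|| true` then hides every failure, not just the expected "user already exists", which can leave a host with no admin account while the unit reports success. If the Forgejo CLI in use can take the password from stdin or a file, prefer that; otherwise at least check for the user before calling `create` so the unconditional fallback can go. The comment promises to update the password if the user exists, but the `change-password` line is commented out, so rotating `forgejo/admin-pass` in sops changes nothing after first boot — either enable that line or change the comment to `# Create the admin user on first boot only; password rotation is manual`. The runner's `native:host` label lets any workflow in any repository execute unsandboxed on this host as the runner's user, and `node:22-bullseye` is a mutable tag — drop the native label unless a job needs it and pin the image by digest. Nothing here sets `server.HTTP_ADDR`, so the listener on 8002 likely binds all interfaces (including the podman bridge that job containers sit on); if a local reverse proxy fronts it, `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` keeps it off the network.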
diff --git a/hosts/nidaros/podman.nix b/hosts/nidaros/podman.nix
new file mode 100644
index 0000000..3bf1c51
--- /dev/null
+++ b/hosts/nidaros/podman.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+ virtualisation = {
+ # Enable common container config files in /etc/containers
+ containers.enable = true;
+ podman = {
+ enable = true;
+
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+
+ # Required for containers under podman-compose to be able to talk to each other.
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ };
+
+ # Useful other development tools
+ environment.systemPackages = with pkgs; [
+ podman-tui # status of containers in the terminal
+ podman-compose # start group of containers for dev
+ ];
+}
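Review bot: Enabling system podman with `dockerCompat` only installs a `docker` CLI alias; it does not expose a Docker-compatible API socket, so whether the runner's `docker://` label in forgejo.nix actually works depends on the gitea-actions-runner module wiring `DOCKER_HOST` to podman's socket itself — confirm that rather than assume it. If that socket is what the runner ends up using, access to it is root-equivalent on the host (this is rootful podman, not a per-user rootless instance), so jobs scheduled under the `docker:` label are not meaningfully more isolated from the host than `native:host` ones; a comment at `podman = {` such as `# Rootful podman: anything that can reach its API socket (e.g. the actions runner) has host-root-equivalent access` would record that trade-off. `dns_enabled` on the default network also lets job containers resolve and reach one another and the host, which matters if Forgejo's own listener or the database is reachable from that bridge. `podman-tui` and `podman-compose` are labelled as development tools; on a host that executes CI jobs for other people's repositories a line explaining why they belong on the server would help the next reader.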