diff --git a/hosts/liminal/configuration.nix b/hosts/liminal/configuration.nix
index de7d9c9..d20e170 100644
--- a/hosts/liminal/configuration.nix
+++ b/hosts/liminal/configuration.nix
@@ -285,6 +285,7 @@
 clangStdenv
 cmake
 just
+ dtach
 ];
 };
 users.users.hunner = {
@@ -394,6 +395,7 @@
 bitwarden-desktop
 bitwarden-cli
 itch
+ dtach
 ];
 };
 systemd.user.services = {
@@ -534,8 +536,8 @@
 # services.openssh.enable = true;
 # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [ 8080 8081 8082 1234 4096 4747 ];
- networking.firewall.allowedUDPPorts = [ 8080 8081 8082 1234 4096 4747 ];
+ networking.firewall.allowedTCPPorts = [ 8080 8081 8082 1234 4096 ];
+ networking.firewall.allowedUDPPorts = [ 8080 8081 8082 1234 4096 ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
 systemd.services.upower.enable = true;
diff --git a/hosts/ruil/configuration.nix b/hosts/ruil/configuration.nix
index 046d857..5f9df53 100644
--- a/hosts/ruil/configuration.nix
+++ b/hosts/ruil/configuration.nix
@@ -5,6 +5,7 @@
 ./hardware-configuration.nix
 ./modules/vaultwarden.nix
 ./modules/etherpad-lite.nix
+ ./modules/forgejo.nix
 (modulesPath + "/virtualisation/digital-ocean-config.nix")
 ];
diff --git a/hosts/ruil/modules/forgejo.nix b/hosts/ruil/modules/forgejo.nix
new file mode 100644
index 0000000..0e655b4
--- /dev/null
+++ b/hosts/ruil/modules/forgejo.nix
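Review bot: In the `@@ -534,8 +536,8 @@` hunk of hosts/liminal/configuration.nix, the rewritten `allowedTCPPorts` and `allowedUDPPorts` lines still open 8080, 8081, 8082, 1234 and 4096 on every interface and on both protocols, with nothing saying which service owns each port. A comment above the two lists naming the listener behind each port (for example `# 8080-8082: <service>, 1234: <service>, 4096: <service>`) would let the next cleanup remove stale entries the way this commit removes 4747. The UDP list mirrors the TCP list exactly, which suggests it was copied rather than required; if none of these services speak UDP, `networking.firewall.allowedUDPPorts = [ ];` is the tighter setting. If the ports are only needed on a trusted network, `networking.firewall.interfaces.<name>.allowedTCPPorts` scopes them to one interface instead of all.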
@@ -0,0 +1,51 @@
+{ config, ... }:
+
+let
+ domain = "git.hunner.dev";
+ port = 3000;
+in
+{
+ services.forgejo = {
+ enable = true;
+ user = "git";
+ group = "git";
+ lfs.enable = true;
+
+ settings = {
+ DEFAULT.APP_NAME = domain;
+
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = port;
+ DISABLE_SSH = false;
+ SSH_DOMAIN = domain;
+ SSH_PORT = 22;
+ };
+
+ session.COOKIE_SECURE = true;
+ service.DISABLE_REGISTRATION = false;
+ };
+ };
+
+ # Forgejo on git.hunner.dev (Cloudflare proxy -> nginx -> localhost:3000).
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+
+ users.users.git = {
+ home = config.services.forgejo.stateDir;
+ useDefaultShell = true;
+ group = "git";
+ isSystemUser = true;
+ };
+
+ users.groups.git = { };
+}
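Review bot: `service.DISABLE_REGISTRATION = false;` leaves self-registration open on an instance that this file's own comment says is published through Cloudflare at git.hunner.dev, so anyone who finds the site can create an account and store repositories and LFS objects (`lfs.enable = true`) on the host. If this is meant to be a personal forge, set `service.DISABLE_REGISTRATION = true;` once the admin account exists; if sign-ups are intended, gate them with `service.REGISTER_MANUAL_CONFIRM = true;` or email confirmation. Separately, `SSH_DOMAIN = domain` with `SSH_PORT = 22` advertises clone-over-SSH on a hostname that the comment describes as proxied, and a proxied record presumably forwards only HTTP(S), so it is worth confirming those URLs resolve to the origin. The `git` user is also given `useDefaultShell = true`, so check that the host's sshd configuration (not visible in this diff) limits what that account can do beyond Forgejo's own key handling.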