diff --git a/services/self_host/git.nix b/services/self_host/git.nix
index c31e695..445dd22 100644
--- a/services/self_host/git.nix
+++ b/services/self_host/git.nix
@@ -1,49 +1,57 @@
 { config, pkgs, lib, ... }:
 
 let
-  giteaDomain = "git.enium.eu";
+  gitDomain = "git.enium.eu";
 in
 {
-  services.gitea = {
-    enable = true;
-    appName = "Enium Git";
-    user = "gitea";
-    group = "gitea";
-    database.type = "sqlite3";
+  services = {
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
 
-    settings = {
-      server = {
-        DOMAIN = giteaDomain;
-        ROOT_URL = "https://${giteaDomain}/";
-        SSH_PORT = 42131;
-        HTTP_ADDR = "127.0.0.1";
-        HTTP_PORT = 3042;
-        DISABLE_REGISTRATION = true;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-        SHOW_REGISTRATION_BUTTON = false;
-        DISABLE_REGULAR_LOGIN = true;
-      };
+      settings = {
+        server = {
+          "DEFAULT.APP_NAME" = "Enium Git";
+          "DEFAULT.APP_SLOGAN" = "Born2Code";
+          DOMAIN = gitDomain;
+          ROOT_URL = "https://${gitDomain}/";
+          SSH_PORT = 42131;
+          HTTP_ADDR = "127.0.0.1";
+          HTTP_PORT = 3042;
+          DISABLE_REGISTRATION = true;
+          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+          SHOW_REGISTRATION_BUTTON = false;
+          DISABLE_REGULAR_LOGIN = true;
+        };
 
-      service = {
-        DISABLE_REGISTRATION = true;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-      };
+        oauth2 = {
+          ENABLED = true;
+          NAME = "Enium";
+          CLIENT_ID = "forgejo";
+          CLIENT_SECRET = "${config.age.secrets.forgejo-oidc-secret.path}";
+          SCOPES = "openid email profile groups";
+          LOGIN_ATTRIBUTE_PATH = "preferred_username";
+          AUTH_URL = "https://git.enium.eu/ui/oauth2";
+          TOKEN_URL = "https://git.enium.eu/oauth2/token";
+          API_URL = "https://git.enium.eu/oauth2/openid/forgejo/userinfo";
+          CODE_CHALLENGE_METHOD = "S256";
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+        };
 
-      web = {
-        DISABLE_LOCAL_LOGIN = true;
-      };
-
-      oauth2_client = {
-        ENABLE_AUTO_REGISTRATION = true;
+        security = {
+          LOGIN_REMEMBER_DAYS = 14;
+        };
       };
     };
-  };
 
-  services.nginx.virtualHosts."${giteaDomain}" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:3042";
+    nginx.virtualHosts."${gitDomain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3042";
+        proxyWebsockets = true;
+      };
     };
   };
 }