diff --git a/.sops.yaml b/.sops.yaml
index 8044652..2d74601 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,8 +1,10 @@
 keys:
   - &muon age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
+  - &muho age1v4s4hg7u3vjjkarvrk7v6ev7w3wja2r5xm7f4t06culw3fuq7qns8sfju7
 
 creation_rules:
   - path_regex: modules/nixos/sops/secrets.ya?ml$
     key_groups:
     - age:
       - *muon
+      - *muho
diff --git a/hosts/ports.nix b/hosts/ports.nix
index 4d150db..0c61806 100644
--- a/hosts/ports.nix
+++ b/hosts/ports.nix
@@ -2,6 +2,7 @@
   mods.server.nginx.ports = {
     photos = 3001;
     homebox = 3002;
+    git = 3003;
 
     search = 8081;
     videos = 8082;
diff --git a/modules/nixos/core/user.nix b/modules/nixos/core/user.nix
index 1d53af0..67f2989 100644
--- a/modules/nixos/core/user.nix
+++ b/modules/nixos/core/user.nix
@@ -8,7 +8,6 @@
     users.users.${config.mods.user.name} = {
       isNormalUser = true;
       extraGroups = [ "wheel" ];
-      initialPassword = "changeme";
       hashedPasswordFile = config.sops.secrets.muon-password.path;
       shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
     };
diff --git a/modules/nixos/server/git.nix b/modules/nixos/server/git.nix
new file mode 100644
index 0000000..a3f25fb
--- /dev/null
+++ b/modules/nixos/server/git.nix
@@ -0,0 +1,16 @@
+{ pkgs, lib, config, ... }:
+let
+  cfg = config.mods.server.git;
+  port = config.mods.server.nginx.ports.git;
+in with lib; {
+  options.mods.server = {
+    git = {
+      enable = mkEnableOption {
+        default = false;
+        description = "enables forgejo server";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { services.forgejo = { enable = true; }; };
+}