diff --git a/machines/newton/secrets.yaml b/machines/newton/secrets.yaml index 108552f..903cb9d 100644 --- a/machines/newton/secrets.yaml +++ b/machines/newton/secrets.yaml @@ -15,6 +15,8 @@ nextcloud: password: ENC[AES256_GCM,data:uE507Ij34zJVYnd2YkNCGj8hpFpEM5w=,iv:x8BNCUaAas0poQ/Lo0izZApF6l52xal8DDrClIzWjvk=,tag:sA08dmcVQbKswX9hF/txag==,type:str] nextcloud-exporter: password: ENC[AES256_GCM,data:ziQ/rVJx9NELSQA6/BeniH7joJPnc6Q=,iv:LtZ2Inm0V4ZRv0blRUNfXJOyFY85NkZo+5r31fs0oXM=,tag:5maJ5fkJU+JnbpLGf/MhOg==,type:str] +git: + password: ENC[AES256_GCM,data:uUN/BJ1JMwahgq6sqb+bWaIgolfu6pHq+pnt/2zl,iv:x8KjU4tNfK2xkxcIk9dkIs3j1V+CGY/rc4DbhEdoH+U=,tag:9lRP2CQHbAtrxvMAjqMJKg==,type:str] photos: secrets: ENC[AES256_GCM,data:eUlyoAx9odHPjuSSL63WFJJntRm77FvcxSzf8+6r6qNGtlnx,iv:IEq+NpZx4JIQ/hDCcNEHh+I2B7tD9BbbB7Y1XyW4yW0=,tag:+Ar83rwchWdaMvTYGHAoDQ==,type:str] grafana: @@ -52,8 +54,8 @@ sops: NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-17T21:17:38Z" - mac: ENC[AES256_GCM,data:pPuvSlWqiCsNFjAoQOH6/0D5lb9Z7giKCHpz0/kWvbug5K730bpeYSfqvEc01VLb+RV6JugvblwF/SXhMEhe1KmvvGOmWPPCufhw4LEhnLotegKkZ5h1bcKLREEqy3nhSDmqbfELNPWxLOxO/fzJjhBTpuNuWZ0nLIAQP+MidWY=,iv:uQaMI9MJ3SZB7h7W7SRBOC6Ig6yoiATGP4eU/kjoO+Q=,tag:YUvl0Og8ckVIBOlW/Zi/hQ==,type:str] + lastmodified: "2025-04-01T20:14:13Z" + mac: ENC[AES256_GCM,data:TYsCSFADZkIqN+CggAoyBLHYBnF8XG9c7zGzsjyDG35Xty/JP6K6pC/7IPUEKtvStm0hUCS5seil5gTNmBBIgynVI3xTqhzIQ5UJ6QgxbVIcKR9j3lXF0FpuVSwh8p2Q6jL3LRM3nItCvtYYdw2CFL7pBSuk5BKkPVWbb1n1oyU=,iv:xYZSTv25Af0XSO0SpbwA3F/ORYOdDCemSS8uyFTklXA=,tag:y03I0hQweArU83l1nKFxfw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.9.4 diff --git a/machines/newton/services.nix b/machines/newton/services.nix index a1b58ad..dc65fd6 100644 --- a/machines/newton/services.nix +++ b/machines/newton/services.nix 
@@ -12,6 +12,9 @@ in "sso/felix/password-hash" = { }; "sso/felix/totp-secret" = { }; "paperless/password" = { }; + "git/password" = { + owner = config.users.users.forgejo.name; + }; "nextcloud/password" = { owner = config.users.users.nextcloud.name; }; @@ -85,9 +88,10 @@ in defaultUser = "felix"; passwordFile = secrets."freshrss/password".path; }; - # self-hosted git service - gitea = { + # self-hosted git server + git = { enable = true; + passwordFile = secrets."git/password".path; }; # collaborative markdown editor hedgedoc = { diff --git a/modules/services/default.nix b/modules/services/default.nix index 4a0de1a..86269d4 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -12,7 +12,7 @@ ./finance ./freshrss ./fritzbox - ./gitea + ./git ./grafana ./hedgedoc ./home-automation diff --git a/modules/services/gitea/default.nix b/modules/services/git/default.nix similarity index 51% rename from modules/services/gitea/default.nix rename to modules/services/git/default.nix index 428e299..6320f8a 100644 --- a/modules/services/gitea/default.nix +++ b/modules/services/git/default.nix 
@@ -6,17 +6,41 @@ ... }: let - cfg = config.my.services.gitea; + cfg = config.my.services.git; inherit (config.networking) domain; in { - options.my.services.gitea = with lib; { - enable = mkEnableOption "Gitea"; + options.my.services.git = { + enable = lib.mkEnableOption "Git server"; + + passwordFile = lib.mkOption { + type = lib.types.path; + example = "/var/lib/somewhere/password.txt"; + description = '' + Path to a file containing the admin's password. + ''; + }; }; config = lib.mkIf cfg.enable { + + # configure admin user + systemd.services.forgejo.preStart = + let + adminCmd = "${lib.getExe config.services.forgejo.package} admin user"; + user = "felix"; + in + '' + admin="${adminCmd}" + if ! $admin list | grep "${user}"; then + ${adminCmd} create --admin --email "server@localhost" --username ${user} --password "$(tr -d '\n' < ${cfg.passwordFile})" || true + else + ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${cfg.passwordFile})" || true + fi + ''; + services = { - gitea = { + forgejo = { enable = true; settings = { server = { @@ -35,10 +59,10 @@ in prometheus = { scrapeConfigs = [ { - job_name = "gitea"; + job_name = "forgejo"; static_configs = [ { - targets = [ "localhost:${toString config.services.gitea.settings.server.HTTP_PORT}" ]; + targets = [ "localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}" ]; labels = { instance = config.networking.hostName; }; 
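Review bot: In the first hunk of modules/services/git/default.nix, the new preStart script passes the admin password as a `--password "$(tr -d '\n' < ${cfg.passwordFile})"` argument to both `create` and `change-password`. The cleartext therefore sits in the forgejo process's argv for each call and is readable through the process list by other local users unless /proc is restricted on this host; the sops-managed file protects it at rest but not at this point. Both calls end in `|| true`, so a failed create or rotation still lets the unit start with no admin or a stale password and no signal; `|| echo "forgejo: admin password sync failed" >&2` keeps the best-effort start and leaves a trace in the journal. The existence check `grep "${user}"` matches any substring of the listing (another username or an e-mail containing it) and prints the matched row to the journal; `grep -qw "${user}"` narrows that, and comparing only the username column would be stricter. The script also mixes `$admin` and `${adminCmd}` for the same command, which is worth unifying while touching these lines.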
@@ -50,39 +74,39 @@ in grafana.provision = { dashboards.settings.providers = [ { - name = "Gitea"; - options.path = pkgs.grafana-dashboards.gitea; + name = "Forgejo"; + options.path = pkgs.grafana-dashboards.forgejo; disableDeletion = true; } ]; }; }; - # Proxy to Gitea + # Proxy to forgejo my.services = { webserver.virtualHosts = [ { subdomain = "code"; - port = config.services.gitea.settings.server.HTTP_PORT; + port = config.services.forgejo.settings.server.HTTP_PORT; } ]; backup = { paths = [ - config.services.gitea.lfs.contentDir - config.services.gitea.repositoryRoot + config.services.forgejo.lfs.contentDir + config.services.forgejo.repositoryRoot ]; }; prometheus.rules = { - gitea = { - condition = ''rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3''; - description = "{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes"; + forgejo = { + condition = ''rate(promhttp_metric_handler_requests_total{job="forgejo", code="500"}[5m]) > 3''; + description = "{{$labels.instance}}: forgejo instances error rate went up: {{$value}} errors in 5 minutes"; }; }; }; - webapps.apps.gitea = { + webapps.apps.git = { dashboard = { name = "Code"; category = "app"; diff --git a/pkgs/grafana-dashboards/default.nix b/pkgs/grafana-dashboards/default.nix index 0d508e5..d4ebc02 100644 --- a/pkgs/grafana-dashboards/default.nix +++ b/pkgs/grafana-dashboards/default.nix @@ -123,15 +123,15 @@ lib.makeScope pkgs.newScope ( hash = "sha256-/scCKBKqTjRKKImIrEYLBKGweOUnkx+QsD5yLfdXW5o="; }; - gitea = + forgejo = (buildGrafanaDashboard { id = 13192; - pname = "gitea"; + pname = "forgejo"; version = "1"; hash = "sha256-IAaI/HvMxcWE3PGQFK8avNjgj88DgcDvkWRcDAWSejM="; }).overrideAttrs (_: { - src = ./gitea.json; # sadly not yet updated to latest grafana + src = ./forgejo.json; # sadly not yet updated to latest grafana }); prometheus = 
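Review bot: In the `@@ -50,39 +74,39 @@` hunk of modules/services/git/default.nix, `backup.paths` now resolves `lfs.contentDir` and `repositoryRoot` against `config.services.forgejo`, so whatever still lives under the previous gitea state directory drops out of the backup set once this deploys. No migration of the old state directory is visible in this commit, and the forgejo module presumably uses its own default state directory, so please confirm that existing repositories and LFS objects are moved before the old paths stop being backed up. A comment above the list would record the intent, for example `# forgejo state only; data left under the old gitea stateDir is not covered here`. The surrounding `my.services` block starts and ends outside the hunk.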
diff --git a/pkgs/grafana-dashboards/gitea.json b/pkgs/grafana-dashboards/forgejo.json
similarity index 100%
rename from pkgs/grafana-dashboards/gitea.json
rename to pkgs/grafana-dashboards/forgejo.json