diff --git a/assets/forgejo/apple-touch-icon.png b/assets/forgejo/apple-touch-icon.png
new file mode 100644
index 0000000..78da40f
Binary files /dev/null and b/assets/forgejo/apple-touch-icon.png differ
diff --git a/assets/forgejo/avatar_default.png b/assets/forgejo/avatar_default.png
new file mode 100644
index 0000000..ce6f772
Binary files /dev/null and b/assets/forgejo/avatar_default.png differ
diff --git a/assets/forgejo/favicon.png b/assets/forgejo/favicon.png
new file mode 100644
index 0000000..f6e48b9
Binary files /dev/null and b/assets/forgejo/favicon.png differ
diff --git a/assets/forgejo/favicon.svg b/assets/forgejo/favicon.svg
new file mode 100644
index 0000000..7cf10f5
--- /dev/null
+++ b/assets/forgejo/favicon.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/assets/forgejo/logo.png b/assets/forgejo/logo.png
new file mode 100644
index 0000000..ca1d390
Binary files /dev/null and b/assets/forgejo/logo.png differ
diff --git a/assets/forgejo/logo.svg b/assets/forgejo/logo.svg
new file mode 100644
index 0000000..7cf10f5
--- /dev/null
+++ b/assets/forgejo/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index c49e260..821117f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,6 +65,10 @@
 # racket
 "*.rkt"
 "**/rashrc"
+
+ # custom assets
+ "*.png"
+ "*.svg"
 ];
 settings.on-unmatched = "fatal";
 };
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index df92f1c..8464cb5 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -15,7 +15,6 @@
 ./storage.nix
 ./ntfy.nix
 ./zitadel.nix
- ./forgejo.nix
 ./prometheus.nix
 ];
diff --git a/hosts/kazuki/forgejo.nix b/hosts/kazuki/forgejo.nix
deleted file mode 100644
index 9f200e2..0000000
--- a/hosts/kazuki/forgejo.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, ... }:
-{
- age.secrets.rab-lol-cf = {
- file = ../../secrets/rab-lol-cf.age;
- owner = config.services.nginx.user;
- };
-
- services.forgejo = {
- enable = true;
- settings = {
- server = {
- DOMAIN = "git.rab.lol";
- ROOT_URL = "https://git.rab.lol/";
- };
- oauth2_client = {
- REGISTER_EMAIL_CONFIRM = false;
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
- UPDATE_AVATAR = true;
- };
- service = {
- DISABLE_REGISTRATION = false;
- ALLOW_ONLY_INTERNAL_REGISTRATION = false;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- };
- federation.ENABLED = true;
- };
- repositoryRoot = "/storage-box/forgejo/repos";
- lfs = {
- enable = true;
- contentDir = "/storage-box/forgejo/lfs";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts."git.rab.lol" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- extraConfig = ''
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- '';
- };
- };
- };
-
- users.users.nginx.extraGroups = [ "acme" ];
- security.acme.acceptTerms = true;
- security.acme.certs."git.rab.lol" = {
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.rab-lol-cf.path;
- email = "nikodem@rabulinski.com";
- };
-}
diff --git a/modules/system/containers.nix b/modules/system/containers.nix
index a0942f9..26e7e7e 100644
--- a/modules/system/containers.nix
+++ b/modules/system/containers.nix
@@ -85,6 +85,12 @@ let
 services.openssh.hostKeys = [ ];
 system.stateVersion = lib.mkDefault config.system.stateVersion;
+
+ networking.useHostResolvConf = false;
+ networking.nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
 };
 bindMounts = {
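Review bot: The resolver settings added after `system.stateVersion` hard-code two public nameservers into every container and turn off `useHostResolvConf`, so a container no longer sees any name that only the host's resolver knows (split-horizon or LAN names, for instance other services on the same host), and unless something inside the container adds DNS-over-TLS its queries leave the machine as plaintext port-53 traffic regardless of what the host uses. If that is the intent, a comment on the `networking.nameservers` line saying why the host's resolv.conf is bypassed would stop the next reader from "fixing" it; otherwise consider making the list a per-container option with these two as the default. The enclosing container definition starts before the hunk.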
@@ -95,6 +101,11 @@ let
 privateNetwork = lib.mkForce true;
 }
 ) config.settei.containers;
+
+ networking.nat = lib.mkIf (config.settei.containers != { }) {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ };
 };
 darwinConfig = lib.optionalAttrs (!isLinux) {
diff --git a/services/default.nix b/services/default.nix
index 1837462..dfee582 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./attic.nix
 ./forgejo-runner.nix
+ ./forgejo.nix
 ];
 }
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..4b9ea02
--- /dev/null
+++ b/services/forgejo.nix
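Review bot: `networking.nat` is enabled for the `ve-+` interfaces without a `networking.nat.externalInterface`, so the masquerade rule is not bound to an uplink and container traffic can be NATed out of any host interface, including VPN or overlay links the host may carry. Setting `externalInterface` to the host's uplink keeps container egress on the intended path; since it is a per-host value it probably belongs next to the host's network configuration rather than in this shared module, with a comment here pointing that out. The `lib.mkIf` guard on `config.settei.containers` is fine; the surrounding `let` block begins outside the hunk.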
@@ -0,0 +1,98 @@
+{
+ services.forgejo = {
+ host = "kazuki";
+ ports = [ 3000 ];
+ config =
+ { config, pkgs, ... }:
+ {
+ age.secrets.rab-lol-cf = {
+ file = ../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ settings = {
+ server = {
+ DOMAIN = "git.rab.lol";
+ ROOT_URL = "https://git.rab.lol/";
+ };
+ security = {
+ DISABLE_GIT_HOOKS = false;
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ ACCOUNT_LINKING = "auto";
+ UPDATE_AVATAR = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ session = {
+ SESSION_LIFE_TIME = 86400 * 30;
+ };
+ federation.ENABLED = true;
+ };
+ repositoryRoot = "/forgejo/repos";
+ lfs = {
+ enable = true;
+ contentDir = "/forgejo/lfs";
+ };
+ };
+
+ systemd.tmpfiles.rules =
+ let
+ cfg = config.services.forgejo;
+ imgDir = pkgs.runCommand "forgejo-img-dir" { } ''
+ cp -R ${../assets/forgejo} "$out"
+ '';
+ in
+ [
+ "d '${cfg.customDir}/public' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.customDir}/public/assets' 0750 ${cfg.user} ${cfg.group} - -"
+ "L+ '${cfg.customDir}/public/assets/img' - - - - ${imgDir}"
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.rab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."git.rab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
+
+ fileSystems."/forgejo" = {
+ device = "/dev/disk/by-label/forgejo";
+ fsType = "btrfs";
+ options = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+}
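Review bot: `security.DISABLE_GIT_HOOKS = false` deserves a comment, because it re-enables custom server-side git hooks, which run as the Forgejo service user inside the container for any account an admin grants the hooks permission — the upstream default keeps them disabled for exactly that reason. Suggest `# custom git hooks execute arbitrary commands as the forgejo user; grant the hooks permission only to trusted accounts` beside it. The same goes for `ACCOUNT_LINKING = "auto"` together with `REGISTER_EMAIL_CONFIRM = false`: linking an OAuth identity to an existing account by e-mail relies entirely on the identity provider verifying e-mail ownership, which is worth recording next to those lines. Finally, if `ports = [ 3000 ]` forwards that port out of the container, Forgejo's plain-HTTP listener becomes reachable without passing through the nginx TLS front end that proxies to `127.0.0.1:3000` — confirm whether 3000 needs to be exposed at all.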