diff --git a/.sops.yaml b/.sops.yaml
index 88fceb6..0831305 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
 - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
 - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+ - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
 - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
 creation_rules:
 - path_regex: ^secrets/helium/.*\.yaml$
@@ -13,6 +14,11 @@ creation_rules:
 - age:
 - *vili-bw
 - *helium
+ - path_regex: ^secrets/forgejo.yaml$
+ key_groups:
+ - age:
+ - *vili-bw
+ - *forgejo
 - path_regex: ^secrets/vaultwarden.yaml$
 key_groups:
 - age:
diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml
new file mode 100644
index 0000000..21f6050
--- /dev/null
+++ b/secrets/forgejo.yaml
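Review bot: The new creation rule's `path_regex: ^secrets/forgejo.yaml$` leaves the dot unescaped, so it is a single-character wildcard rather than a literal; the helium rule in the same file escapes it (`\.yaml$`), while the existing vaultwarden rule shares the unescaped form. Prefer `path_regex: ^secrets/forgejo\.yaml$` so the pattern matches exactly the file that the new recipient is meant for and the rules use one consistent style. The practical exposure is small, but a literal pattern is what a reader of this file will expect.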
@@ -0,0 +1,25 @@
+smtp-pass: ENC[AES256_GCM,data:1V5EHK5itI44ZmSALPF/SA==,iv:vGSipMUvWT+qAo7JXeCGFdiiRATnYPl77SODm4SQD5c=,tag:eboMUsoJDjVIPcqT+liQCg==,type:str]
+sops:
+ age:
+ - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbHZvZHBFcVlON0FaQ0lP
+ bjBSQS9RcXlrM25nUElDQzc5ZFVMN3ZuWTMwCkx3WWVDNm4xRVBFYmIwcnM4blQ2
+ d1A5R2hwTjNUcWFJRXlqUFBYN1BoK0kKLS0tIFQ4dG1RdUNDamFaa1FZazAzVVB4
+ Vm84bEdPNVErWTM3TkVVSmdYa3kvcWcKix28pKgG2Nm2kPo/IC8VMxWpd9D9CUNp
+ 4QFed716oCATJnW0qYww/sM8dc+DHa8dABNzdh25yX85LuleCrRj8Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMVAwb1VONlUrL0l3RUQy
+ K3RpMk1icVlja0Y3dlJvYi9CQzUzMDN5NkhnCjlWaGhBaXhZMzZDL1cwV1B4MWpC
+ bEJYa0NHeGRKa0s4aDBleUc3TnRTYzAKLS0tIFR5b1EzR2xBZEtIdFNzSkZWVmVE
+ dHQ5M2JwUE5tdjBBZklXYW0wZGNlTEkKssrzEuDJXjzLBAoW5ZvOMynREFpkTbT+
+ tVhQdg+llvM1D3xV7SlCt8hTIZkv6mIIGAq/0VC7lgVjq6bilny/Sg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-21T12:59:33Z"
+ mac: ENC[AES256_GCM,data:Y0Z39BJDJJZlvlJ33pQzEYWpDzw1qSMMPufQ8iPvmNpjIXpCHxQ2LDLXyV91bMPY0OTG6cfLkF4bAOl21L5xjJ45nVNsgrqEFeWc3mxLQNnqiDP8Av0Z2L/sQbJpWppN44y/ussGQNMdndze57eNiKUp8GLRqAGJ9bFyxg8uiLE=,iv:Ddh9njJr7Ao8GMaMHPEDsz+uu9RMRIXzZNVcYAyPb1U=,tag:EjqM8DNohUcoiGwf4v8tAg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/servers/forgejo.nix b/servers/forgejo.nix
index 4390a6a..c0e5bda 100644
--- a/servers/forgejo.nix
+++ b/servers/forgejo.nix
@@ -5,12 +5,17 @@
 ./utils/acme-http-client.nix
 ];
+ sops.secrets.smtp-pass = {
+ sopsFile = ../secrets/forgejo.yaml;
+ restartUnits = [ "forgejo.service" ];
+ };
+
 services = {
 forgejo = {
 enable = true;
 lfs.enable = true;
- secrets.mailer.PASSWD = "${config.services.forgejo.stateDir}/smtp_pass";
+ secrets.mailer.PASSWD = config.sops.secrets.smtp-pass.path;
 settings = {
 DEFAULT.APP_NAME = "Forgejo for Vili Sinervä";
 repository = {