diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 76329a6..9926af6 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -17,7 +17,10 @@
           };
           nixpkgs = inputs.nixpkgs;
           nixos.module = {
-            imports = [ ./vm02116 ];
+            imports = [
+              ./vm02116
+              inputs.agenix.nixosModules.default
+            ];
           };
         };
 
diff --git a/infra/vm02116/forgejo.nix b/infra/vm02116/forgejo.nix
index 157e8d6..b72466b 100644
--- a/infra/vm02116/forgejo.nix
+++ b/infra/vm02116/forgejo.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
   domain = "git.fediversity.eu";
 in
@@ -27,15 +27,23 @@ in
       FROM = "git@fediversity.eu";
       USER = "git@fediversity.eu";
     };
-    secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw";
+    secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;
 
     database = {
       type = "mysql";
       socket = "/run/mysqld/mysqld.sock";
-      passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword";
+      passwordFile = config.age.secrets.forgejo-database-password.path;
     };
   };
 
+  age.secrets.forgejo-database-password = {
+    file = ../../secrets/forgejo-database-password.age;
+    owner = "forgejo";
+    group = "forgejo";
+    mode = "440";
+  };
+  age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;
+
   users.groups.keys.members = [ "forgejo" ];
 
   services.mysql = {
diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age
new file mode 100644
index 0000000..435d5a0
Binary files /dev/null and b/secrets/forgejo-database-password.age differ
diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age
new file mode 100644
index 0000000..9de91e3
--- /dev/null
+++ b/secrets/forgejo-email-password.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA
+Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU
+-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw
+S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4
+--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0
+~��C�s��%}+�	xΥNX�^�����
+s�$b�b�ٝ����N
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3ef18c8..54a86bc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,7 @@ let
   ## Machines in this list MAY be mentioned later on as able to decrypt some of
   ## the encrypted `.age` files.
 
+  vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
   vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
   vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
 
@@ -36,6 +37,8 @@ concatMapAttrs
   ## are able to decrypt them.
 
   {
+    forgejo-database-password = [ vm02116 ];
+    forgejo-email-password = [ vm02116 ];
     forgejo-runner-token = [
       vm02179
       vm02186