diff --git a/flake.lock b/flake.lock
index 47c2782..c0cec35 100644
--- a/flake.lock
+++ b/flake.lock
@@ -377,11 +377,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1713776544,
- "narHash": "sha256-EQW8P1TfkYQV0EEK1n3Gh9wRp9KlC0EbidH2j+niCaE=",
+ "lastModified": 1713863887,
+ "narHash": "sha256-TwlNZjJloyZ0/5KCPeSWrnyDfEFokayovRPQY7xqq1g=",
 "ref": "refs/heads/main",
- "rev": "61410d68f15b3b970067a3fdd39667fdd9a89edd",
- "revCount": 12,
+ "rev": "b8c66d7b0ca9fc21bc5332801b0203033cc3a772",
+ "revCount": 13,
 "type": "git",
 "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
 },
diff --git a/roles/common/programs/git.nix b/roles/common/programs/git.nix
index f9f2b4e..02dc612 100644
--- a/roles/common/programs/git.nix
+++ b/roles/common/programs/git.nix
@@ -1,4 +1,9 @@
 {...}: {
+ programs.ssh.knownHosts = {
+ "[git.everest.sable-pancake.ts.net]:4222".publicKey = ''
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoUcWx56NZ3kqydN3d0gLNz6SlBm1ArkHhqR9Fwd8qs
+ '';
+ };
 home-manager.users.toast = {
 programs.git = {
 enable = true;
diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix
index b8f04c9..e89fee9 100644
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@@ -1,8 +1,26 @@
 {
 config,
 lib,
+ flakeSelf,
 ...
-}: {
+}: let
+ hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+in {
+ age.secrets = {
+ forgejo-host-key = {
+ file = hostSecrets + "forgejoPrivateKey.age";
+ mode = "0400";
+ owner = "forgejo";
+ group = "forgejo";
+ };
+ "forgejo-host-key.pub" = {
+ file = hostSecrets + "forgejoPublicKey.age";
+ mode = "0400";
+ owner = "forgejo";
+ group = "forgejo";
+ };
+ };
+ specialisation.forgejoEnableRegistration.configuration.services.forgejo.settings.service.DISABLE_REGISTRATION = false;
 services.forgejo = {
 enable = true;
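Review bot: The pinned host key on the `publicKey` line carries no pointer to where it comes from, so a rotation of the Forgejo host key (the `forgejoPrivateKey.age` / `forgejoPublicKey.age` secrets added in roles/server/forgejo.nix by this same commit) would leave a stale pin and every fetch of the `ssh://...:4222/Toast/nix-secrets` flake input failing closed; a comment above the entry would help, e.g. `# Forgejo built-in SSH host key on port 4222; public half of forgejoPublicKey.age in roles/server/forgejo.nix — update both together when the key is rotated`. Pinning the key here instead of trusting it on first use is the right call, since flake.lock shows the secrets input is fetched over exactly that host and port. The `''` indented string presumably leaves a trailing newline in the value; as far as I know the NixOS module writes one line per host and appends its own newline, so this should only add a blank line to the generated ssh_known_hosts — confirm, or use a plain `"ssh-ed25519 ..."` string to avoid the question.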
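Review bot: The `specialisation.forgejoEnableRegistration` line flips `DISABLE_REGISTRATION` to `false` for an entire alternative system configuration without saying when it is meant to be booted; the base value is outside this hunk so I cannot confirm it is `true`, but the line deserves a comment such as `# Temporary specialisation: boot into it only while a new account is being created, then switch back to the default configuration so open registration stays off`. The two `age.secrets` entries repeat the same four-attribute body and differ only in the file name; a small helper in the `let` block keeps the permissions for both host-key files in one place. `mode = "0400"` with `owner = "forgejo"` is appropriate for the private key; the same mode on the `.pub` entry is harmless but not required.
```nix
}: let
  hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
  # One agenix entry per host-key file, readable only by the forgejo service user.
  forgejoSecret = name: {
    file = hostSecrets + name;
    mode = "0400";
    owner = "forgejo";
    group = "forgejo";
  };
in {
  age.secrets = {
    forgejo-host-key = forgejoSecret "forgejoPrivateKey.age";
    "forgejo-host-key.pub" = forgejoSecret "forgejoPublicKey.age";
  };
  # … unchanged: specialisation and services.forgejo …
```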
@@ -14,6 +32,8 @@
 ROOT_URL = "http://git.everest.sable-pancake.ts.net";
 START_SSH_SERVER = true;
 SSH_PORT = 4222;
+ SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
+ SSH_SERVER_HOST_KEY = "forgejo-host-key";
 };
 repository = {
 ENABLE_PUSH_CREATE_USER = true;
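Review bot: `SSH_SERVER_HOST_KEY = "forgejo-host-key"` does not match any `[server]` setting I know of in Gitea/Forgejo — the documented option is the comma-separated `SSH_SERVER_HOST_KEYS` already set on the line above — and unrecognized app.ini keys are ignored without any error, so this line is most likely a no-op; confirm against the Forgejo configuration cheat sheet for the deployed version and drop it if it is not recognized. A comment on the `SSH_SERVER_HOST_KEYS` line would tie the server key to its client-side pin, e.g. `# Private host key from agenix; its public half is pinned in programs.ssh.knownHosts (roles/common/programs/git.nix) — rotate both together`. The attribute set these lines belong to opens before the hunk, so its header is not visible here.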