diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix index 5725664..9b0b95b 100644 --- a/modules/hosts/nixos/nixnuc/default.nix +++ b/modules/hosts/nixos/nixnuc/default.nix @@ -73,16 +73,26 @@ in { networking = { # Open ports in the firewall. - firewall.allowedTCPPorts = [ - 22 # ssh - 80 # http to local Nginx - 443 # https to local Nginx - 3000 # PsiTransfer in oci-container - 8080 # Tandoor in docker compose - 8090 # Wallabag in docker compose - 13378 # Audiobookshelf in oci-container - ]; - # firewall.allowedUDPPorts = [ ... ]; + firewall = { + allowedTCPPorts = [ + 22 # ssh + 80 # http to local Nginx + 443 # https to local Nginx + 3000 # PsiTransfer in oci-container + 3030 # Forgejo + 8001 # Tube Archivist + 8080 # Tandoor in docker compose + 8384 # Syncthing gui + 8888 # Atuin + 8090 # Wallabag in docker compose + 13378 # Audiobookshelf in oci-container + 22000 # Syncthing transfers + ]; + allowedUDPPorts = [ + 21027 # Syncthing discovery + 22000 # Syncthing transfers + ]; + }; # Or disable the firewall altogether. # firewall.enable = false; @@ -126,6 +136,11 @@ in { # List services that you want to enable: services = { + atuin = { + enable = true; + host = "127.0.0.1"; + maxHistoryLength = 2000000000; + }; ## ## Gandi (gandi.net) ## 
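Review bot: Opening `3030 # Forgejo` and `8888 # Atuin` in `allowedTCPPorts` gives LAN clients a plain-HTTP path to backends that the nginx vhosts later in this file (`git.${home_domain}` and the one proxying to `${backend_ip}:8888`) front with `forceSSL`. Forgejo's `session.COOKIE_SECURE = true` and the proxy's TLS only help if the backend is not reachable directly, and nothing in this commit sets Forgejo's `HTTP_ADDR`, so it presumably listens on all interfaces. Unless another host needs the raw ports, drop those two entries and keep nginx as the only exposed path; the same question applies to `8001 # Tube Archivist` and `8384 # Syncthing gui`, which have no TLS vhost in this diff. The 22000 and 21027 entries duplicate what `syncthing.openDefaultPorts = true` adds further down, so one of the two can go to avoid drift.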
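Review bot: `host = "127.0.0.1"` is at odds with the rest of the commit, which opens TCP 8888 in the firewall and points an nginx vhost at `http://${backend_ip}:8888`; that proxy target only answers if `backend_ip` resolves to loopback, and the firewall rule is then dead weight. The loopback bind is the right choice, so I would fix the other two sides instead: `proxyPass = "http://127.0.0.1:8888"` and no firewall entry. `maxHistoryLength = 2000000000` lifts the per-request history cap far above Atuin's default, which is fine for a closed server but lets any enrolled client push unbounded data into the database; a short comment such as `# effectively unlimited; registration stays closed so only known clients can fill the DB` would record the reasoning, assuming `openRegistration` is left at its default.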
@@ -150,12 +165,60 @@ in { ''; passwordFile = "${config.sops.secrets.gandi_api.path}"; }; + forgejo = { + enable = true; + database.type = "postgres"; + lfs.enable = true; + settings = { + # Add support for actions, based on act: https://github.com/nektos/act + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + DEFAULT.APP_NAME = "Beantown's Code"; + repository = { + DEFAULT_PUSH_CREATE_PRIVATE = true; + ENABLE_PUSH_CREATE_ORG = true; + ENABLE_PUSH_CREATE_USER = true; + }; + server = { + DOMAIN = "git.${home_domain}"; + HTTP_PORT = 3030; + LANDING_PAGE = "explore"; + ROOT_URL = "https://git.${home_domain}/"; + }; + service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; + }; + stateDir = "/orico/forgejo"; + }; fwupd.enable = true; jellyfin = { enable = true; openFirewall = true; }; lldpd.enable = true; + mealie = { + enable = true; + credentialsFile = config.sops.secrets.mealie.path; + listenAddress = "0.0.0.0"; + port = 9000; + settings = { + ALLOW_SIGNUP = "false"; + BASE_URL = "https://mealie.${home_domain}"; + DATA_DIR = "/var/lib/mealie"; + DB_ENGINE = "postgres"; + POSTGRES_USER = "mealie"; + POSTGRES_DB = "mealie"; + POSTGRES_SERVER = "localhost"; + POSTGRES_PORT = config.services.postgresql.settings.port; + SMTP_HOST = "localhost"; + SMTP_PORT = 25; + SMTP_FROM_NAME = "Mealie"; + SMTP_FROM_EMAIL = "mealie@${home_domain}"; + SMTP_AUTH_STRATEGY = "NONE"; + }; + }; nextcloud = { enable = true; hostName = "nextcloud.home.technicalissues.us"; 
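Review bot: `server.HTTP_PORT = 3030` is set without `server.HTTP_ADDR`, and `mealie.listenAddress = "0.0.0.0"` binds Mealie on every interface, although both services are only meant to be reached through the `forceSSL` nginx vhosts added later in this diff. If `backend_ip` is loopback, add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` and change Mealie to `listenAddress = "127.0.0.1";`; if it is a LAN address, a one-line comment saying why the wide bind is needed would stop the next reader from tightening it. `actions.ENABLED = true` with `DEFAULT_ACTIONS_URL = "github"` means every workflow step resolves action code from github.com at run time, so treat it as a supply-chain input and pin third-party actions by commit SHA in the repositories that use them. `DISABLE_REGISTRATION = true`, `COOKIE_SECURE = true` and `ALLOW_SIGNUP = "false"` are the right settings for a closed instance. The `nextcloud` attribute at the end of the hunk continues past it.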
@@ -281,7 +344,17 @@ in { enableACME = true; acmeRoot = null; forceSSL = true; - locations."/".proxyPass = "http://${mini_watcher}:9999"; + locations."/".proxyPass = "http://${backend_ip}:8888"; + }; + "git.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyPass = "http://${backend_ip}:3030"; + extraConfig = '' + client_max_body_size 0; + ''; }; "immich.${home_domain}" = { listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; @@ -297,6 +370,16 @@ in { send_timeout 600s; ''; }; + "mealie.${home_domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyPass = "http://${backend_ip}:9000"; + extraConfig = '' + client_max_body_size 10M; + ''; + }; "nc.${home_domain}" = { listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; @@ -358,13 +441,22 @@ in { }; resolved.enable = true; restic.backups.daily.paths = [ + config.services.forgejo.stateDir + config.services.mealie.settings.DATA_DIR config.services.nextcloud.home "${config.users.users.${username}.home}/compose-files/tandoor" "${config.users.users.${username}.home}/compose-files/wallabag" + "/orico/immich/library" "/orico/jellyfin/data" "/orico/jellyfin/staging/downloaded-files" "/var/backup/postgresql" ]; + syncthing = { + enable = true; + dataDir = "/orico/syncthing"; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; tandoor-recipes = { enable = true; address = "0.0.0.0"; @@ -406,6 +498,7 @@ in { owner = "${username}"; path = "/home/${username}/.private-env"; }; + mealie.mode = "0444"; nextcloud_admin_pass.owner = config.users.users.nextcloud.name; tandoor_db_pass.mode = "0444"; tandoor_db_pass.path = "/orico/tandoor-recipes/.dbpass"; 
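Review bot: `client_max_body_size 0;` on `git.${home_domain}` removes nginx's request-body limit for every request to Forgejo, authenticated or not, so any LAN client can stream an unbounded body through the proxy. Large pushes and LFS uploads do need a generous ceiling, but a finite one keeps a bound on abuse; `client_max_body_size 4G;` (or whatever the largest expected LFS object needs) is safer than 0. Nothing in the vhost forwards `Host`/`X-Forwarded-*` headers, so unless `recommendedProxySettings` or a shared `proxy_set_header` block lives outside this hunk, Forgejo will see nginx as the client and its `ROOT_URL` redirects and login rate limits will act on 127.0.0.1; worth confirming. The first changed line retargets a vhost whose server name is above the hunk, so I could not check that its name still matches the new backend.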
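Review bot: `guiAddress = "0.0.0.0:8384"`, combined with the new `8384` firewall entry, exposes the Syncthing web GUI and its REST API to every host that can reach this machine, and nothing in this config sets GUI credentials, so out of the box it is unauthenticated admin access to the sync folders. Either leave the GUI on loopback and front it with an nginx vhost like the others (`locations."/".proxyPass = "http://127.0.0.1:8384"`), or configure the GUI user and password via `settings.gui` — with the hash coming from a sops secret rather than this file — before opening the port. `openDefaultPorts = true` already opens 22000/tcp+udp and 21027/udp, so the explicit entries in the firewall hunk are redundant. `/orico/syncthing` is not added to the restic `paths` list alongside the other new state directories, which may be intentional but deserves a comment if so.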
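Review bot: `mealie.mode = "0444"` makes the decrypted Mealie credentials file world-readable under the sops secrets directory, so any local account or compromised service on the host can read what the Mealie settings imply is the Postgres password and possibly SMTP material. As far as I can tell the NixOS module hands `credentialsFile` to systemd as `EnvironmentFile=`, which is read with root privileges before the DynamicUser switch, so the default root-only mode should work and the override can simply be removed; if the service does need to read it itself, prefer a group-readable `"0440"` with the service's group over 0444. The pre-existing `tandoor_db_pass.mode = "0444"` has the same problem but is outside this change.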
@@ -415,6 +508,10 @@ in { }; systemd.services = { + "mealie" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; "nextcloud-setup" = { requires = ["postgresql.service"]; after = ["postgresql.service"]; diff --git a/modules/hosts/nixos/nixnuc/secrets.yaml b/modules/hosts/nixos/nixnuc/secrets.yaml index 174ffef..f42306c 100644 --- a/modules/hosts/nixos/nixnuc/secrets.yaml +++ b/modules/hosts/nixos/nixnuc/secrets.yaml @@ -1,6 +1,7 @@ tailscale_key: ENC[AES256_GCM,data:aB3KUD4QYm+ZDrjjLcU3gQ8kneVGkVYBsrkVcioOhxunal2FekLDrpKxJwNXuiwx2M5vipnGAEPO,iv:e+tPPfVYkv4U0KRGwspWb1O3ZQom/WFFGm9H9cd/KKE=,tag:ZG5z1C18bj1L7DcGzunQ0w==,type:str] local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0N7KQ+ebhvuJnM=,iv:Q6o45LZStS3k8iO7s2P6u7OrKFu5alplshZuGgeRKmk=,tag:NcLJrI9AK4eDroODX15lcA==,type:str] local_private_env: ENC[AES256_GCM,data:qOPXTS2uo/1jyVEKCtBvuK/dzZaPf1K5tHuSVF2hBg4fdPYIsDPkM108cGVxJviebB3xVZejn/JVOdUDXQj6,iv:TtyMTOJXaPUrbSaAdtMaGPBlwLl/Y/IBYVCzhhiZozY=,tag:hUyVL8xk3w1iMwNAZw5QUw==,type:str] +mealie: ENC[AES256_GCM,data:HuO2c5na5r271x98GLqYBP/ME+phH58e2scelEH7F3R+2liLRGK9xCA0ciHLJCo8,iv:bo6hTIsWfnWueRCiLcpxYoiol8oGOoPTHDgPQ7FnYqM=,tag:rHRfIv4vnIjO/eotxYmI/Q==,type:str] nextcloud_admin_pass: ENC[AES256_GCM,data:KztB3Tkqlt73PEO41lthGYElrbwVdfqQgT6f,iv:kRwXqGJO4AUOMq+uYzndGhscaJiyvG4ANKabHHd78YM=,tag:dP3PgKafDTv8x7huKJGDqA==,type:str] psitransfer_dot_env: ENC[AES256_GCM,data:bhvU0AOCjecZ62BtLw4H1DdkLeatI+uUl6L7UkdDRkBF3sayO45Z1eR4q60tflXucyTGhT8WgKFz53I+C2dn265wzojIRc3Xr4TBLyWpfJ7/dct40SckgUiRvOnrefiriWQ=,iv:DGMhDkzgeupzzTJnCdVWDPUSo2wxI3MAypKQwVfHExE=,tag:KbteGqrkqgj2XB1lvlk/yQ==,type:str] tandoor_db_pass: ENC[AES256_GCM,data:X0unx5jquLsUXadbF6xLjjeGY+f8Ec4kdc15JQ==,iv:XptlJHfAkF+3jbgJTqxhVReYjuVVdk3NzfPepP78DRI=,tag:3RG5P9QGCJ/fjdxWpY1xWA==,type:str] 
@@ -20,8 +21,8 @@ sops: bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-04T21:34:21Z" - mac: ENC[AES256_GCM,data:gL7TbCjZNu3yF8oyEcFr367XymzSYRvltGJPG5jK/nbztKFV72Fl2gpdprch+P67dDxDFoJL1NvDDmHt6yM0WfdDPJS/ivMlgi9Sg5ZG2S5OyBBUxDbkp/6BXwJQ9eY72ee3SmufE+cTjUNF0ANxueznHpFhXLp/1Fj9TixgHM4=,iv:s2cE9lrjNvuYT96WXOJZaAomt3VWIzHFQqPncZyydhk=,tag:MGI4OmNfEDSB8jE7wxDamQ==,type:str] + lastmodified: "2024-07-14T20:03:31Z" + mac: ENC[AES256_GCM,data:HBQLqcgvYQMgI9gsaWHeO/aaU1BAB94S/Amo2eNiFwbF4Fv75Leb+7tA/Us4WrsVpjAPCNL8rz6bB8eqqhB3z6WRZPsBaTSNcw0zD+CMevviMrTvXI2LDrQKbuKBXbUQrr++Yfwasw47XstdpeqlBsr7vwqTXN9uBiGAEN6pMyw=,iv:StSyeRw528BlMGVxDHFqth7DSWp2p2PGJv8/Ud8rKVc=,tag:TIPiIkmwzi3GpqWnSfI40A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml index b34a777..83c6bcf 100644 --- a/modules/system/common/secrets.yaml +++ b/modules/system/common/secrets.yaml @@ -90,8 +90,8 @@ sops: N2VYRDNrUk5wd3JQRVZabUhlRTF2UHMKCjCaXJ394MfsOKSWCuRVa8EA2pcLu1TU VaXATezktIU+ZrXOrpwRc9u9uac9V3PmxykpzjEvyo2BQ7Ji0wOeEw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-15T21:02:47Z" - mac: ENC[AES256_GCM,data:vZie4+27bytMtLHLO3cR5X6XsvVjoLWXbZ9gSyeJAg//TYDdojfCKtLatBb22oVyjjeoFKKqcHwVPv888Kpc8SwFIY7C0YxgmFbHXZMkUk4EWsolGPJ4V3p2GdWSRJkn/B9fM0TjvWiHASvtDNUNw03Rs6PT8fP0YTSzomKGR+U=,iv:5UY3+wj8h/uW/l3gkBPub+bWWt2kKabH5jErjmNp4sM=,tag:2DrAzNOS+dd3bNCs42PPbw==,type:str] + lastmodified: "2024-09-11T17:22:16Z" + mac: ENC[AES256_GCM,data:WbuN9UpP0OP69ta29VW2LlCFfyTWI3v8IiwUu3tLOxtY3gjdJLZTpaG2hBR985qjLYL3MT7eR7eWp4p99DAKupVBvA6tJl8/+N9+0W/dapcec+qv7u9wRHcFjP9wtggq66vUdGqH8IIHYuGlIhAvCbDouoXuLoFIcB2i2lYNB4Q=,iv:u+KsBgHxLgwSgFLYtY0F6HjCUbSCvNAatIIwrCGGyJg=,tag:bHO4vovTLPVK2vsQvliwzQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1