diff --git a/modules/features/forgejo.nix b/modules/features/forgejo.nix
index ebd711d..57dbdd8 100644
--- a/modules/features/forgejo.nix
+++ b/modules/features/forgejo.nix
@@ -2,6 +2,7 @@ flake.modules.nixos.forgejo = {config, pkgs, lib, ... }: let
 cfg = config.forgejo;
+ needsPrivilegedPort = cfg.port < 1024;
 in {
 options.forgejo = {
@@ -25,6 +26,12 @@ config = lib.mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
+ systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ PrivateUsers = lib.mkForce false;
+ };
+
 sops.secrets = {
 "forgejo/secret_key".owner = config.services.forgejo.user;
 "forgejo/internal_token".owner = config.services.forgejo.user;
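Review bot: In the second hunk `CapabilityBoundingSet` and `AmbientCapabilities` are set without `lib.mkForce` while `PrivateUsers` gets one; if the upstream NixOS forgejo module also defines those two keys in its hardening block (it evidently defines `PrivateUsers`, which is presumably why that override exists), list-typed serviceConfig values are concatenated rather than replaced, so the generated unit may carry both definitions and the effective capability set then depends on definition order. Making all three consistent, `AmbientCapabilities = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];` and `CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];`, states the intended set explicitly, and a rebuilt unit file should be checked for a single `CapabilityBoundingSet=` line. `PrivateUsers = false` removes the user-namespace isolation for the whole service, not only for the bind, so a why-comment is warranted, for example `# CAP_NET_BIND_SERVICE appears ineffective under PrivateUsers=true, so it is disabled for ports < 1024; a reverse proxy on 80/443 keeps the hardening intact`. It is also worth confirming that `cfg.port` is the port forgejo itself listens on, since the hunk only shows it feeding `allowedTCPPorts`. The enclosing `config = lib.mkIf cfg.enable` block continues outside the hunk.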