diff --git a/machines/nixos/storage01/forgejo.nix b/machines/nixos/storage01/forgejo.nix
index 8e9c6d7..0308716 100644
--- a/machines/nixos/storage01/forgejo.nix
+++ b/machines/nixos/storage01/forgejo.nix
@@ -2,11 +2,32 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ config, nixpkgs, ... }:
+{
+ config,
+ nixpkgs,
+ lib,
+ ...
+}:
 let
 port = 3000;
 host = "git.dgnum.eu";
+
+ bannedUserAgentPatterns = [
+ "Trident/"
+ "Android\\s[123456789]\\."
+ "iPod"
+ "iPad\\sOS\\s"
+ "iPhone\\sOS\\s[23456789]"
+ "Opera/[89]"
+ "(Chrome|CriOS)/(\\d\\d?\\.|1[01]|12[4])"
+ "(Firefox|FxiOS)/(\\d\\d?\\.|1[01]|12[012345679]\\.)"
+ "PPC\\sMac\\sOS"
+ "Windows\\sCE"
+ "Windows\\s95"
+ "Windows\\s98"
+ "Windows\\sNT\\s[12345]\\."
+ ];
 in
 {
 services = {
@@ -87,6 +108,23 @@ in
 inherit host port;
 };
+ services.nginx = {
+ appendHttpConfig = ''
+ map $http_user_agent $badagent {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (pattern: ''
+ ~${pattern} 1;
+ '') bannedUserAgentPatterns}
+ }
+ '';
+ virtualHosts.${host}.locations."/".extraConfig = ''
+ if ($badagent) {
+ access_log /var/log/nginx/abuse.log;
+ return 403;
+ }
+ '';
+ };
+
 users.users.git = {
 description = "Git Service";
 home = "/var/lib/git";
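Review bot: In `bannedUserAgentPatterns`, the entry `"iPhone\\sOS\\s[23456789]"` has no delimiter after the digit, unlike `"Android\\s[123456789]\\."`, so it also matches any two-digit major version that starts with 2–9. `"iPhone\\sOS\\s[2-9]_"` would restrict it to single-digit releases. The Chrome alternatives `1[01]` and `12[4]` are likewise unanchored, while the Firefox `12[...]\\.` branch is anchored, so the two lines are not consistent with each other. The list also has no comment on where the patterns come from or what they are for. Since User-Agent is client-supplied, something like `# Heuristic filter for outdated/spoofed browser UAs; easily bypassed, not an access control.` above the list would stop later readers from treating it as a security boundary.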
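Review bot: The `~${pattern} 1;` line inside the `map` block interpolates each pattern unquoted, so a future entry containing a literal space, `;` or braces would be split into extra nginx tokens and either fail config validation or change the map. Writing it as `"~${pattern}" 1;` keeps every entry a single parameter. The match uses `~`, so it is case-sensitive; `~*` would be needed if case variants should be caught too. The `if ($badagent)` check is attached only to `locations."/"`, so any other location declared for this virtual host would presumably not apply it; the rest of the vhost definition is outside the hunk and should be checked.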