diff --git a/secrets/etna/turnstileSecret.age b/secrets/etna/turnstileSecret.age
new file mode 100644
index 0000000..a16d10c
--- /dev/null
+++ b/secrets/etna/turnstileSecret.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSjVjZWp5M0lMRXNNYlBk
+SFFTVFVjakMzaUtkdW1JcmZLSTBlY1NJaVc4Cmx2aXFQdnk4SGJRTjZmZGNNQUJT
+ZkZnZ05QVStLaW9YekdvYzdnZC9SQ1kKLT4gWDI1NTE5IENvcGJiOC9QWHAxNjJJ
+S0VweVNaK294OHVJZFVPV2FCZlRBR1BjQm5VVmMKQXlPUi8zNjFJTVBFdjdOUi9z
+RytwbDFtVTRCbFhWREZuMithSXJSUXNXawotPiBYMjU1MTkgL3dJVFJ3MGkzbTVq
+N3BoZ0lvRnlKS0k2RHYrc3hZa082VW1Pcm9ESkxqawpJaUVtaGJxMmVNUnI1NDNI
+TFdJQ2d4aWc4TXh2dHd6TDEvL01LdG1aYUhvCi0tLSBnNnFuUS9zZEk1MFNYYkxt
+a29rQkg2ZGpmZnl2RnI0TE0rdS8zc2twSmljCpN1q6y8jYDL3thaSoNWFzaVkX1u
+qoaCneZN4acO3oyrESyANR8zWNV/VqTr/hMOUBiyzn+Ys7l5v/y4gfTDZA6/hsQf
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6c354e6..b32c654 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,4 +21,5 @@ in {
 "etna/dendriteKey.age".publicKeys = main ++ [etna];
 "etna/nextcloudAdminPass.age".publicKeys = main ++ [etna];
 "etna/frpToken.age".publicKeys = main ++ [etna];
+ "etna/turnstileSecret.age".publicKeys = main ++ [etna];
 }
diff --git a/systems/etna/forgejo.nix b/systems/etna/forgejo.nix
index 3c469f9..51eea66 100644
--- a/systems/etna/forgejo.nix
+++ b/systems/etna/forgejo.nix
@@ -1,6 +1,15 @@
-_: {
+{
+ config,
+ mkSecret,
+ ...
+}: {
 cfTunnels."git.uku3lig.net" = "http://localhost:3000";
 
+ age.secrets = mkSecret "turnstileSecret" {
+ owner = "forgejo";
+ group = "forgejo";
+ };
+
 services = {
 forgejo = {
 enable = true;
@@ -10,6 +19,10 @@ _: {
 createDatabase = true;
 };
 
+ secrets = {
+ service.CF_TURNSTILE_SECRET = config.age.secrets.turnstileSecret.path;
+ };
+
 settings = {
 DEFAULT.APP_NAME = "uku's forge";
 
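Review bot: The new `secrets` block in the second forgejo.nix hunk has no comment saying that its value is a file path rather than the secret itself, which is easy to misread next to `settings.service`, where literal values go. I would add `# path to the agenix-decrypted file, read at service start; keeps the value out of the Nix store` above `service.CF_TURNSTILE_SECRET`. The `forgejo = {` attrset opens in the previous hunk and continues past this one, so this is based only on the lines shown.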
@@ -23,9 +36,9 @@ _: {
 
 service = {
 ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- # TODO enable turnstile once it gets fixed
- # see codeberg:forgejo/forgejo#3832
 ENABLE_CAPTCHA = true;
+ CAPTCHA_TYPE = "cfturnstile";
+ CF_TURNSTILE_SITEKEY = "0x4AAAAAAAaemJiXmRluMxbQ";
 };
 
 oauth2 = {
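Review bot: With `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` still set in this `service` block, the Turnstile challenge enabled here may never be shown on the path new accounts actually take. As far as I know, Forgejo applies `ENABLE_CAPTCHA` to the local sign-up form only, and external (OAuth2/OpenID) registrations skip it unless `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = true;` is also set. The block opens and closes inside the hunk and does not set that key, so consider adding it next to `CAPTCHA_TYPE`, plus `REQUIRE_CAPTCHA_FOR_LOGIN = true;` if the login form should be covered too. A short comment such as `# site key is public; the secret is supplied via services.forgejo.secrets` would also tell a reader why this key is committed in the clear.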