diff --git a/README.md b/README.md
index 5132468..4805dcf 100644
--- a/README.md
+++ b/README.md
@@ -17,8 +17,9 @@ This is a work-in-progress and currently is not production ready. Please check b
 - [x] Configure Caddy for internal service port forwarding (difficult!)
 - [ ] Install Tailscale
 - [ ] Install Portainer for other servers & basic admin tasks
- - [ ] Install Forgejo
+ - [x] Install Forgejo
 - [x] Install Personal Website
+ - [x] Install mCaptcha
 - [ ] Install Passbolt
 - [ ] Install Pterodactyl Panel
 - [ ] Install Immich
diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix
index 7fb8bb4..8ccc55f 100755
--- a/hosts/andromeda/configuration.nix
+++ b/hosts/andromeda/configuration.nix
@@ -19,6 +19,7 @@
 ./stacks/traefik/docker-compose.nix
 ./stacks/caddy/docker-compose.nix
 ./stacks/forgejo/docker-compose.nix
+ ./stacks/mcaptcha/docker-compose.nix
 ./stacks/terah.dev/docker-compose.nix
 ];
 
diff --git a/hosts/andromeda/stacks/mcaptcha/docker-compose.nix b/hosts/andromeda/stacks/mcaptcha/docker-compose.nix
new file mode 100644
index 0000000..4c512ed
--- /dev/null
+++ b/hosts/andromeda/stacks/mcaptcha/docker-compose.nix
@@ -0,0 +1,175 @@
+# Auto-generated using compose2nix v0.3.1.
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ../../../../system/sops.nix
+ ];
+
+ # Containers
+ virtualisation.oci-containers.containers."mcaptcha-cache" = {
+ image = "mcaptcha/cache:latest";
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=cache"
+ "--network=mcaptcha_default"
+ ];
+ };
+
+ systemd.services."docker-mcaptcha-cache" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "no";
+ };
+ after = [
+ "docker-network-mcaptcha_default.service"
+ ];
+ requires = [
+ "docker-network-mcaptcha_default.service"
+ ];
+ partOf = [
+ "docker-compose-mcaptcha-root.target"
+ ];
+ wantedBy = [
+ "docker-compose-mcaptcha-root.target"
+ ];
+ };
+
+ virtualisation.oci-containers.containers."mcaptcha-db" = {
+ image = "postgres:16.8";
+ environmentFiles = [ config.sops.secrets.mcaptcha_db_docker_env ];
+ environment = {
+ "PGDATA" = "/var/lib/postgresql/data/mcaptcha/";
+ "POSTGRES_PASSWORD" = "password";
+ };
+ volumes = [
+ "mcaptcha_db:/var/lib/postgresql:rw"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=db"
+ "--network=mcaptcha_default"
+ ];
+ };
+
+ systemd.services."docker-mcaptcha-db" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "no";
+ };
+ after = [
+ "docker-network-mcaptcha_default.service"
+ "docker-volume-mcaptcha_db.service"
+ ];
+ requires = [
+ "docker-network-mcaptcha_default.service"
+ "docker-volume-mcaptcha_db.service"
+ ];
+ partOf = [
+ "docker-compose-mcaptcha-root.target"
+ ];
+ wantedBy = [
+ "docker-compose-mcaptcha-root.target"
+ ];
+ };
+
+ virtualisation.oci-containers.containers."mcaptcha-mcaptcha" = {
+ image = "mcaptcha/mcaptcha:latest";
+ labels = {
+ "traefik.http.routers.mcaptchaterahdev.rule" = "Host(`mcaptcha.terah.dev`)";
+ "traefik.http.services.mcaptchaterahdev.loadbalancer.server.port" = "7000";
+ };
+ environmentFiles = [ config.sops.secrets.mcaptcha_mcaptcha_docker_env.path ];
+ environment = {
+ "MCAPTCHA__server_IP" = "0.0.0.0";
+ "MCAPTCHA_allow_demo" = "false";
+ "MCAPTCHA_allow_registration" = "false";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_avg_traffic_difficulty" = "50000";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_avg_traffic_time" = "1";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_broke_my_site_traffic_difficulty" = "5000000";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_broke_my_site_traffic_time" = "5";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_duration" = "30";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_peak_sustainable_traffic_difficulty" = "3000000";
+ "MCAPTCHA_captcha_DEFAULT_DIFFICULTY_STRATEGY_peak_sustainable_traffic_time" = "3";
+ "MCAPTCHA_captcha_ENABLE_STATS" = "true";
+ "MCAPTCHA_captcha_GC" = "30";
+ "MCAPTCHA_captcha_QUEUE_LENGTH" = "2000";
+ "MCAPTCHA_captcha_RUNNERS" = "4";
+ "MCAPTCHA_commercial" = "false";
+ "MCAPTCHA_database_POOL" = "4";
+ "MCAPTCHA_debug" = "false";
+ "MCAPTCHA_redis_POOL" = "4";
+ "MCAPTCHA_redis_URL" = "redis://cache";
+ "MCAPTCHA_server_DOMAIN" = "mcaptcha.terah.dev";
+ "MCAPTCHA_source_code" = "https://github.com/mCaptcha/mCaptcha";
+ "PORT" = "7000";
+ };
+ ports = [
+ "7000:7000/tcp"
+ ];
+ dependsOn = [
+ "mcaptcha-cache"
+ "mcaptcha-db"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=mcaptcha"
+ "--network=mcaptcha_default"
+ ];
+ };
+
+ systemd.services."docker-mcaptcha-mcaptcha" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "no";
+ };
+ after = [
+ "docker-network-mcaptcha_default.service"
+ ];
+ requires = [
+ "docker-network-mcaptcha_default.service"
+ ];
+ partOf = [
+ "docker-compose-mcaptcha-root.target"
+ ];
+ wantedBy = [
+ "docker-compose-mcaptcha-root.target"
+ ];
+ };
+
+ # Networks
+ systemd.services."docker-network-mcaptcha_default" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "docker network rm -f mcaptcha_default";
+ };
+ script = ''
+ docker network inspect mcaptcha_default || docker network create mcaptcha_default
+ '';
+ partOf = [ "docker-compose-mcaptcha-root.target" ];
+ wantedBy = [ "docker-compose-mcaptcha-root.target" ];
+ };
+
+ # Volumes
+ systemd.services."docker-volume-mcaptcha_db" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ docker volume inspect mcaptcha_db || docker volume create mcaptcha_db
+ '';
+ partOf = [ "docker-compose-mcaptcha-root.target" ];
+ wantedBy = [ "docker-compose-mcaptcha-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."docker-compose-mcaptcha-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/secrets b/secrets
index 60d55ae..641331a 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 60d55ae56d5ca38e387e33e8fd186d83e8320839
+Subproject commit 641331a16088e444d4d22ac421916b5bde369f89
diff --git a/system/sops.nix b/system/sops.nix
index 2ff718f..7b29c20 100755
--- a/system/sops.nix
+++ b/system/sops.nix
@@ -25,6 +25,8 @@ in
 caddy_docker_env = {};
 forgejo_db_docker_env = {};
 forgejo_server_docker_env = {};
+ mcaptcha_db_docker_env = {};
+ mcaptcha_mcaptcha_docker_env = {};
 };
 };
 }
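Review bot: In hosts/andromeda/stacks/mcaptcha/docker-compose.nix the `mcaptcha-db` container still sets `"POSTGRES_PASSWORD" = "password";` in `environment`, right next to the sops-managed `environmentFiles`. That literal lands in the world-readable Nix store, and because explicitly passed environment values normally take precedence over an env file, it would likely override whatever the secret file supplies; drop the line and let the sops env file provide the password. The same container references `config.sops.secrets.mcaptcha_db_docker_env` without `.path`, unlike the `mcaptcha-mcaptcha` container further down, so it should read `environmentFiles = [ config.sops.secrets.mcaptcha_db_docker_env.path ];`. Separately, `ports = [ "7000:7000/tcp" ]` publishes mCaptcha on every host interface even though the Traefik labels already route `mcaptcha.terah.dev` to port 7000; consider removing the mapping or binding it to `127.0.0.1`. The `mcaptcha/cache:latest` and `mcaptcha/mcaptcha:latest` images are unpinned, unlike `postgres:16.8`, so each pull can change what runs here.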