diff --git a/nginx-config/nginx-locations.conf b/nginx-config/nginx-locations.conf
index 17358c303c28e1f736732c394af7d984fad5a80c..aa01d08300a9cb726f5efbb08b51dab425dd20da 100644
--- a/nginx-config/nginx-locations.conf
+++ b/nginx-config/nginx-locations.conf
@@ -11,6 +11,31 @@ location = /nix-cache-info { proxy_pass http://localhost:3000; }
 
 # Cuirass.
 
+# Enable HTTP Basic Authentication for events coming from the Forgejo
+# instance at Codeberg.
+location ~ ^/admin/forgejo/event {
+    auth_basic "Forgejo";
+
+    # The file below must contain "USER:PASSWORD" lines, where
+    # PASSWORD is the password encrypted with crypt(3), available from
+    # the command line as "openssl password".  Make sure to:
+    #
+    #   chown nginx:nginx /etc/nginx-htpasswd
+    #
+    # The Forgejo instance must itself send HTTP headers like:
+    #
+    #   Authorization: Basic STR
+    #
+    # where STR is the base64-encoded string obtained with:
+    #
+    #   echo -n "USER:CLEARTEXTPASSWORD" | base64
+    #
+    # According to <https://datatracker.ietf.org/doc/html/rfc7617#section-2>,
+    # CLEARTEXTPASSWORD must not contain control characters.
+    auth_basic_user_file /etc/nginx-htpasswd;
+    proxy_pass http://localhost:8081;
+}
+
 # The included file should define the variable $GITLAB_TOKEN using the
 # set directive: "set $GITLAB_TOKEN value;". It should be created
 # manually.