diff --git a/common.nix b/common.nix
index 1f5cef1..6c6fa21 100644
--- a/common.nix
+++ b/common.nix
@@ -24,14 +24,8 @@
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
- AllowUsers = [ "ellie" "forgejo" ];
+ AllowUsers = [ "ellie" "borg" ];
};
- extraConfig = ''
- Match User forgejo Address 10.10.0.1
- AllowTcpForwarding no
- X11Forwarding no
- PermitTunnel no
- '';
};
services.fail2ban = {
diff --git a/flake.nix b/flake.nix
index 215818c..ab82480 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,7 +86,6 @@
./services/coturn.nix
./services/wireguard-outer.nix
./services/borgbackup-vps.nix
- ./services/syncthing-relay.nix
];
};
diff --git a/services/forgejo.nix b/services/forgejo.nix
index e34b984..0009360 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -1,17 +1,8 @@
{ ... }: {
- systemd.services.forgejo = {
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- preStart = ''
- mkdir -p /var/lib/forgejo/.ssh
- chmod 700 /var/lib/forgejo/.ssh
- '';
- };
-
networking.firewall.interfaces.wg0.allowedTCPPorts = [
- 22
+ 2222
3000
];
@@ -24,9 +15,10 @@
ROOT_URL = "https://forgejo.ellie.town/";
HTTP_ADDR = "10.10.0.2";
HTTP_PORT = 3000;
- START_SSH_SERVER = false;
+ START_SSH_SERVER = true;
SSH_DOMAIN = "forgejo.ellie.town";
SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
};
};
}
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 03957ec..1c6d072 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -1,6 +1,8 @@
{ lib, pkgs, config, ... }: {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
sops.secrets."wireguard/private_key" = {
sopsFile = ./secrets/wireguard_vps.yaml;
mode = "0400";
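Review bot: The new `AllowUsers = [ "ellie" "borg" ];` line admits the borg account over SSH while the same hunk deletes the `extraConfig` Match block, so borg gets none of the per-user restrictions (no TCP forwarding, X11 or tunnels) that the forgejo account used to have. If borg exists only to serve the backup module that flake.nix imports, a `Match User borg` block carrying the same three directives keeps its session from becoming a general forwarding endpoint; I can't see borgbackup-vps.nix, so confirm there whether its authorized key already pins a forced command. The `services.openssh` set these lines belong to opens before the hunk.
```nix
# … unchanged: settings block ending with AllowUsers …
extraConfig = ''
  Match User borg
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
'';
```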
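Review bot: Deleting the whole `systemd.services.forgejo` block also drops `after = [ "network-online.target" ]`, which is unrelated to the SSH switch: Forgejo still binds `HTTP_ADDR = "10.10.0.2"` (and now its built-in SSH server) on the wg0 address, so if the unit starts before that address exists the bind can fail at boot. Removing only the `preStart` and keeping `systemd.services.forgejo.after = [ "network-online.target" ];` (or ordering after whichever unit brings up wg0) would be the smaller change. The `preStart` removal itself is consistent with the built-in server no longer needing the OpenSSH user's .ssh directory. The enclosing attribute set continues beyond the hunk.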
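Review bot: `START_SSH_SERVER = true;` together with `SSH_LISTEN_PORT = 2222;` turns on Forgejo's built-in SSH daemon but sets no listen address, so unless the module default already restricts it the daemon may bind every interface, whereas the firewall hunk above only opens 2222 on wg0. Pinning it the same way HTTP is pinned, `SSH_LISTEN_HOST = "10.10.0.2";`, keeps the two consistent and makes the exposure explicit instead of leaning on the firewall alone. The built-in server also presents its own host key, so clients that previously reached OpenSSH on this port through the VPS proxy will see a host-key change — worth stating in the commit message so users verify it rather than accept it reflexively. The `settings.server` set these lines belong to starts before the hunk.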
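Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` enables forwarding for every interface on the VPS, not just between wg0 peers, and nothing in this hunk adds a FORWARD filter, so whatever the NixOS firewall does by default for forwarded traffic now applies host-wide. If the intent is only hub-and-spoke routing among the peers added later in this file, a forward rule limited to wg0↔wg0 (or `networking.nat` with `internalInterfaces = [ "wg0" ]`, if NAT is actually wanted) would scope it; I can't see the rest of wireguard-outer.nix, so confirm nothing there already restricts forwarding. A comment such as `# Route traffic between wg0 peers (hub-and-spoke); each peer's AllowedIPs still bounds what it may send` above the line would record the why.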
@@ -21,9 +23,20 @@
peers = [
{
+ # Home server
publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI=";
allowedIPs = [ "10.10.0.2/32" ];
}
+ {
+ # Desktop
+ publicKey = "nMQY5RsyTkUi3p6i8pElY9b2Z0vFEeSUdqtw7eQnbQM=";
+ allowedIPs = [ "10.10.0.3/32" ];
+ }
+ {
+ # Phone
+ publicKey = "4MDcBaF7oafv5ZC2fjgFHuXnrpwaRglM7fmSw7zo6CQ=";
+ allowedIPs = [ "10.10.0.4/32" ];
+ }
];
};
@@ -97,7 +110,7 @@
}
upstream forgejo_ssh {
- server 10.10.0.2:22;
+ server 10.10.0.2:2222;
}
server {
listen 2222;
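Review bot: The Desktop and Phone peers are added with `allowedIPs` of `10.10.0.3/32` and `10.10.0.4/32` on the VPS side only; for them to reach the home server through the hub, the home server's own peer entry for the VPS must also list those addresses (or a covering subnet) in its AllowedIPs, otherwise WireGuard's cryptokey routing there drops the forwarded packets. That configuration isn't in this diff, so confirm it was updated alongside. Note too that forgejo.nix opens 2222 and 3000 to all of wg0, so these two peers now reach Forgejo directly rather than only via the VPS proxy — presumably intended, but the new comments could say so, e.g. `# Desktop (direct wg0 access to forgejo)`.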
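Review bot: Pointing `upstream forgejo_ssh` at `10.10.0.2:2222` means SSH clients hitting the VPS on 2222 are now terminated by Forgejo's built-in server instead of OpenSSH, and unless the stream proxy passes proxy protocol Forgejo sees the VPS's wg0 address as every client, so its failed-login log entries carry no usable source address and the sshd jail of the `services.fail2ban` in common.nix no longer observes these logins at all. If lockout on this port mattered before, it now has to live on the VPS side (a stream-level connection limit or a jail not tied to sshd); I can't see the fail2ban config to tell whether that's already covered. A comment such as `# built-in Forgejo SSH; client IP is masked by this proxy` beside the server line would keep the caveat visible. The stream block containing this upstream starts before the hunk.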