diff --git a/common.nix b/common.nix
index 6c6fa21..1f5cef1 100644
--- a/common.nix
+++ b/common.nix
@@ -24,8 +24,14 @@
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
       PermitRootLogin = "no";
-      AllowUsers = [ "ellie" "borg" ];
+      AllowUsers = [ "ellie" "forgejo" ];
     };
+    extraConfig = ''
+      Match User forgejo Address 10.10.0.1
+        AllowTcpForwarding no
+        X11Forwarding no
+        PermitTunnel no
+    '';
   };
 
   services.fail2ban = {
diff --git a/flake.nix b/flake.nix
index ab82480..215818c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,6 +86,7 @@
         ./services/coturn.nix
         ./services/wireguard-outer.nix
         ./services/borgbackup-vps.nix
+        ./services/syncthing-relay.nix
       ];
     };
 
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 0009360..e34b984 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -1,8 +1,17 @@
 { ... }:
 {
 
+  systemd.services.forgejo = {
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    preStart = ''
+      mkdir -p /var/lib/forgejo/.ssh
+      chmod 700 /var/lib/forgejo/.ssh
+    '';
+  };
+
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
-    2222
+    22
     3000
   ];
 
@@ -15,10 +24,9 @@
       ROOT_URL = "https://forgejo.ellie.town/";
       HTTP_ADDR = "10.10.0.2";
       HTTP_PORT = 3000;
-      START_SSH_SERVER = true;
+      START_SSH_SERVER = false;
       SSH_DOMAIN = "forgejo.ellie.town";
       SSH_PORT = 2222;
-      SSH_LISTEN_PORT = 2222;
     };
   };
 }
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 1c6d072..03957ec 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -1,8 +1,6 @@
 { lib, pkgs, config, ... }:
 {
 
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
   sops.secrets."wireguard/private_key" = {
     sopsFile = ./secrets/wireguard_vps.yaml;
     mode = "0400";
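Review bot: The new `Match User forgejo Address 10.10.0.1` block only restricts the forgejo account when the connection comes from the VPS, while `AllowUsers` now admits `forgejo` from every address this sshd listens on, so a forgejo login from any other source gets none of these restrictions. Unless another address is meant to reach that account, drop the `Address` qualifier so the block applies unconditionally, and add `AllowAgentForwarding no` next to the three existing lines (plus `PermitTTY no` if interactive sessions are never expected for that account). Separately, `borg` is dropped from `AllowUsers` while flake.nix in this same commit still imports `./services/borgbackup-vps.nix`; if that job still pushes over SSH as the `borg` user it will now be refused, which is worth confirming before deploying.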
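Review bot: `preStart` in the new `systemd.services.forgejo` block hard-codes `/var/lib/forgejo` twice although the module's state directory is an option; take `config` in the module arguments (`{ config, ... }:`) and use `${config.services.forgejo.stateDir}/.ssh` so the two cannot drift. The snippet also sets mode 700 but never sets ownership, so whether the directory ends up owned by the service user depends on which user `preStart` runs as; sshd's StrictModes rejects the authorized_keys file if `.ssh` or its parent is owned by someone else or is group/world-writable, so confirm this and add a chown to the service user if the hook does not already run as it. Swapping 2222 for 22 in the wg0 firewall matches the move to the system sshd, but a one-line comment such as `# system sshd; the VPS relay forwards :2222 here` would explain why the open port and the advertised SSH_PORT now differ.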
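Review bot: `SSH_PORT = 2222` now differs from every port that actually listens on this host (the system sshd on 22, reached through the VPS relay on 2222) and nothing in the file says why; add a comment above it such as `# advertised in clone URLs only: the VPS proxies :2222 to this host's sshd on :22`. With `START_SSH_SERVER = false` the user shown in clone URLs no longer comes from the built-in server but from the `SSH_USER` setting (which I believe defaults from the run user — verify); check that it resolves to `forgejo`, the name common.nix now lists in `AllowUsers`, otherwise generated clone URLs will name a user sshd refuses.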
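Review bot: Dropping `net.ipv4.ip_forward` is only safe if this host no longer routes between WireGuard peers or for anything else; the remaining wg0 peer and the stream proxy to 10.10.0.2 later in this file terminate on this host and do not need forwarding, but any client that still expects to reach 10.10.0.2 through the VPS stops working without an error. A short note on the removal, in the commit message or as a comment where the sysctl used to be, explaining that forwarding is no longer required would help the next reader. The enclosing attribute set continues past the hunk.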
@@ -23,20 +21,9 @@
 
     peers = [
       {
-        # Home server
         publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI=";
         allowedIPs = [ "10.10.0.2/32" ];
       }
-      {
-        # Desktop
-        publicKey = "nMQY5RsyTkUi3p6i8pElY9b2Z0vFEeSUdqtw7eQnbQM=";
-        allowedIPs = [ "10.10.0.3/32" ];
-      }
-      {
-        # Phone
-        publicKey = "4MDcBaF7oafv5ZC2fjgFHuXnrpwaRglM7fmSw7zo6CQ=";
-        allowedIPs = [ "10.10.0.4/32" ];
-      }
     ];
   };
 
@@ -110,7 +97,7 @@
       }
       upstream forgejo_ssh {
-        server 10.10.0.2:2222;
+        server 10.10.0.2:22;
       }
       server {
         listen 2222;
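Review bot: The `# Home server` comment is removed from the one peer that stays, leaving the remaining `publicKey` unlabelled; keep that line (`# Home server`) above it. Removing the desktop and phone peers on the server side is fine, but their own configurations will keep attempting handshakes to this endpoint until they are cleaned up, and `10.10.0.3`/`10.10.0.4` should no longer be referenced anywhere else in the configuration — worth a grep before deploying.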
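Review bot: Pointing the `forgejo_ssh` upstream at the home host's system sshd on `:22` means every relayed Git connection arrives there with source address 10.10.0.1, so the home host's fail2ban (configured in common.nix) attributes all failed logins through the relay to the VPS; depending on the jail's filter mode, a guessing run against the public port would ban 10.10.0.1 and cut off all Git-over-SSH, while the real client address is never visible at the home host. The simplest fix is `services.fail2ban.ignoreIP = [ "10.10.0.1" ];` on the home host and relying on the VPS-side jail for port 2222, since OpenSSH cannot read a proxied client address itself. A comment next to the upstream noting that `22` is now the system sshd rather than Forgejo's built-in server would also help.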