diff --git a/server-modules/gitea.nix b/server-modules/gitea.nix
index 8924887..44b1d7b 100644
--- a/server-modules/gitea.nix
+++ b/server-modules/gitea.nix
@@ -3,6 +3,10 @@
 services.gitea = {
 enable = true;
 appName = "Git Server"; # A name for your Gitea instance
+
+ user = "git";
+ group = "git";
+
 settings = {
 server = {
 PROTOCOL = "http"; # Use http for now, caddy will handle https
@@ -10,7 +14,10 @@
 ROOT_URL = "https://git.jelles.net/";
 HTTP_ADDR = "127.0.0.1";
 HTTP_PORT = 3001;
- DISABLE_SSH = true; # Disable the built-in SSH server, use HTTPS for cloning
+
+ START_SSH_SERVER = false;
+ DISABLE_SSH = false; # Disable the built-in SSH server, use HTTPS for cloning
+ SSH_PORT = 22;
 };
 
 service = {
@@ -20,4 +27,20 @@
 };
 
 services.caddy.virtualHosts."git.jelles.net".extraConfig = "reverse_proxy :3001";
+
+ users.users.git = {
+ isSystemUser = true;
+ description = "Gitea Service User";
+ home = config.services.gitea.stateDir;
+ createHome = true;
+ homeMode = "750";
+ useDefaultShell = true;
+ group = "git";
+ };
+
+ users.groups.git = { };
+
+ systemd.tmpfiles.rules = [
+ "Z /var/lib/gitea 0750 git git - -"
+ ];
 }
diff --git a/server-modules/ssh.nix b/server-modules/ssh.nix
index 0e0e809..cb17788 100644
--- a/server-modules/ssh.nix
+++ b/server-modules/ssh.nix
@@ -10,7 +10,10 @@ in
 settings = {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
- AllowUsers = [ username ];
+ AllowUsers = [
+ username
+ "git"
+ ];
 };
 };
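Review bot: The trailing comment kept on the new `DISABLE_SSH = false;` line still says "Disable the built-in SSH server, use HTTPS for cloning", which now contradicts both the value and the neighbouring `START_SSH_SERVER = false;` / `SSH_PORT = 22;` lines. As far as the hunk shows, the intent is to offer SSH cloning through the system sshd rather than Gitea's built-in server, so the comment should state that: `DISABLE_SSH = false; # SSH cloning on; handled by the system sshd, not Gitea's built-in server (START_SSH_SERVER = false)`. A one-line comment above `SSH_PORT = 22;` noting that it is the port Gitea advertises in SSH clone URLs and must match what the system sshd listens on would save the next reader a lookup. The enclosing `server = { … }` set begins and ends outside this hunk.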
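Review bot: The new `users.users.git.home` is taken from `config.services.gitea.stateDir`, but the `systemd.tmpfiles.rules` entry two lines below hard-codes `/var/lib/gitea`; if the state directory is ever moved the ownership/mode fix-up silently applies to the wrong path, so derive both from the same value: `"Z ${config.services.gitea.stateDir} 0750 git git - -"`. This also assumes `config` is in the module's argument list, which is outside the hunk and should be confirmed. `useDefaultShell = true;` deserves a why-comment, since giving a service user a login shell is unusual: `# login shell needed so sshd can run the forced command Gitea writes into authorized_keys`. Since the `Z` rule recurses over the whole state directory on every boot, consider whether the NixOS gitea module's own stateDir ownership handling already makes it redundant; if it is kept, say in a comment what it repairs.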