diff --git a/hosts/common/optional/forgejo.nix b/hosts/common/optional/forgejo.nix
index 13245f2..77e60f5 100644
--- a/hosts/common/optional/forgejo.nix
+++ b/hosts/common/optional/forgejo.nix
@@ -1,6 +1,7 @@
 {
 pkgs,
 configVars,
+ lib,
 ...
 }: let
 forgejoDomain = configVars.domains.forgejo;
@@ -16,16 +17,35 @@ in {
 ];
 };
 
+ users.groups.git = {
+ gid = 1009;
+ };
+
+ users.users.git = {
+ isNormalUser = true;
+ home = "/var/lib/forgejo";
+ uid = 1009;
+ extraGroups = ["git"];
+ };
+
+ services.openssh = {
+ authorizedKeysFiles = lib.mkForce [ "/var/lib/forgejo/.ssh/authorized_keys" ];
+ };
+
 services.forgejo = {
 enable = true;
 package = pkgs.forgejo;
 database.type = "sqlite3";
 lfs.enable = true;
+ user = "git";
+ group = "git";
 settings = {
 server = {
+ RUN_USER = "git";
 DOMAIN = "git.${forgejoDomain}";
 ROOT_URL = "https://git.${forgejoDomain}/";
 HTTP_PORT = forgejoPort;
+ SSH_USER = "git";
 };
 service.DISABLE_REGISTRATION = false;
 actions = {
diff --git a/hosts/common/optional/nginx/vaultwarden.nix b/hosts/common/optional/nginx/vaultwarden.nix
index 097912f..a4f7dd3 100644
--- a/hosts/common/optional/nginx/vaultwarden.nix
+++ b/hosts/common/optional/nginx/vaultwarden.nix
@@ -13,7 +13,7 @@ in {
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
- virtualHosts."${domain}" = {
+ virtualHosts."password.${domain}" = {
 enableACME = true;
 forceSSL = true;
 locations."/" = {
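Review bot: The `services.openssh.authorizedKeysFiles` override in the second forgejo.nix hunk applies to sshd as a whole rather than to the `git` account only, because the path is absolute with no `%h`/`%u` token and `lib.mkForce` discards every other entry the option would otherwise merge in. As written, every SSH login on the host is checked against the file Forgejo rewrites when users add keys (the context line `DISABLE_REGISTRATION = false` leaves sign-up open), and keys declared elsewhere for admin users presumably stop being consulted, which risks a lockout; sshd's ownership checks on the key file may limit the first effect but should not be the only barrier. Since `home` for `git` is already `/var/lib/forgejo`, `authorizedKeysFiles = [ "%h/.ssh/authorized_keys" ];` without `mkForce` resolves to the same file for `git`, to each other user's own file, and keeps the remaining sources. Separately, `isNormalUser = true` with `extraGroups = ["git"]` leaves the account's primary group at the default instead of `git`; `isSystemUser = true; group = "git"; useDefaultShell = true;` fits a service account better. The `services.forgejo` attribute set continues past the end of the hunk, so settings outside it were not reviewed.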