diff --git a/configuration.nix b/configuration.nix
index 205b57f..28cee28 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -102,6 +102,7 @@
services.openssh = {
enable = true;
settings = {
+ AllowUsers = [ username ];
PasswordAuthentication = false;
PermitRootLogin = "no";
};
diff --git a/services/gitea.nix b/services/gitea.nix
index e5b07fb..ac337cc 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -16,10 +16,12 @@
settings = {
server = {
+ SSH_USER = "gitea";
DOMAIN = service_configs.gitea.domain;
ROOT_URL = "https://" + config.services.gitea.settings.server.DOMAIN;
HTTP_PORT = service_configs.ports.gitea;
LANDING_PAGE = "/explore/repos";
+ DISABLE_HTTP_GIT = true;
};
session = {
# https cookies or smth
@@ -35,7 +37,8 @@
'';
systemd.tmpfiles.rules = [
- "d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}"
+ # 0700 for ssh permission reasons
+ "d ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
];
services.postgresql = {
@@ -49,6 +52,8 @@
];
};
+ services.openssh.settings.AllowUsers = [ config.services.gitea.user ];
+ users.users.${username}.extraGroups = [ config.services.gitea.group ];
diff --git a/services/postgresql.nix b/services/postgresql.nix
index b120aa0..afd552e 100644
--- a/services/postgresql.nix
+++ b/services/postgresql.nix
@@ -12,6 +12,7 @@
};
systemd.tmpfiles.rules = [
+ # postgresql requires 0700
"d ${config.services.postgresql.dataDir} 0700 postgresql postgresql"
];
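Review bot: `AllowUsers = [ username ];` in configuration.nix reads as the complete sshd allowlist, but the services/gitea.nix hunk in this same commit defines `services.openssh.settings.AllowUsers` a second time, and the module system merges the two list definitions, so the effective allowlist is the union of every module's entries and is not visible from either file alone. A comment at this line such as `# merged with AllowUsers entries defined in services/*.nix (e.g. the gitea user)` would make the full list discoverable from the main config; the mirror comment belongs on the gitea.nix line. `username` is not defined in the hunk and is presumably a module argument — worth confirming it always resolves to the intended interactive account, since an allowlist that omits it locks that account out of SSH. The enclosing `services.openssh` attribute set continues outside the hunk.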
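Review bot: `SSH_USER = "gitea";` hard-codes the account name that the rest of services/gitea.nix derives from `config.services.gitea.user` (the tmpfiles rule and the new AllowUsers entry), so a later rename of the service user would leave Gitea advertising SSH clone URLs for a user that sshd no longer accepts; `SSH_USER = config.services.gitea.user;` keeps the three in step. `DISABLE_HTTP_GIT = true;` is a sensible narrowing now that SSH is the transport being opened, but nothing records the intent — a one-line comment such as `# git over HTTP(S) is off on purpose; SSH is the only git transport` would stop a future reader from re-enabling it as a "fix". The `settings.server` set is fully inside the hunk; the surrounding `settings` set continues past it.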
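Review bot: `# 0700 for ssh permission reasons` names the effect but not the cause: with sshd's default StrictModes, a home directory that is group- or world-writable makes sshd ignore `authorized_keys`, which is presumably what the 0770→0700 change on `stateDir` works around (this assumes the gitea user's home is `stateDir`, which the NixOS module sets by default — confirm). Suggest `# sshd StrictModes ignores authorized_keys when the home dir is group-writable`. Removing group access also means the `users.users.${username}.extraGroups = [ config.services.gitea.group ];` line later in this file no longer grants `${username}` any access to `stateDir`; if that membership existed only for that purpose it is now vestigial, and if it serves other paths a comment saying which would avoid the question. The `systemd.tmpfiles.rules` list is fully inside the hunk.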