diff --git a/flake.nix b/flake.nix index fdc9637..ce5a634 100644 --- a/flake.nix +++ b/flake.nix @@ -14,13 +14,15 @@ }; # 8080 on host is 80 on guest # 2222 on host is 22 on guest + # 22222 on host is 222 on guest virt-module = { virtualisation.vmVariant = { virtualisation.cores = 4; virtualisation.memorySize = 4096; virtualisation.forwardPorts = [ - { from = "host"; host.port = 8080; guest.port = 80; } - { from = "host"; host.port = 2222; guest.port = 22; } + { from = "host"; host.port = 8080; guest.port = 80; } + { from = "host"; host.port = 2222; guest.port = 22; } + { from = "host"; host.port = 22222; guest.port = 222; } ]; }; }; diff --git a/host.nix b/host.nix index 66883dd..bbf306d 100644 --- a/host.nix +++ b/host.nix @@ -1,12 +1,12 @@ state-version: { pkgs, ... }: -let services = with builtins; +let lib = import ./lib.nix { inherit pkgs; }; + services = with builtins; let services_no_ip = - map (s: import (./services + "/${s}") { inherit pkgs; }) + map (s: import (./services + "/${s}") { inherit pkgs lib; }) (filter (s: ! isNull (match ".*\.nix" s)) (attrNames (readDir ./services))); in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip); - lib = import ./lib.nix; secrets = import ./secrets/secrets.nix; hostIp = "10.10.0.1"; @@ -32,6 +32,11 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }: }; } ) volumes; + forwardPorts = builtins.map ({ container, host, proto }: { + containerPort = container; + hostPort = host; + protocol = proto; + }) ports.forward; config = config // { boot.isContainer = true; @@ -56,8 +61,14 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }: // + { + imports = builtins.map (service: + if service ? hostConfig + then service.hostConfig + else {}) services; + system.activationScripts.makeBindMounts = with builtins; lib.flatMapS (name: '' mkdir -p ${hostVolumeDir + name} 
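Review bot: The new `forwardPorts = builtins.map ({ container, host, proto }: ...) ports.forward` in host.nix makes `ports.forward` and all three keys mandatory for every service file, which is why postgres.nix had to gain an empty `forward = []` in the same commit; a service that omits the attribute now aborts evaluation of the whole host with a missing-attribute error. Defaulting them keeps the shape documented in services/readme.md optional: `forwardPorts = builtins.map ({ container, host, proto ? "tcp" }: {` … `}) (ports.forward or []);`. Nothing here rejects two services that claim the same `host` port, so duplicate forwards would be generated silently; an assertion, or at least a comment stating that host ports must be unique across services/, would help. The enclosing `lib.flatMap ({ name, config, ip, ports, volumes, ... }:` function starts and ends outside this hunk.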
@@ -86,6 +97,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }: # [SSHD] services.openssh = { enable = true; + ports = [ 222 ]; settings = { PermitRootLogin = "no"; PasswordAuthentication = false; @@ -96,7 +108,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }: networking = { hostName = "cafe"; - firewall.allowedTCPPorts = [ 22 80 443 ]; + firewall.allowedTCPPorts = [ 22 222 80 443 ]; firewall.allowedUDPPorts = [ ]; nat = { diff --git a/lib.nix b/lib.nix index 2803aca..f344c23 100644 --- a/lib.nix +++ b/lib.nix @@ -1,4 +1,19 @@ +{ pkgs, ... }: { flatMap = (f: list: builtins.foldl' (acc: elem: acc // elem) {} (builtins.map f list)); flatMapS = (f: list: builtins.foldl' (acc: elem: acc + elem) "" (builtins.map f list)); + git-forward-shell = pkgs.stdenv.mkDerivation { + name = "git-forward-shell"; + passthru = { + shellPath = "/bin/git-forward-shell"; + }; + phases = [ "installPhase" ]; + src = pkgs.writeScriptBin "git-forward-shell" '' + #!/bin/sh + ssh -p 2222 -o StrictHostKeyChecking=no git@gitea.containers "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" bash $@" + ''; + installPhase = '' + cp -r $src $out + ''; + }; } diff --git a/secrets/giteaForward b/secrets/giteaForward new file mode 100644 index 0000000..c669f87 Binary files /dev/null and b/secrets/giteaForward differ diff --git a/secrets/giteaForward.pub b/secrets/giteaForward.pub new file mode 100644 index 0000000..1da1a4e Binary files /dev/null and b/secrets/giteaForward.pub differ diff --git a/services/gitea.nix b/services/gitea.nix index 1cc974b..6dc14f2 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -1,9 +1,11 @@ -{ pkgs, ... }: { +{ pkgs, lib, ... }: +{ name = "gitea"; config = { services.gitea = { enable = true; appName = "My awesome Gitea server"; # Give the site a name + user = "git"; database = { type = "postgres"; host = "postgres.containers"; 
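Review bot: `firewall.allowedTCPPorts = [ 22 222 80 443 ];` keeps 22 open although the host sshd now listens on 222, and nothing on the line says why; a reader has to find `forward = [ { container = 22; host = 22; ... } ]` in services/gitea.nix to learn that 22 is forwarded into the gitea container. A comment would stop someone "cleaning up" the apparently unused port: `# 22 is forwarded into the gitea container (ports.forward in services/gitea.nix); the host's own sshd is on 222`. The enclosing `networking = {` block continues past the end of the hunk.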
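Review bot: The `ssh ... "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" bash $@"` line in `git-forward-shell` splices client-controlled text into a command line that the container's shell re-parses: both `$SSH_ORIGINAL_COMMAND` and the `$@` that sshd passes as `-c <command>` originate from whoever connects, so a `"`, `$(...)` or `;` in the requested command runs arbitrary commands as `git` inside the gitea container, whose home is the `/var/lib/gitea` state volume. The rewrite below single-quotes the command for the remote shell, refuses empty (interactive) sessions, and uses `StrictHostKeyChecking=accept-new` so the container's host key is pinned after first contact instead of never being checked. Two things I cannot verify from the diff: `-p 2222` matches no listener visible here (the container sshd in services/gitea.nix uses the default port 22), and whether the `secrets/giteaForward` key pair added in this commit, shown as a binary blob and presumably the hop key, is stored encrypted. If the container side's authorized_keys carries a forced `command=` for that key the injection is contained, but nothing in the diff shows it.
```nix
    src = pkgs.writeScriptBin "git-forward-shell" ''
      #!/bin/sh
      # Login shell for the host-side git user: hand the incoming git command to
      # the gitea container. The command text comes from the connecting client,
      # so it is single-quoted for the remote shell rather than spliced verbatim.
      cmd=$SSH_ORIGINAL_COMMAND
      [ -n "$cmd" ] || cmd=$2            # sshd invokes a login shell as: shell -c <command>
      [ -n "$cmd" ] || exit 1            # no interactive sessions through the hop
      q=$(printf '%s' "$cmd" | sed "s/'/'\\\\'\\'/g")
      exec ssh -p 2222 -o StrictHostKeyChecking=accept-new git@gitea.containers \
        "SSH_ORIGINAL_COMMAND='$q' bash -c '$q'"
    '';
```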
@@ -19,15 +21,33 @@ HTTP_PORT = 3001; }; }; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; + + users.users.git = { + home = "/var/lib/gitea"; + group = "git"; + shell = pkgs.bashInteractive; + isSystemUser = true; + }; + + users.groups.git = {}; }; ports = { - tcp = [ 3001 ]; + tcp = [ 3001 22 ]; udp = []; http = 3001; + forward = [ { container = 22; host = 22; proto = "tcp"; } ]; }; hosts = [ "localhost" ]; volumes = [{ name = "gitea-statedir"; mountPoint = "/var/lib/gitea"; - }]; # TODO + }]; } diff --git a/services/postgres.nix b/services/postgres.nix index eccab69..674d99c 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: { +{ pkgs, lib, ... }: { name = "postgres"; config = { services.postgresql = { @@ -19,6 +19,7 @@ tcp = [ 3306 ]; udp = []; http = null; + forward = []; }; hosts = [ ]; volumes = [{ diff --git a/services/readme.md b/services/readme.md index 9eded8a..509fd3b 100644 --- a/services/readme.md +++ b/services/readme.md @@ -1,18 +1,17 @@ # Services -TODO: volumes - Contains files defining services. Services are of the form: ```nix -{ pkgs, ... }: { +{ pkgs, lib, ... }: { name = "name"; config = { ... }; ports = { tcp = [ 80 ]; udp = [ 111 ]; http = 80; + forward = [ { container = 22; host = 22; proto = "tcp"; } ]; }; hosts = [ "myservice.domain.mjau" ]; volumes = [ @@ -22,5 +21,6 @@ Services are of the form: readOnly = false; }; ]; + hostConfig = { ... } } ```
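Review bot: The container sshd added here sets `PasswordAuthentication = false` but leaves `KbdInteractiveAuthentication` at the NixOS module default of true, so PAM-backed keyboard-interactive logins stay possible for any account that ever receives a password; this sshd is what now answers on the host's public port 22 through `forward = [ { container = 22; host = 22; proto = "tcp"; } ]`. Add `KbdInteractiveAuthentication = false;` and, since only the git user should be reachable on this daemon, `AllowUsers = [ "git" ];` to the `settings` block. The `git` user is also given `shell = pkgs.bashInteractive`; whether key holders get a real shell or only Gitea's serv command depends on the `command=` options written into its authorized_keys, which this diff does not show — worth confirming, or a comment on the `shell` line stating why an interactive shell is needed.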