diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index fdc941fb..d6bb7e04 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -41,6 +41,9 @@
 users.groups.gitea = {};
+ # Expose SSH port only for forgejo SSH
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
 services.forgejo = {
 enable = true;
 user = "gitea";
@@ -63,6 +66,7 @@
 DOMAIN = "git.pub.solar";
 HTTP_ADDR = "127.0.0.1";
 HTTP_PORT = 3000;
+ START_SSH_SERVER = true;
 };
 log.LEVEL = "Warn";
diff --git a/modules/networking.nix b/modules/networking.nix
index 21242d32..9c81c1e0 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,10 +1,11 @@
 { pkgs, lib, ... }: {
 # Don't expose SSH via public interfaces
- networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 2222 ];
 services.openssh = {
 enable = true;
 openFirewall = lib.mkDefault false;
+ ports = [ 2222 ];
 settings = {
 PermitRootLogin = "prohibit-password";
 PasswordAuthentication = false;
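Review bot: `networking.firewall.allowedTCPPorts = [ 22 ]` opens port 22 on every interface, while the comment directly above says the port is exposed "only for forgejo SSH"; nothing in the firewall ties the port to the Forgejo listener, so the comment should say what is actually meant, e.g. `# Port 22 is answered by forgejo's built-in SSH server on all interfaces; sshd listens on 2222 (see modules/networking.nix)`. Because sshd on this host only leaves port 22 through the separate change in modules/networking.nix, both files have to land in the same generation: on a host where sshd still binds 22, this rule would make it reachable from the public interfaces that the existing wg-ssh-only rule was meant to keep it off. The enclosing attribute set continues outside the hunk.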
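Review bot: `START_SSH_SERVER = true` turns on Forgejo's built-in SSH server without stating which port it binds; the intended port 22 is only implied by the firewall rule in the previous hunk, so make it explicit with `SSH_PORT = 22;` next to it (and `SSH_LISTEN_PORT` if the listening port should differ from the one advertised in clone URLs). The service runs as the unprivileged `gitea` user, and whether it may bind a port below 1024 depends on the systemd unit's capability set and sandboxing, which are not visible here — confirm the listener actually comes up on 22 after the switch rather than failing behind a firewall port that is now open regardless. The built-in server also presents its own host key instead of the OpenSSH key that previously answered on 22, so existing users will get a changed-host-key warning; publish the new fingerprint so they do not learn to accept such warnings blindly. The `settings.server` block continues outside the hunk.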
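Review bot: `ports = [ 2222 ];` moves sshd for every host that imports this shared module, not only nachtigall, and no host keeps listening on 22 during the transition, so any admin session, deployment tooling or `known_hosts` entry still pointing at port 22 over wg-ssh is locked out at the first switch. The line deserves a comment recording the reason and the coupling, e.g. `# Port 22 is taken by forgejo's built-in SSH server on nachtigall; keep the wg-ssh firewall rule above in sync`. Consider `ports = lib.mkDefault [ 2222 ];` so individual hosts can override it, matching how `openFirewall` is declared two lines above.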