diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix
index fbf2aa3..d9d881c 100644
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@@ -78,14 +78,26 @@ in {
 };
 };
 
- # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
- services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
+ users.groups.git = {};
+ users.users.git = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "git";
+ home = config.services.forgejo.stateDir;
+ };
+
+ services.openssh = {
+ authorizedKeysFiles = lib.mkForce [
+ "${config.services.forgejo.stateDir}/.ssh/authorized_keys"
+ ];
+ # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+ settings.AcceptEnv = "GIT_PROTOCOL";
+ };
 
 environment.persistence."/persist".directories = [
 {
 directory = config.services.forgejo.stateDir;
- user = "forgejo";
- group = "forgejo";
+ inherit (config.services.forgejo) user group;
 mode = "0700";
 }
 ];
@@ -94,6 +106,8 @@ in {
 enable = true;
 # TODO db backups
 # dump.enable = true;
+ user = "git";
+ group = "git";
 lfs.enable = true;
 mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
 settings = {
@@ -148,6 +162,7 @@ in {
 ROOT_URL = "https://${forgejoDomain}/";
 LANDING_PAGE = "login";
 SSH_PORT = 9922;
+ SSH_USER = "git";
 };
 service = {
 DISABLE_REGISTRATION = false;
diff --git a/modules/config/users.nix b/modules/config/users.nix
index 2fd56c3..5693e9d 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -23,7 +23,7 @@
 influxdb2 = uidGid 986;
 telegraf = uidGid 985;
 rtkit = uidGid 984;
- forgejo = uidGid 983;
+ git = uidGid 983;
 redis-paperless = uidGid 982;
 nixseparatedebuginfod = uidGid 981;
 msr = uidGid 980;
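Review bot: `authorizedKeysFiles = lib.mkForce [ "${config.services.forgejo.stateDir}/.ssh/authorized_keys" ]` hands sshd a single absolute path with no `%h`/`%u` token, so it is consulted for every account, not only `git`: any key Forgejo writes into that file becomes a valid key for every other user sshd permits (the entries Forgejo writes carry a forced command, which narrows but does not remove that exposure), and the `mkForce` also discards the NixOS defaults (`%h/.ssh/authorized_keys` and, as far as I recall, `/etc/ssh/authorized_keys.d/%u`, which is where `users.users.<name>.openssh.authorizedKeys` are materialised), so administrative key logins on this guest stop working. Because `home = config.services.forgejo.stateDir` is set on the `git` user, the default `%h/.ssh/authorized_keys` already resolves to exactly this file, so the override can simply be dropped; if an explicit path is preferred, scope it to the one user with `services.openssh.extraConfig = ''Match User git` / `  AuthorizedKeysFile ${config.services.forgejo.stateDir}/.ssh/authorized_keys` / `'';`. Either way, sshd's StrictModes requires the home directory and its `.ssh` to be owned by `git` and not group/world-writable, which the `mode = "0700"` persistence entry below only guarantees if the bind mount preserves ownership — worth confirming after the first boot. The enclosing attribute set starts before the hunk.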
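Review bot: Switching the service to `user = "git"` changes which uid reads `mailerPasswordFile` and the existing state, and neither side is covered by this hunk: `config.age.secrets.forgejo-mailer-password` is declared outside the diff, and if it was given `owner = "forgejo"` (or left at the root-only default) the service will no longer be able to open it, so it needs `owner = "git"` in the same change. The on-disk state keeps working only because `modules/config/users.nix` reassigns uid/gid 983 from `forgejo` to `git`, so files created by the old user stay numerically owned by the new one; that coupling should be written down next to these two lines, e.g. `# git reuses forgejo's uid/gid 983 (modules/config/users.nix); existing stateDir files need no chown`. The `services.forgejo` block starts before and ends after the hunk.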