diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index d3f4c24..3f521ae 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix @@ -10,20 +10,20 @@ forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}"; in { meta.wireguard-proxy.sentinel.allowedTCPPorts = [ - config.services.gitea.settings.server.HTTP_PORT + config.services.forgejo.settings.server.HTTP_PORT ]; age.secrets.forgejo-mailer-password = { rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age"; mode = "440"; - inherit (config.services.gitea) group; + inherit (config.services.forgejo) group; }; # Mirror the original oauth2 secret age.secrets.forgejo-oauth2-client-secret = { inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-forgejo) rekeyFile; mode = "440"; - inherit (config.services.gitea) group; + inherit (config.services.forgejo) group; }; nodes.sentinel = { @@ -53,7 +53,7 @@ in { services.nginx = { upstreams.forgejo = { - servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = {}; extraConfig = '' zone forgejo 64k; keepalive 2; @@ -84,18 +84,16 @@ in { environment.persistence."/persist".directories = [ { - directory = config.services.gitea.stateDir; - user = "gitea"; - group = "gitea"; + directory = config.services.forgejo.stateDir; + user = "forgejo"; + group = "forgejo"; mode = "0700"; } ]; - services.gitea = { + services.forgejo = { enable = true; - package = pkgs.forgejo; appName = "Redlew Git"; # tungsten inert gas? - stateDir = "/var/lib/forgejo"; # TODO db backups # dump.enable = true; lfs.enable = true; 
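Review bot: The persistence entry for `config.services.forgejo.stateDir` hard-codes `user = "forgejo"; group = "forgejo";`, while the secret declarations earlier in the same file take the group from `config.services.forgejo`; deriving both from the module, `user = config.services.forgejo.user; group = config.services.forgejo.group;`, keeps the 0700 ownership tied to whatever account the service actually runs as, so a later override of the service user cannot leave the persisted state owned by a different account (this assumes the forgejo module exposes a `user` option alongside the `group` it already reads here). The new `services.forgejo` block also drops the explicit `stateDir`, so the persisted path now follows the module default; the users.nix hunk keeps uid/gid 983 for the renamed account, which presumably lets existing data keep a valid owner, but that is worth confirming on the host before the first boot with this change. The `services.forgejo` attrset continues outside the hunk.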
@@ -112,7 +110,7 @@ in { # federation.ENABLED = true; mailer = { ENABLED = true; - HOST = config.repo.secrets.local.forgejo.mail.host; + SMTP_ADDR = config.repo.secrets.local.forgejo.mail.host; FROM = config.repo.secrets.local.forgejo.mail.from; USER = config.repo.secrets.local.forgejo.mail.user; SEND_AS_PLAIN_TEXT = true; @@ -166,10 +164,10 @@ in { }; }; - systemd.services.gitea = { + systemd.services.forgejo = { serviceConfig.RestartSec = "600"; # Retry every 10 minutes preStart = let - exe = lib.getExe config.services.gitea.package; + exe = lib.getExe config.services.forgejo.package; providerName = "kanidm"; clientId = "forgejo"; args = lib.escapeShellArgs [ @@ -185,8 +183,6 @@ in { "email" "--scopes" "profile" - "--scopes" - "groups" "--group-claim-name" "groups" "--admin-group" diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index bd2db4b..e9666cb 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -1,7 +1,6 @@ { config, nodes, - pkgs, ... }: let inherit (sentinelCfg.repo.secrets.local) personalDomain; @@ -180,6 +179,5 @@ in { }; }; - environment.systemPackages = [pkgs.kanidm]; systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute } diff --git a/modules/config/users.nix b/modules/config/users.nix index df68bed..2fd56c3 100644 --- a/modules/config/users.nix +++ b/modules/config/users.nix @@ -23,7 +23,7 @@ influxdb2 = uidGid 986; telegraf = uidGid 985; rtkit = uidGid 984; - gitea = uidGid 983; + forgejo = uidGid 983; redis-paperless = uidGid 982; nixseparatedebuginfod = uidGid 981; msr = uidGid 980; diff --git a/pkgs/default.nix b/pkgs/default.nix index abb3a1d..5ebe973 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
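Review bot: `SMTP_ADDR` names only the mail host, so the port and transport encryption that the old `HOST` value may have carried as `host:port` now come from `SMTP_PORT` and `PROTOCOL`, and neither is set in this hunk; if `mail.host` still contains a port suffix the mailer will fail to resolve it, and if it does not, the transport is left to Forgejo's defaults. Since the password from `forgejo-mailer-password` is sent on this connection, set them explicitly next to the changed line, e.g. `SMTP_ADDR = config.repo.secrets.local.forgejo.mail.host;` `SMTP_PORT = 465;` `PROTOCOL = "smtps";` (or `smtp+starttls` with the port your provider uses), so that the credentials cannot be submitted over a cleartext session. The `mailer` attrset continues outside the hunk, so these may already be set there.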
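Review bot: Dropping `"--scopes" "groups"` while keeping `"--group-claim-name" "groups"` means admin assignment via `--admin-group` now relies on Kanidm including the `groups` claim in tokens without that scope being requested; if it does not, logins still succeed but nobody is mapped to admin, and the failure is silent. Please confirm on the Kanidm side that group membership is exposed to the `forgejo` client under the `openid`/`profile`/`email` scopes still requested here, and after deploying check that a member of the admin group receives the admin flag on a fresh login. The `args` list and the `--admin-group` value continue outside the hunk.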
@@ -22,7 +22,6 @@
 doCheck = false;
 });
 kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
- kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};
 segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
 zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
 awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {};
diff --git a/pkgs/kanidm-secret-manipulator.nix b/pkgs/kanidm-secret-manipulator.nix
deleted file mode 100644
index 30d2d36..0000000
--- a/pkgs/kanidm-secret-manipulator.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- lib,
- rustPlatform,
- fetchFromGitHub,
- pkg-config,
- sqlite,
-}:
-rustPlatform.buildRustPackage rec {
- pname = "kanidm-secret-manipulator";
- version = "1.0.1";
-
- src = fetchFromGitHub {
- owner = "oddlama";
- repo = "kanidm-secret-manipulator";
- rev = "v${version}";
- hash = "sha256-Vv5edTBz5MWHHCWYN5z4KnqPpLZIDTzTcWXnrLBqdgM=";
- };
-
- cargoHash = "sha256-x/oTiaI4RHdt8pndPhsYQn8PclM0q6RDqTaQ0ODCrh4=";
-
- nativeBuildInputs = [pkg-config];
- buildInputs = [sqlite];
-
- meta = with lib; {
- description = "A helper utility that modifies the kanidm database to allow provisioning declarative secrets with NixOS";
- license = licenses.mit;
- maintainers = with maintainers; [oddlama];
- mainProgram = "kanidm-secret-manipulator";
- };
-}