diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
index 3411dce..ee774d8 100644
--- a/hosts/cirrus/default.nix
+++ b/hosts/cirrus/default.nix
@@ -29,6 +29,7 @@
 forgejo = {
 enable = true;
 domain = "git.sstork.dev";
+ ssh.enable = true;
 };

 caddy.virtualHosts = {
diff --git a/modules/system/services/forgejo/ssh.nix b/modules/system/services/forgejo/ssh.nix
new file mode 100644
index 0000000..6d1eeac
--- /dev/null
+++ b/modules/system/services/forgejo/ssh.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+{
+ options.custom.services.forgejo.ssh.enable = lib.mkEnableOption "";
+
+ config = lib.mkIf config.custom.services.forgejo.ssh.enable {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ AllowUsers = [ config.users.users.forgejo.name ];
+ # https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+ AcceptEnv = "GIT_PROTOCOL";
+ };
+ };
+ };
+}
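Review bot: `AllowUsers = [ config.users.users.forgejo.name ];` in the new ssh.nix is a host-wide sshd setting, so once the module is enabled the forgejo account is the only one that can log in over SSH unless another module (not visible here) extends the list. That is a sound least-privilege default, but it should be marked as intentional with a comment such as `# host-wide: only the forgejo account may log in over SSH; admin access needs another path`. The expression also assumes `users.users.forgejo` exists, so enabling `ssh.enable` while Forgejo itself is off would presumably fail evaluation with a missing-attribute error; consider `AllowUsers = [ config.services.forgejo.user ];` and gating the `mkIf` on the module's Forgejo enable option as well. Separately, `lib.mkEnableOption ""` leaves the option undocumented; something like `lib.mkEnableOption "Git over SSH for Forgejo through the system OpenSSH daemon"` would describe it.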