diff --git a/hosts/muho/configuration.nix b/hosts/muho/configuration.nix
index 44718ca..22716c4 100644
--- a/hosts/muho/configuration.nix
+++ b/hosts/muho/configuration.nix
@@ -38,6 +38,7 @@ in {
 mods.server.homebox.enable = true;
 mods.server.share.enable = true;
 mods.server.vault.enable = true;
+ mods.server.git.enable = true;
 mods.tailscale.enable = true;
 mods.wireguard.id = 3;
diff --git a/hosts/ports.nix b/hosts/ports.nix
index 3f02287..de80ebc 100644
--- a/hosts/ports.nix
+++ b/hosts/ports.nix
@@ -2,9 +2,10 @@
 mods.server.nginx.ports = {
 photos = 3001;
 homebox = 3002;
- git = 3003;
+ # immich-machine-learning = 3003;
 share = 3004;
 vault = 3005;
+ git = 3006;
 search = 8081;
 videos = 8082;
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index bd7aa5a..b3ef4ad 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -16,5 +16,6 @@
 ./homebox.nix
 ./share.nix
 ./vault.nix
+ ./git.nix
 ];
 }
diff --git a/modules/nixos/server/git.nix b/modules/nixos/server/git.nix
index 018a73e..6605555 100644
--- a/modules/nixos/server/git.nix
+++ b/modules/nixos/server/git.nix
@@ -15,13 +15,13 @@ in with lib; {
 config = mkIf cfg.enable {
 services.forgejo = {
 enable = true;
- stateDir = "/srv/forgejo";
 lfs.enable = true;
 settings.server = {
 HTTP_ADDR = "0.0.0.0";
 HTTP_PORT = port;
- SSH_PORT = 91722;
+ SSH_PORT = 22917;
 DOMAIN = "git.muon.host";
+ ROOT_URL = "https://git.muon.host";
 };
 };
 };
diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix
index 2cf0163..d5394db 100644
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
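Review bot: In the modules/nixos/server/git.nix hunk, `HTTP_ADDR = "0.0.0.0";` is kept while the new `ROOT_URL = "https://git.muon.host";` says the instance is meant to be reached through the TLS reverse proxy, so the plain-HTTP listener on `port` stays reachable on every interface unless a firewall rule outside this hunk blocks it. If nginx runs on the same host (not visible here), `HTTP_ADDR = "127.0.0.1";` keeps clients from bypassing the proxy and the headers it adds. Separately, `SSH_PORT` only sets the port advertised in clone URLs; Forgejo listens on it itself only when `START_SSH_SERVER = true;` is set, so the corrected value needs a matching listener. The enclosing module starts above the hunk.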
@@ -53,7 +53,7 @@ in with lib; {
 # add_header Strict-Transport-Security $hsts_header;
 # Enable CSP for your services.
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 # Minimize information leaked to other domains
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -69,6 +69,9 @@ in with lib; {
 # required when the server wants to use HTTP Authentication
 proxy_pass_header Authorization;
+
+ # This is necessary to pass the correct IP to be hashed
+ real_ip_header X-Real-IP;
 '';
 virtualHosts = let
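Review bot: Enabling `add_header Content-Security-Policy ... always;` in this shared block puts one `script-src 'self'` policy on every proxied service at once, presumably at the http level since the string closes just before `virtualHosts`. Applications that rely on inline scripts will break, and an upstream that already sends its own CSP ends up with two policies that the browser enforces together. nginx also stops inheriting these `add_header` lines in any server or location block that declares an `add_header` of its own, so coverage may be less uniform than it looks. Consider starting with `Content-Security-Policy-Report-Only` or setting the policy per virtual host; note that the HSTS line above is still commented out. The surrounding config string starts above the hunk.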
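Review bot: `real_ip_header X-Real-IP;` is added without a `set_real_ip_from` directive in the visible lines, and nginx's realip module only rewrites the client address for connections arriving from addresses listed there, so on its own this line likely changes nothing. When adding it, list only the fronting proxy, for example `set_real_ip_from <trusted-proxy-address>;` (placeholder), because trusting a wider range lets any client choose the address that gets logged and hashed by sending its own `X-Real-IP` header. If this nginx is itself the internet-facing edge, the directive is better dropped. The enclosing config string starts above the hunk.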