diff --git a/hosts/boron.cx.ts.hillion.co.uk/default.nix b/hosts/boron.cx.ts.hillion.co.uk/default.nix
index 49615a0..bac1155 100644
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@@ -106,6 +106,8 @@
 interfaces = {
 eth0 = {
 allowedTCPPorts = lib.mkForce [
+ 22 # SSH
+ 3022 # SSH (Gitea) - redirected to 22
 53 # DNS
 80 # HTTP 1-2
 443 # HTTPS 1-2
diff --git a/hosts/jorah.cx.ts.hillion.co.uk/default.nix b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
index fc6d4ee..d74668d 100644
--- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
@@ -82,10 +82,7 @@
 networking.firewall = {
 trustedInterfaces = [ "tailscale0" ];
- allowedTCPPorts = lib.mkForce [
- 22 # SSH
- 3022 # Gitea SSH (accessed via public 22)
- ];
+ allowedTCPPorts = lib.mkForce [ ];
 allowedUDPPorts = lib.mkForce [ ];
 interfaces = {
 eth0 = {
diff --git a/modules/ids.nix b/modules/ids.nix
index 92d1d4a..929acfc 100644
--- a/modules/ids.nix
+++ b/modules/ids.nix
@@ -6,6 +6,7 @@
 ## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
 unifi = 183;
 chia = 185;
+ gitea = 186;
 ## Consistent People
 jake = 1000;
@@ -15,6 +16,7 @@
 ## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
 unifi = 183;
 chia = 185;
+ gitea = 186;
 ## Consistent Groups
 mediaaccess = 1200;
diff --git a/modules/locations.nix b/modules/locations.nix
index 9c51f8a..5cf8630 100644
--- a/modules/locations.nix
+++ b/modules/locations.nix
@@ -24,7 +24,7 @@ in
 "jorah.cx.ts.hillion.co.uk"
 ];
 downloads = "tywin.storage.ts.hillion.co.uk";
- gitea = "jorah.cx.ts.hillion.co.uk";
+ gitea = "boron.cx.ts.hillion.co.uk";
 homeassistant = "microserver.home.ts.hillion.co.uk";
 mastodon = "";
 matrix = "jorah.cx.ts.hillion.co.uk";
diff --git a/modules/services/gitea/gitea.nix b/modules/services/gitea/gitea.nix
index eb7520f..68f895e 100644
--- a/modules/services/gitea/gitea.nix
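Review bot: The comment on the new `3022` line is ambiguous about direction: `redirected to 22` reads as 3022 being forwarded to 22, whereas the line this same commit removes from jorah described the opposite (`accessed via public 22`). Opening both 22 and 3022 on eth0 is only necessary if the host's own sshd is meant to be reachable from the public interface as well as Gitea's SSH; if public 22 is NAT-redirected to 3022 by a rule elsewhere, the filter chain sees the post-redirect port, so the `22` entry exposes the host sshd rather than Gitea. Suggest making both explicit, e.g. `22 # SSH (host sshd, reachable on eth0)` and `3022 # Gitea SSH (public 22 is NAT-redirected to this port; rule in <REDIRECT-RULE-FILE>)`. The redirect rule itself is not in this diff, so this reading is inferred from the comments, and the enclosing firewall block starts and ends outside the hunk.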
+++ b/modules/services/gitea/gitea.nix
@@ -50,6 +50,9 @@ in
 };
 };
+ users.users.gitea.uid = config.ids.uids.gitea;
+ users.groups.gitea.gid = config.ids.gids.gitea;
+
 services.gitea = {
 enable = true;
 package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
diff --git a/secrets/gitea/lfs_jwt_secret.age b/secrets/gitea/lfs_jwt_secret.age
index 40a2930..acf4112 100644
Binary files a/secrets/gitea/lfs_jwt_secret.age and b/secrets/gitea/lfs_jwt_secret.age differ
diff --git a/secrets/gitea/mailer_password.age b/secrets/gitea/mailer_password.age
index 8cc0537..620dc83 100644
--- a/secrets/gitea/mailer_password.age
+++ b/secrets/gitea/mailer_password.age
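Review bot: The two new `users.*` lines pin Gitea's uid/gid to the values added in `modules/ids.nix` in this commit but carry no comment saying why a fixed ID matters here; presumably so ownership of Gitea's state directory stays valid when the data is copied between hosts (the commit moves the service from jorah to boron), but that motivation is inferred. Suggest `# Pin uid/gid (modules/ids.nix) so Gitea's data keeps consistent ownership when moved between hosts` above them. It is also worth confirming that 186 is not already taken in the nixpkgs ids.nix that the comment in `modules/ids.nix` links to, since the list there is what the "Defined System Users" heading claims to track. The enclosing attribute set starts and ends outside the hunk.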
@@ -1,19 +1,19 @@ age-encryption.org/v1 -> ssh-rsa GxPFJQ -gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk -9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q -kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR -QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST -GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM -K+hgOULnfi+jIDw5U0HJKQ +EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz +Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i +Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD +mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO +FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG +qnk+0bYAk3pWfdXW9Z/psQ -> ssh-rsa K9mW1w -TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs -V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V -4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja -3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf -5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG -lPijgnL0SUte+Df3/wXt7Q --> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A -3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc ---- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU - -?Q5`Y_Ќ5,u.:ʻAoT cpNF[X f4Gs \ No newline at end of file +NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4 +cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH +RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ +330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ +iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs +84Xu2vwg9ikUz7B1tTBYeA +-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM +UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck +--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk +u _nTx#H-7y琨BujZH'&_#3Hͽ0f  B֙Lz \ No newline at end of file 
diff --git a/secrets/gitea/oauth_jwt_secret.age b/secrets/gitea/oauth_jwt_secret.age
index 22c5966..bbebf6c 100644
Binary files a/secrets/gitea/oauth_jwt_secret.age and b/secrets/gitea/oauth_jwt_secret.age differ
diff --git a/secrets/gitea/security_internal_token.age b/secrets/gitea/security_internal_token.age
index 6ba7b19..8605173 100644
Binary files a/secrets/gitea/security_internal_token.age and b/secrets/gitea/security_internal_token.age differ
diff --git a/secrets/gitea/security_secret_key.age b/secrets/gitea/security_secret_key.age
index d1954f3..eeecfd0 100644
Binary files a/secrets/gitea/security_secret_key.age and b/secrets/gitea/security_secret_key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fffbea9..404dddc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -110,11 +110,11 @@ in
 "deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
 # Gitea Secrets
- "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
- "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
- "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
- "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
- "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+ "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+ "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+ "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+ "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+ "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
 "gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
 "gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
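Review bot: Swapping the recipient from `ts.cx.jorah` to `ts.cx.boron` on these five entries re-encrypts the ciphertexts but does not revoke jorah's ability to decrypt the previous versions, which stay in git history, and jorah keeps whatever it has already decrypted until it is redeployed. If the move is meant to end jorah's access to these secrets, the values themselves (`security_secret_key`, `security_internal_token`, the two JWT secrets and the mailer password) need rotating rather than only re-keying; the diff cannot show whether the plaintexts changed, so recording it with a comment such as `# Rotated on move from jorah to boron` above the block, or in the commit message, would settle that for the next reader. The same point applies to the re-encrypted `.age` files earlier in this commit.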