diff --git a/secrets/gitea-runner-gospel.age b/secrets/gitea-runner-gospel.age
index c902be2..77456f9 100644
Binary files a/secrets/gitea-runner-gospel.age and b/secrets/gitea-runner-gospel.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b9696db..4d53ec0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,15 +7,17 @@ let
 node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
 pi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9fnNXzEmDdmtR+KWj/M9vQioFR0s/4jMnIkUFcj8As";
 proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAf6Z7SZEOH3H51T/GPIc/B0OpbaydM5l2PP3nMnwpFl";
+ git = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8JLy/ipBfOet3/KT7rXOXHDjjmt+VqqQb3V+ILIuDN";
 };
 in {
 "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4 machines.proxy];
- "nextcloud_admin.age".publicKeys = [users.me machines.node machines.gospel];
- "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4 machines.gospel];
- "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];
- "teslamate_db.age".publicKeys = [users.me machines.node machines.gospel];
- "teslamate_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];
- "teslamate_encryption.age".publicKeys = [users.me machines.node machines.gospel];
- "hydra-aws-creds.age".publicKeys = [users.me machines.gospel];
 "gitea-runner-gospel.age".publicKeys = [users.me machines.gospel];
+ "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];
+ "hydra-aws-creds.age".publicKeys = [users.me machines.gospel];
+ "nextcloud_admin.age".publicKeys = [users.me machines.node machines.gospel];
+ "tailscale_git_server.age".publicKeys = [users.me machines.git]; # This key expires, might have to update
+ "teslamate_db.age".publicKeys = [users.me machines.node machines.gospel];
+ "teslamate_encryption.age".publicKeys = [users.me machines.node machines.gospel];
+ "teslamate_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];
+ "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4 machines.gospel];
 }
diff --git a/secrets/tailscale_git_server.age b/secrets/tailscale_git_server.age
new file mode 100644
index 0000000..1b73a72
Binary files /dev/null and b/secrets/tailscale_git_server.age differ
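Review bot: The comment on the new `tailscale_git_server.age` entry says the key expires but not when, and an age ciphertext cannot be inspected later, so the expiry and the key's properties should be recorded next to it, e.g. `# Tailscale auth key for the git droplet; expires YYYY-MM-DD — reusable/ephemeral/tag settings are only visible in the Tailscale admin console`. If the key was generated as reusable, anyone able to decrypt this file (users.me plus the `git` host) can enrol additional nodes into the tailnet until it expires, so a single-use key is the safer choice for one server. The `git` identity added to `machines` is an SSH host key, and agenix decrypts with the host's key at activation, so a rebuilt droplet with fresh host keys will presumably no longer be able to decrypt this secret — worth a note alongside the expiry caveat.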
diff --git a/systems/x86_64-linux/git/default.nix b/systems/x86_64-linux/git/default.nix
index 291d4c7..eea3bd9 100644
--- a/systems/x86_64-linux/git/default.nix
+++ b/systems/x86_64-linux/git/default.nix
@@ -4,9 +4,12 @@
 ...
 }: let
 domain = "git.alejandr0angul0.dev";
+ secrets = config.age.secrets;
 in {
 imports = ["${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-config.nix"];
+ age.secrets.authKeyFile.file = ../../../secrets/tailscale_git_server.age;
+
 aa = {
 nix.enable = true;
@@ -17,6 +20,10 @@ in {
 services = {
 openssh.enable = true;
+ tailscale = {
+ enable = true;
+ configureClientRouting = true;
+ };
 };
 };
@@ -25,6 +32,11 @@ in {
 enableACME = true;
 };
+ services.tailscale = {
+ authKeyFile = secrets.authKeyFile.path;
+ extraUpFlags = ["--ssh"];
+ };
+
 security.acme = {
 acceptTerms = true;
 defaults = {
diff --git a/systems/x86_64-linux/gospel/default.nix b/systems/x86_64-linux/gospel/default.nix
index 6417f98..e72a6d2 100644
--- a/systems/x86_64-linux/gospel/default.nix
+++ b/systems/x86_64-linux/gospel/default.nix
@@ -76,18 +76,21 @@
 })
 ];
- services.gitea-actions-runner.instances = {
- gospel = {
- enable = true;
- name = config.networking.hostName;
- url = "https://gitea.kilonull.com";
- tokenFile = config.age.secrets.gitea-runner-gospel.path;
- labels = [
- "ubuntu-latest:docker://node:16-bullseye"
- "ubuntu-22.04:docker://node:16-bullseye"
- "ubuntu-20.04:docker://node:16-bullseye"
- "ubuntu-18.04:docker://node:16-buster"
- ];
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances = {
+ gospel = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.alejandr0angul0.dev";
+ tokenFile = config.age.secrets.gitea-runner-gospel.path;
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
+ ];
+ };
 };
 };
 virtualisation = {
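Review bot: `age.secrets.authKeyFile` is a generic name for what is specifically the Tailscale auth key, and it hides the link back to `secrets/tailscale_git_server.age`; naming the secret after the file keeps the mapping obvious, e.g. `age.secrets.tailscale-auth-key.file = ../../../secrets/tailscale_git_server.age;` with `secrets.tailscale-auth-key.path` at the consumer. The agenix defaults (root-owned, not readable by other users, as far as I recall) are the right fit here because tailscaled runs as root, so no owner or mode override is needed — a one-line comment saying so would stop someone loosening it later. The `let` block and the attribute set this hunk touches both continue outside the hunk.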
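Review bot: `extraUpFlags = ["--ssh"]` enables Tailscale SSH on a host that also keeps `openssh.enable = true` (previous hunk) and, as a DigitalOcean droplet, is reachable from the internet, so there are now two independent remote-login paths and nothing in this file records who may use the new one. Tailscale SSH authorizes sessions from the tailnet ACL `ssh` rules rather than from NixOS users or authorized_keys, so add a comment pointing at that policy, e.g. `# Tailscale SSH: who may log in, and as which user, is decided by the tailnet ACL "ssh" section, not by sshd — keep it to users.me`. As far as I can tell the NixOS autoconnect unit only uses `authKeyFile` when the node is not yet logged in, so the expiry noted in secrets.nix will not break this host once enrolled, but a rebuilt droplet will fail to join until the secret is re-issued; that caveat belongs here as well. The `in { … }` attribute set continues past the hunk.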
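Review bot: The runner is re-pointed at the new Forgejo instance, but its labels still map every `ubuntu-*` job to `node:16-bullseye` / `node:16-buster`, which are mutable tags of an end-of-life Node.js release (16 left maintenance in 2023), so each job runs an unpatched userland that can change upstream without any change here. Pin by digest (`node:16-bullseye@sha256:…`) or move to a supported base image, and document what these labels mean for the host, e.g. `# These images decide which userland runs workflow jobs dispatched by git.alejandr0angul0.dev — keep them supported and digest-pinned`. The `gitea-runner-gospel.age` token was replaced in the same commit, presumably because the `url`/`name` change requires re-registration against the new server; a comment on `tokenFile` saying that re-registration needs a fresh token rather than a rebuild would save the next person a puzzle. The enclosing attribute set runs past the hunk into `virtualisation = {`.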