diff --git a/services/acme-cert-store.nix b/services/acme-cert-store.nix
index 7f05bb8..30f24ce 100644
--- a/services/acme-cert-store.nix
+++ b/services/acme-cert-store.nix
@@ -5,6 +5,7 @@
       description = "Read-only access to certs";
       openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ gitea"
       ];
     };
diff --git a/services/gitea.nix b/services/gitea.nix
index 1f7708d..d805bbc 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -1,11 +1,8 @@
 { config, ... }:
 {
-  imports = [ ./acme-dns.nix ];
+  imports = [ ./cert-store-client.nix ];
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  networking.firewall.allowedTCPPorts = [ 443 ];
   networking.firewall.allowedUDPPorts = [ 443 ];
   services = {
@@ -53,8 +50,8 @@
       virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
         forceSSL = true;
         kTLS = true;
-        enableACME = true;
-        acmeRoot = null;
+        sslCertificate = "/mnt/acme/fullchain.pem";
+        sslCertificateKey = "/mnt/acme/key.pem";
         locations."/" = {
           proxyPass = "http://localhost:8000";
         };
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 72cf342..a065e72 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -2,10 +2,7 @@
 {
   imports = [ ./cert-store-client.nix ];
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  networking.firewall.allowedTCPPorts = [ 443 ];
   networking.firewall.allowedUDPPorts = [ 443 ];
   services = {
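Review bot: The added `gitea` key carries no authorized_keys options, so at the SSH layer it is an unrestricted login to the cert-store account; the "Read-only access to certs" in the `description` line above is presumably enforced only by file permissions on the store. Prefixing the entry with `restrict` (and `command=...` if cert-store-client.nix uses a fixed transfer command such as sftp) would make the key's capability match the account's stated purpose, and the same applies to the existing `nextcloud` entry. Since the list is concatenated onto `config.users.users.root.openssh.authorizedKeys.keys`, every root operator key already reaches the store too; a comment stating that this is intentional, e.g. `# root operators are implicitly trusted to read the certs`, would save the next reader from wondering. The enclosing user definition starts outside the hunk.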
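Review bot: With TCP 80 removed from `allowedTCPPorts`, the HTTP-to-HTTPS redirect listener that `forceSSL = true` (visible in the second gitea.nix hunk) still configures on port 80 becomes unreachable from outside; either set `onlySSL = true;` on that vhost so nginx stops binding 80 at all, or keep 80 open if the redirect is wanted. Closing 80 is consistent with dropping `enableACME`, since no HTTP-01 challenge needs it any more, but the identical list rewrite in services/nextcloud.nix should be checked against that host's vhost setting, which is not in this diff. The `imports` swap also means this host no longer carries whatever acme-dns.nix provided; if that module held a DNS-provider credential and is now unused everywhere, it is worth removing it and rotating the credential.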
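Review bot: Replacing `enableACME` with static `sslCertificate`/`sslCertificateKey` paths drops the nginx reload hook that the NixOS ACME module installs, so nginx will keep serving the certificate it loaded at startup until something reloads it, even after the store behind `/mnt/acme` rotates `fullchain.pem`. Unless cert-store-client.nix (not in this diff) already reloads nginx on change, add a systemd path unit watching `/mnt/acme/fullchain.pem`, or a periodic timer, whose service runs `systemctl reload nginx`. Also confirm the mount presents `key.pem` readable by the nginx master process but not by the `nginx` worker user or world, since the module no longer manages the key's ownership and mode. The virtualHosts block continues outside the hunk.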