diff --git a/hosts/tsuki/services/gitea/default.nix b/hosts/tsuki/services/gitea/default.nix
index 283836d..fb8dd2c 100644
--- a/hosts/tsuki/services/gitea/default.nix
+++ b/hosts/tsuki/services/gitea/default.nix
@@ -10,6 +10,7 @@
     group = "gitea";
     isSystemUser = true;
     uid = config.ids.uids.git;
+    packages = with unstable-pkgs; [ gitea ];
   };
 
   services.gitea = {
@@ -29,7 +30,10 @@
     };
 
     database = {
-      user = "git";
+      type = "postgres";
+      user = "gitea";
+      passwordFile = secrets.keys.postgres.gitea;
+      createDatabase = false;
     };
 
     settings = {
@@ -85,6 +89,10 @@
     };
   };
 
+  # TODO: remove when updating to nixpkgs 22.11
+  systemd.services.gitea.serviceConfig.SystemCallFilter = 
+    lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+
   system.activationScripts.linkGiteaThemes.text = let
     themes = pkgs.stdenv.mkDerivation {
       pname = "gitea-themes";