diff --git a/nixos/boxes/colony/vms/git/default.nix b/nixos/boxes/colony/vms/git/default.nix index 2f789fc..d0781ea 100644 --- a/nixos/boxes/colony/vms/git/default.nix +++ b/nixos/boxes/colony/vms/git/default.nix @@ -1,6 +1,7 @@ { lib, ... }: let inherit (lib.my) net; + inherit (lib.my.c) pubDomain; inherit (lib.my.c.colony) domain prefixes; in { diff --git a/nixos/boxes/colony/vms/git/gitea.nix b/nixos/boxes/colony/vms/git/gitea.nix index 6830d9e..3f89323 100644 --- a/nixos/boxes/colony/vms/git/gitea.nix +++ b/nixos/boxes/colony/vms/git/gitea.nix @@ -25,6 +25,18 @@ in systemd = { services = { + # TODO: Figure out a way to do this properly... redirecting localhost is awkward... + local-http-forward = { + description = "Forward local HTTP connections"; + serviceConfig.ExecStart = "${pkgs.socat}/bin/socat tcp-listen:80,fork tcp:${allAssignments.middleman.internal.ipv4.address}:80"; + wantedBy = [ "multi-user.target" ]; + }; + local-https-forward = { + description = "Forward local HTTPS connections"; + serviceConfig.ExecStart = "${pkgs.socat}/bin/socat tcp-listen:443,fork tcp:${allAssignments.middleman.internal.ipv4.address}:443"; + wantedBy = [ "multi-user.target" ]; + }; + gitea.preStart = let repSec = "${pkgs.replace-secret}/bin/replace-secret"; diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix index fff40fe..30ee703 100644 --- a/nixos/modules/firewall.nix +++ b/nixos/modules/firewall.nix @@ -131,6 +131,9 @@ in chain prerouting { type nat hook prerouting priority dstnat; } + chain output { + type nat hook output priority dstnat; + } chain postrouting { type nat hook postrouting priority srcnat; } diff --git a/secrets/gitea/actions-runner.env.age b/secrets/gitea/actions-runner.env.age index 6f127da..12b3e99 100644 --- a/secrets/gitea/actions-runner.env.age +++ b/secrets/gitea/actions-runner.env.age 
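Review bot: Both socat units added in the gitea.nix hunk listen with `tcp-listen:80,fork` / `tcp-listen:443,fork` and no `bind=`, so they accept connections on every address of the VM, not only the localhost traffic the TODO describes. Anything that can reach those ports is relayed to the middleman address. If loopback is the only intended client, `tcp-listen:80,bind=127.0.0.1,reuseaddr,fork` (and the same for 443) keeps the relay local; a `::1` client would need its own listener. Neither unit sets a user, so socat runs as root by default; `serviceConfig.DynamicUser = true;` with `serviceConfig.AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` is enough to bind the low ports, and a `Restart=` setting would cover socat exiting. The surrounding `systemd.services` set starts and ends outside the hunk.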
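Review bot: The new `chain output` in the firewall.nix hunk uses the symbolic priority `dstnat` on the output hook. The nft priority table has, at least in older releases, documented that name for the prerouting hook only, so it is worth confirming that every nftables version this shared module is deployed with accepts it here; `priority -100` is the numeric equivalent. The chain is added empty and without a comment, so a line such as `# NAT for locally generated traffic; rules are added per host` would record why it exists, if that is the intent. The enclosing ruleset text starts and ends outside the hunk.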
@@ -1,12 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyBobGg0 -Sk1uMGtHZ1FLK3ZJYlhBQTNlOUo1YXQ0L0FqN00vVEtxT2NYVm5VCkV1bUZXdGZn -bXh6TnMwN3p6Rm5WRWxpTkoyeGx1NFB3bTBwdGcrT0JWMzgKLT4gWDI1NTE5IER4 -S1FsK2JhK243QkJWSkFweWVOZTQzZnR1YlZjVGw1Uk1jMmdNVks1SEkKMU50cjha -c1U0MVVZNmMvYitZYWorQ0R1VXhibWZvYzR6TUFTclVrREJ6MAotPiBPQ11RLWdy -ZWFzZSBkPFlEeiFFfCBMImhVR0poUiBjL1MjP0kKTkJWWngvankzc3ByREJaYUhM -emZ1akNSSmJIcjB1d2RoTE90bDZld0YwelN5STlaSTBwQjV2Q0sKLS0tIHRHK0V4 -UkgrQ21PSFVpWms0THdmOVRlK09zV3Y4ZnFTd2JvbnZaSWk2ZjgKYWufQ+yFOWWJ -mXe4hvy3X6iAdBW52dJVpu//ql2tBMKS05hcYo4uSa1QjURMANeinStojEQPnMRc -Ci5WovrSssqjOYYoVgx/41DL5BPSBw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGpJOFJBZyA2dlpB +M3RNNmF6TG9SSmM1Y0E3ZVdGczEyMENsTnFjc0t2K2ZnbEZIdlFrClJrN3d1eXhi +aU1iNnJoY08yNTd0S1BHeGpUQWhMdTlqdDdjbzA1QVY3dGMKLT4gWDI1NTE5IGw3 +R1FTRXZHdkVtSk9NN09iR0VjYjd0ZGlmVi9MTkpuYmo0eDFGTFJIbGcKYzlmRDNY +VjRhZjhaeTZ1cEhJQTJURlRCUkdWNTNyYlNHcU1SbGNTcnpXQQotPiBPMlNGYy1n +cmVhc2UgMyBHaWN+bntrXSA0cltsNQpXZzZqSVJmcG9raFhTWXp0Wm9STWgzR0lG +NHc0dGQzK2g5eWRQb2dEcytSL1ZRUWxRL3lIbjFYSzUvWQotLS0gQW1qd25CS0U2 +bk5uSlcxMjBrZURseWZJWkZLakxxYVFodnBENmQxLzRyQQpBFLUiRAvyFsgZuDsQ +4/trVbfLtZbl6CdSlGqsgL7QCpS45Wy7iKcI6Lyvoi8EsZdlytGJ3JsPpi8KjqUO +2r2IpbL3LjerjiAEchqnVRAA -----END AGE ENCRYPTED FILE-----