diff --git a/machines/gitea/configuration.nix b/machines/gitea/configuration.nix index 4bf16b7..c78ffea 100644 --- a/machines/gitea/configuration.nix +++ b/machines/gitea/configuration.nix @@ -41,6 +41,9 @@ environment.noXlibs = true; + security.sudo.execWheelOnly = true; + security.pam.enableSSHAgentAuth = true; + # services.openssh.enable = true; sops.defaultSopsFile = ./secrets.yaml; diff --git a/modules/gitea/default.nix b/modules/gitea/default.nix index e61641d..abc2a29 100644 --- a/modules/gitea/default.nix +++ b/modules/gitea/default.nix @@ -36,9 +36,7 @@ in }; log.LEVEL = "Warn"; - DISABLE_REGISTRATION = true; - COOKIE_SECURE = true; - + database = { LOG_SQL = false; }; @@ -50,6 +48,7 @@ in service = { DEFAULT_KEEP_EMAIL_PRIVATE = true; + DISABLE_REGISTRATION = true; }; picture = { @@ -59,6 +58,7 @@ in session = { PROVIDER = "db"; SAME_SITE = "strict"; + COOKIE_SECURE = true; }; webhook = { diff --git a/modules/nix-common/default.nix b/modules/nix-common/default.nix index 76a3f8a..5dab9ac 100644 --- a/modules/nix-common/default.nix +++ b/modules/nix-common/default.nix @@ -47,7 +47,7 @@ in settings = { auto-optimise-store = true; allowed-users = [ "root" ]; - trusted-users = [ "root" ]; + trusted-users = [ "root" "@wheel" ]; substituters = [ "https://nix-community.cachix.org" "https://marcus7070.cachix.org"
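Review bot: `security.pam.enableSSHAgentAuth = true` in the machines/gitea/configuration.nix hunk lets sudo accept any key that the agent-auth PAM module finds in its authorized-keys files, and the hunk does not pin which files those are. If that list includes the user-writable `~/.ssh/authorized_keys`, any process running as a wheel user can append a key and then pass sudo without the user's involvement. On NixOS releases that provide the option, I would add `security.pam.sshAgentAuth.authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];` next to it so only root-managed key files count. On older releases, check what `services.openssh.authorizedKeysFiles` resolves to. The `execWheelOnly` line is fine as is.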
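Review bot: The `service` and `session` hunks of modules/gitea/default.nix carry no comment saying that `DISABLE_REGISTRATION` and `COOKIE_SECURE` are only honoured inside those sections, which is presumably how they ended up misplaced before. I would add `# read from [service] only; ignored elsewhere` above `DISABLE_REGISTRATION` and `# read from [session] only; ignored elsewhere` above `COOKIE_SECURE`. If Gitea did ignore the old placement (inferred from the move, not visible in the diff), self-registration may have been open and session cookies sent without the Secure flag on deployed hosts. In that case the existing account list is worth auditing once after rollout.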
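Review bot: Adding `"@wheel"` to `trusted-users` in modules/nix-common/default.nix gives every wheel account root-equivalent control of the Nix daemon on each machine that imports this module, without going through sudo. Trusted users can override substituters and import unsigned store paths, and they are exempt from the `allowed-users = [ "root" ]` restriction on the line above, so a compromised wheel session no longer has to pass the sudo authentication configured elsewhere in this commit. If the goal is remote deployment, I would keep `trusted-users = [ "root" ];` and rely on signed paths via `trusted-public-keys`, or at least name the single deploy user instead of the whole group and add a comment stating why. The `settings` block continues past the end of the hunk.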