diff --git a/hosts/hosting-01/git/forgejo.nix b/hosts/hosting-01/git/forgejo.nix
index 4f4ab10..6b0ae75 100644
--- a/hosts/hosting-01/git/forgejo.nix
+++ b/hosts/hosting-01/git/forgejo.nix
@@ -63,34 +63,38 @@ in }; }; - systemd.services.forgejo.preStart = '' - auth="${lib.getExe config.services.forgejo.package} admin auth" + systemd.services.forgejo = { + requires = [ "tailscaled.service" ]; - echo "Trying to find existing sso configuration for Authelia"... - set +e -o pipefail - id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)" - found=$? - set -e +o pipefail + preStart = '' + auth="${lib.getExe config.services.forgejo.package} admin auth" - if [[ $found = 0 ]]; then - echo Found sso configuration at id=$id, updating it if needed. - $auth update-oauth \ - --id $id \ - --name "Authelia" \ - --provider openidConnect \ - --key forgejo \ - --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \ - --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration - else - echo Did not find any sso configuration, creating one with name Authelia. - $auth add-oauth \ - --name Authelia \ - --provider openidConnect \ - --key forgejo \ - --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \ - --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration - fi - ''; + echo "Trying to find existing sso configuration for Authelia"... + set +e -o pipefail + id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)" + found=$? + set -e +o pipefail + + if [[ $found = 0 ]]; then + echo Found sso configuration at id=$id, updating it if needed. + $auth update-oauth \ + --id $id \ + --name "Authelia" \ + --provider openidConnect \ + --key forgejo \ + --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \ + --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration + else + echo Did not find any sso configuration, creating one with name Authelia. 
+ $auth add-oauth \ + --name Authelia \ + --provider openidConnect \ + --key forgejo \ + --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \ + --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration + fi + ''; + }; services.nginx.virtualHosts."git.escapeangle.com" = { forceSSL = true;
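Review bot: `requires = [ "tailscaled.service" ];` pulls tailscaled in and stops forgejo when it stops, but systemd's Requires= does not order the two units, so `preStart` can still run before tailscaled has started. If the intent is for the OIDC bootstrap to wait for Tailscale (presumably because the `--auto-discover-url` endpoint is reached over the tailnet), add `after = [ "tailscaled.service" ];` next to it. An active tailscaled still does not guarantee the tailnet is connected. Separately, both `--secret $(tr -d '\n' < ...)` lines in the re-indented script leave the substitution unquoted and pass the client secret as a command-line argument, so it is subject to word splitting and globbing and is visible in the process list while the command runs. Quoting it as `--secret "$(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path})"` fixes the splitting; the same applies to `--id $id`, which would expand to several words if more than one provider line matches the grep.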