diff --git a/nixos/roles/nginx.nix b/nixos/roles/nginx.nix
index ff8e765..eac88c8 100644
--- a/nixos/roles/nginx.nix
+++ b/nixos/roles/nginx.nix
@@ -33,6 +33,7 @@ in
   networking.firewall.allowedTCPPorts = [
     80
     443
+    12222
   ];
 
   security.acme = {
@@ -47,6 +48,14 @@ in
     recommendedOptimisation = true;
     recommendedGzipSettings = true;
 
+    # Git ssh
+    streamConfig = ''
+      server {
+        listen 12222;
+        proxy_pass ${upstream}:12222;
+      }
+    '';
+
     virtualHosts = {
       # controller services (proxied to upstream tailscale node)
       "git.cyperpunk.de" = (mkProxy 9000) // {