diff --git a/ansible/environments/jail/host_vars/admin_git b/ansible/environments/jail/host_vars/admin_git
new file mode 100644
index 0000000..17b96d4
--- /dev/null
+++ b/ansible/environments/jail/host_vars/admin_git
@@ -0,0 +1,20 @@
+os_flavor: "freebsd"
+users:
+ talexander:
+ initialize: true
+ uid: 11235
+ gid: 11235
+ groups:
+ - name: wheel
+ authorized_keys:
+ - yubikey
+ - main_fido
+ - backup_fido
+ git:
+ initialize: false
+ shell: /usr/local/bin/git-shell
+ authorized_keys:
+ - yubikey
+ - main_fido
+ - backup_fido
+sshd_enabled: true
diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts
index 065fb4c..6ac7acb 100644
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -3,3 +3,4 @@ nat_dhcp ansible_connection=jail
 homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
+admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 4cddade..20c759b 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -92,3 +92,11 @@
 - wireguard
 - plainmacs
 - mrmanager
+
+- hosts: admin_git
+ vars:
+ ansible_become: True
+ roles:
+ - sudo
+ - doas
+ - users
diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf
index 4dad8f3..9e6623d 100644
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
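Review bot: The `git` account is added without `uid`/`gid` while `talexander` pins both, so the numeric ids the users role allocates for it may differ between runs or jail rebuilds, and ownership of any repositories stored under that account would then no longer match; if the role supports it, pin them the same way, e.g. `uid: 11236` / `gid: 11236` (illustrative values, not taken from the repository). The file also carries no comment explaining `shell: /usr/local/bin/git-shell` together with `initialize: false`; a line such as `# git-shell: key holders can only run git commands, no interactive login` above the `git:` entry would make the intent clear. The same three key names are granted to both accounts, and whether the users role writes them with sshd key options such as `restrict` is not visible here; for a git-only account that is worth confirming.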
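Review bot: The new inventory line uses `ansible_ssh_host`, which has been a deprecated alias of `ansible_host` since Ansible 2.0; it still works through the alias, and the existing lines in this hunk use it as well, so changing only this line to `admin_git ansible_host=admin_git@10.217.2.1 ansible_connection=sshjail` would be inconsistent — converting the whole file in one follow-up is the cleaner route. The `jailname@host` form of the address appears to be what the sshjail connection plugin expects, matching the `mrmanager_nat_dhcp` entry above it.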
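Review bot: `ansible_become: True` uses the capitalised YAML 1.1 boolean spelling, which yamllint's `truthy` rule flags; the canonical form is `ansible_become: true`. Whether the other plays in this file spell it the same way is not visible here, so if they do, change them together rather than only this one. The three context lines before the blank line are the tail of the previous play, which starts outside the hunk.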
@@ -25,6 +25,12 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 6443 -> 10.215
 nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
 nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
+rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 65099 -> 10.215.1.210 port 22
+rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 65099 -> 10.215.1.210 port 22
+nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
+nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
+
+
 # filtering
 block log all
diff --git a/ansible/run.bash b/ansible/run.bash
index 0a80592..12ab0b7 100755
--- a/ansible/run.bash
+++ b/ansible/run.bash
@@ -34,6 +34,8 @@ elif [ "$target" = "mrmanager" ]; then
 ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}"
 elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}"
+elif [ "$target" = "jail_admin_git" ]; then
+ ansible-playbook -v -i environments/jail playbook.yaml --diff --limit admin_git "${@}"
 else
 die 1 "Unrecognized target"
 fi
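Review bot: The two new `nat pass` lines match `to 10.215.1.210 port 65099`, but the `rdr` rules just above them rewrite the destination port to 22, and pf evaluates the outbound nat rule against the already-redirected packet; so if these are meant as the hairpin companions of the rdr (as the 6443 pair above suggests, where the port is left unchanged) they will not match the redirected traffic and should read `nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 22 -> (jail_nat)` and likewise for `$jail_nat_v4`. The first rdr publishes the jail's sshd on `$ext_if` to `$not_jail_nat_v4`; how far that reaches depends on how that macro and `$ext_if` are defined earlier in the file, outside the hunk, so the filter section below should pass port 65099 only from the intended source range. The two added blank lines before `# filtering` leave three empty lines in a row; one is enough.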
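Review bot: Each new target adds another `elif` that repeats the same `ansible-playbook -v -i environments/… playbook.yaml --diff --limit … "${@}"` line with only the inventory directory and the `--limit` value changed; a `case "$target" in … esac` that sets two variables (inventory and limit) followed by a single invocation would make further targets a one-line addition and keep the flags in one place. The enclosing if/elif chain starts outside the hunk, so the rewrite would have to cover branches not visible here. The new branch itself follows the existing pattern exactly, so this is a style observation for a follow-up rather than a defect.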