diff --git a/ops/nixos/bvm-forgejo/default.nix b/ops/nixos/bvm-forgejo/default.nix
index 55d3b4adf8..0b4a721262 100644
--- a/ops/nixos/bvm-forgejo/default.nix
+++ b/ops/nixos/bvm-forgejo/default.nix
@@ -43,6 +43,11 @@ in {
 };
 my.ip.tailscale = "100.103.26.78";
 my.ip.tailscale6 = "fd7a:115c:a1e0::8d01:1a4e";
+ boot.kernel.sysctl = {
+ # We have statically-configured v6.
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv6.conf.default.accept_ra" = 0;
+ };
 services.openssh.ports = [ 20022 ];
 my.deploy.args = "-p 20022";
@@ -60,13 +65,13 @@ in {
 smtpd_milters = ${config.services.opendkim.socket}
 non_smtpd_milters = ${config.services.opendkim.socket}
 '';
- networks = [ "172.17.0.0/16" ];
 };
 services.opendkim = {
 enable = true;
 domains = "csl:git.lukegb.com";
 selector = "bvm-forgejo";
 };
+ systemd.services.opendkim.serviceConfig.UMask = lib.mkForce "0007";
 services.pomerium = {
 settings = {
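Review bot: The two `accept_ra` keys in the added `boot.kernel.sysctl` block may not reach the interface that actually carries the static v6 address. `default` only seeds interfaces created after the sysctl is applied, and in practice the `all` value for `accept_ra` is not reliably propagated to interfaces that already exist. If the uplink is already up when the sysctls are written, it could keep honouring router advertisements, so a stray or rogue RA on the segment could still install a default route or a SLAAC address next to the static one. Consider pinning the interface as well, e.g. `"net.ipv6.conf.<uplink-iface>.accept_ra" = 0;` (placeholder name), or turning RA handling off in the network configuration if that is what processes RAs on this host. The comment could also say that RAs are refused so the static routing stays authoritative.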
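Review bot: The forced `UMask` of `0007` on the opendkim unit applies to every file the service and its pre-start steps create, not only the milter socket. Anything written under the key directory after this change, such as a newly generated DKIM private key, could end up group-accessible unless the generating tool sets its own mode, so it is worth checking the key file's permissions and who is in the opendkim group. The line also overrides the module's value with `lib.mkForce` without saying why. A comment such as `# postfix reaches the milter socket via group membership, so the socket must be group-accessible` would record the intent, assuming that is the reason, which this hunk does not show. The enclosing attribute set continues outside the hunk.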